Why is IRI FieldShield the best choice for profiling and protecting personally identifiable information (PII), complying with data privacy laws, nullifying data breaches and masking production data for testing? Browse through these nine areas of rationale for some of the differentiating product highlights, and peruse the other tabbed pages on FieldShield above. Please also review our robust data masking and test data sections, and self-learning articles on point here, to learn even more.
Only FieldShield includes multiple data source profiling tools and scanning methods to help you classify and locate PII in flat files, databases, and Excel, and cloud storage repositories. Build statistical reports and charts, ER diagrams, multiple searches, and new target schema.
Only FieldShield protects sensitive data, at rest or in transit, with dozens of masking functions across 15 different categories to support an unlimited number of business rules and data-centric conditions. You can mask multiple database and file sources separately, or in combination (e.g., ETL environments) with other operations in the same job and I/O pass.
Static data masking jobs can run on source (and on the fly to) or on replicated data through: 1) the command-line executable, 2) API calls (see the SDK for .NET, C/C++, and Java), 3) the free IRI Workbench Eclipse™ GUI for FieldShield, 4) batch scripts, 5) job schedulers, 6) CI/CD pipelines; 7) SQL procedures, 8) real-time DB refresh operations in IRI Ripcurrent; or, 9) third party programs making system calls. Also available for is a separate DDM by proxy system. It is thus possible to effect dynamic data masking and unmasking (encryption and decryption as well) in a number of ways, in addition to static data masking, using FieldShield.
The need-based, field-level protections in FieldShield complete faster than full database or device-centric encryption approaches, especially in real-time. FieldShield masking functions also consume less CPU and I/O. They can even run on a conditional basis, tied to new or specific rows, ranges of values, or discrete values.
FieldShield also uses the decades-proven and -enhanced big data movement engines of its parent product, IRI CoSort to scale performance in volume linearly. A 21-million row Oracle table with multiple columns to encrypt was masked and updated from a LAN-connected Windows PC using FieldShieldin11 minutes.
In IRI Voracity, there are Hadoop options to run FieldShield jobs to scale horizontally and elastically -- without recoding -- too. So if performance in volume is a concern, FieldShield is the only choice.
FieldShield allows you to specify data protections on a conditional basis using either SQL SELECT syntax or /INCLUDE-OMIT logic in your jobs, so that you can target protection function based on a pattern, value, or range in a specific column or string.
Choose a protection for each field from any of the masking function categories, or your saved rules, based on your business rules. Consider a health insurance claim table with 19 columns, 3 of which have PHI: pseudonymize the name, mask the SSN, encrypt the medical billing code, and leave the remaining data alone.
FieldShield masking functionality also seamlessly extends into various test data scenarios in IR IWorkbench, including the application of masking functions in the database subsetting wizard, ETL operations, direct population of referentially correct tables in lower non-production environments, or the virtualization of test data for immediate DevOps needs.
Most encryption solutions have one method or key, and cover an entire data source or device. If compromised, everything is exposed. With FieldShield, other fields are still protected even if one is breached. Multiple encryption functions and keys for different fields and different recipients also help, as do the choice of three internal key management methods plus proven integrations with the Microsoft Azure Key Vault and Townsend Security Alliance Key Manager system.
Security of the masked data is also enhanced through FieldShield'sincluded risk measurement capabilities. Research and marketing data sets with masked identifiers can still have quasi-identifiers unmasked. FieldShield users can score re-identification risk and further generalize the data to preserve its utility while reducing the ability of attackers to expose individuals in the data set.
FieldShield can produce a single secured output for multiple recipients, with selective authorization to reveal the plaintext controlled by managed en(de)-cryption keys. This reduces protection time, storage, and the complexity (synchronization problem) of managing disparate versions of the output.
FieldShield can also produce multiple outputs for distributed anonymization scenarios. Either way, however, by specifying all the protections in one FieldShield program, there is only one job to create, manage, and audit.
You can easily apply a common protection rule to multiple tables at once (without Java), and re-use that rule in other data protection, etc. jobs. This GUI-supported feature saves design time, automates rule application, and preserves referential integrity.
Compliance team members can unify and control their data and FieldShield metadata assets in the cloud with a free metadata management hub (e.g., EGit).
FieldShield uses self-documenting 4GL scripts to define the layouts and masking of table columns and file fields. And with the IRI Workbench GUI, built on Eclipse™, even the simple syntax need not be learned or hand-coded. Scripts interact with a color-coded syntax-aware and graphical form editor with graphical outlines, as well as parameter modification dialogs and transform mapping diagrams all interactively, and in the same pane-of-glass.
User-friendly data discovery and job definition wizards also help you design and build those scripts automatically. Data and job specs are easy to modify in the GUI or any text editor ... something else other data masking tools don't offer.
FieldShield runs on all Unix, Linux, and Windows platforms, and operates on all ODBC-connected database tables, and the sequential file formats common to most applications and mainframes, including files with header and footer records.
FieldShield also uses the same metadata and Eclipse GUI (IRI Workbench) as:
- IRI DarkShield for finding and masking PII in multiple unstructured sources
- IRI CellShield EE for finding and masking PII in Excel sheets LAN-wide
- IRI CoSort for data transformation and reporting
- IRI RowGen for realistic test data synthesis or subsetting
- IRI NextForm for database, file, and data conversion and replication
- IRI FACT (Fast Extract) for unloading very large databases
- IRI Voracity for total data management; i.e., discovery, integration, migration, governance, and analytics, where FieldShield data masking functions can be expressed and executed in the same job and I/O pass with data transformation, database subsetting, cleansing, replication, and reporting operations for example.
Many of the same masking functions in FieldShield are also plug-compatible with IRI CellShield for masking PII ergonomically in Excel spreadsheets and the IRI DarkShield API for masking PII in unstructured text/log files, PDF/MS Office documents, NoSQL databases, images, and faces.
You can also run FieldShield job scripts alongside Windocks, Actifio or Commvault cloning operations to seamlessly mask copies of the databases you are virtualizing/replicating for testing. Similarly for integrated test data provisioning, FieldShield, DarkShield, or RowGenjobs can be called into Amazon CodePipeline, Azure DevOps, GitLab, and Jenkins CI/CD operations.
FieldShield data definition files work with all IRI products, and are compatible with DataSwitch, erwin (AnalytiX DS) Mapping Manager and the Meta Integration Model Bridge (MIMB). Their .ddf data layout file support means you can quickly leverage the existing metadata in your ETL, BI, and modeling tools for FieldShield and other IRI software.
FieldShield creates data mapping diagrams and queryableXML (and soon JSON) job logs to verify the steps you took to comply with data privacy regulations. The logs contain the runtime and application environment that auditors need. The logs can be public or private (e.g., via free EGitasset security), and populate SIEM tools like Splunk through add ons like this.
FieldShield can also score the risk of re-identification based on the distinction and separation values it finds in your data's indirect, or quasi-identifiers, and produces graphs and reports to help you further generalize those values and comply with FERPA and the HIPAA Expert Determination Rule.
FieldShield as a standalone product is licensed for perpetual use in the low five figures, and is discounted in volume and distributed runtime integration scenarios. Five FieldShield masking engine licenses are alternatively included at no charge -- along with IRI CellShield EE, IRI DarkShield, and IRIRowGen(for test data synthesis and DB subsetting) -- in the base tier of IRI Voracity data management platform subscriptions.
IRI is a stable, US-based company (since 1978) not weighed down by external shareholders or bloated marketing expenses. Customers appreciate these savings, and the included use of compatible FieldShield functino swithin broader Voracity data management platform operations involving data discovery, integration, migration, governance, and analytics.