Data Loss Prevention Solutions

 

Next Steps
Overview Auditing DPDPA CPRA DLP FERPA GDPR HIPAA PCI DSS DMaaS Static Dynamic Real-Time Test Data/TDM

Content-Aware Data Loss Prevention 

Data loss prevention (DLP) activities start with the profiling of data at risk, be it in motion or at rest. Next is the protection of that data with the proper application of security functions and protocols. Together these activities constitute a powerful form of content-aware DLP.

Leading DLP solutions offer scanning, filtering, highlighting, and monitoring solutions (to enforce protections) for data at risk. The granular data classification, discovery and de-identification technology in these IRI data masking tools:


IRI DarkShield data vulnerability heat map of PII discovery results


  • FieldShield for finding and masking classified data in RDBs and flat files
  • CellShield for doing the same, but within and across Excel® spreadsheets
  • DarkShield for the same sources above, plus semi- and unstructured sources
  • Voracity for all the above, plus cleansing, integrating, and wrangling all that data



can work alone or in tandem with other data classification and scanning tools to allow authorized users to: profile (classify and search), protect (mask or delete), and prove (risk score and audit) they acted to prevent -- or at least nullify -- the loss of sensitive data. Learn more in the tabs below.


Profile (Classify/Scan)
Protect (Mask/Delete)
Prove (Risk-Score/Audit)
X

Profile (Discover)

Classify, profile, and scan sources of sensitive data through location and content-based searches of multiple sources simultaneously. Identify, isolate, diagram and report on data at multiple table, files, and other sources at once. IRI DarkShield search and masking logs and the dashboard charts you can produce from them produce heat maps of ranked data risk like these:

 

When data is in flat files or databases, IRI FieldShield can also protect it from misuse. Built in data format (composite) template and range capabilities provide for content-aware identification and validation of columnar values. DarkShield uses the same data class definitions to locate and report on those values too, as well as data in semi-structured and unstructured data sources on-premise and in the cloud.

Protect (Mask)

Choose and apply built-in or custom data masking functions for sensitive fields. Choose which function to apply based on your need for:

  • Security - how strong the encryption or other algorithm needs to be
  • Speed - which functions conceal data (and/or reveal) faster
  • Reversibility - whether you need to re-identify the data later
  • Appearance - if the ciphertext needs to retain the original format

Apply these functions ad hoc or en masse (consistently across sources) using rules. For example, use pattern-matching expressions to automatically apply a format-preserving encryption key to certain tables, while using another key on others. This consistency in data masking function application preserves referential integrity.

Direct the output to the same source or new target. Assert both data- and role-based access controls that persist, wherever the data may later exist. This goes well beyond what other encryption-only or DLP-centric solution providers offer.

Prove (Audit)

Verify that your PII data discovery and masking operations actually protected or de-identified the data at risk with statistical output and an audit trail. IRI job stats show column names, number of rows input/protected/output, and more.

The job specification script itself is self-documenting and easy to review in a text editor or in the GUI. It is also automatically integrated into a query-ready XML audit file. That log file also contains system information; e.g. who ran the job, where, and when.

Together with the sources and targets they identify, these records help validate the work you did to comply with data privacy laws.

Frequently Asked Questions (FAQs)

1. What is data loss prevention (DLP)?
Data loss prevention (DLP) refers to technologies and practices designed to detect, protect, and prevent the unauthorized access, transfer, or exposure of sensitive data, whether it's in motion, in use, or at rest.
2. How does content-aware DLP differ from traditional DLP?
Content-aware DLP focuses on the actual content of data—such as PII or PHI—rather than just location or file type. It finds and classifies data with multiple search matchers (e.g., patterns, values, AI models) and masks it to ensure sensitive data is discovered and protected regardless of where it resides.
3. What types of data sources can IRI DLP tools scan?
IRI DLP solutions can scan structured data (like databases and flat files), semi-structured data (like XML, JSON, and log files), and unstructured data (such as PDFs, emails, and documents) both on-premise and in the cloud.
4. How does IRI identify and classify sensitive data?
IRI tools use predefined and customizable data classes found with multiple search methods, including pattern-matching expressions, composite templates, and range definitions to locate and classify sensitive data across multiple databases, file types and storage environments.
5. What data masking techniques are available in IRI tools?
IRI supports a wide range of data masking techniques, including encryption, redaction, bit shifting, fabrication, twiddling, pseudonymization, hashing, scrambling, blurring, and (format-preserving) encryption, depending on security, speed, and reversibility needs.
6. Can I apply different masking rules for different data sets?
Yes. You can apply rules at scale or ad hoc using job scripts and data class definitions. IRI allows flexible control over masking functions to maintain consistency across environments and preserve referential integrity.
7. What is referential integrity and how is it preserved?
Referential integrity ensures consistent relationships between data records after masking. IRI tools preserve this by applying deterministic masking functions that maintain matching values across tables or files.
8. How does IRI prove that data has been properly masked?
Each job creates a self-documenting script and an XML audit file that includes details like the user, masking functions applied, time of execution, and number of records processed—providing verifiable compliance evidence.
9. What visualizations does IRI offer for risk assessment?
IRI DarkShield offers dashboard reports, including heat maps and bubble charts, that visually rank the risk of each data source based on discovery results. This helps prioritize remediation efforts.
10. Can I integrate IRI DLP logs with third-party systems?
Yes. IRI-generated audit logs and search artifacts can be exported and integrated with log4j2, Excel, and security information and event management (SIEM) systems like Splunk or Datadog for further analysis, alerts, and action.
11. What is the role of access controls in IRI DLP?
IRI solutions allow both role-based and data-based access controls. This ensures only authorized users can view or alter sensitive data, masking jobs, keys, or audit logs—enforcing security at every step.
12. Can IRI tools prevent data loss or just mitigate it?
While no solution can prevent all breaches, IRI tools significantly reduce the risk by discovering, masking, and logging sensitive data—minimizing the impact of unauthorized access or leaks.
Share this page

Request More Information

Live Chat

* indicates a required field.
IRI does NOT share your information.