Static Data Masking
Persistent data masking, or Static Data Masking (SDM) is the primary method of protecting specific data elements at rest. These "elements" are typically database column or atomic (fixed or floating) values that are considered sensitive. These elements may contain personally identifiable information (PII), protected health information (PHI), primary account numbers (PAN), trade secrets, or other private values.
SDM is used to nullify data breaches, provide safe test data, and comply with data privacy laws. Compare it to Dynamic Data Masking (DDM), which selectively redacts sensitive values for database applications.
The "startpoint" data-centric security products IRI FieldShield, IRI DarkShield and IRI CellShield -- or the IRI Voracity platform that includes them -- centrally classify data at risk and provide more data discovery and SDM functions for more data sources than any other data masking stack. FieldShield also provides state-of-the-art re-ID risk scoring. Referential integrity, or deterministic data masking, is achieved through their automatic application of consistent masking functions.
The available categories of per-element functions include:
- multiple, NSA Suite B and FIPS-compliant encryption (and decryption) algorithms, including format-preserving encryption
- SHA-1 and SHA-2 hashing
- ASCII de-ID (bit scrambling)
- binary encoding
- data blurring and generalization
- redaction (string masking)
- reversible and non-reversible pseudonymization
- expression (calculation / shuffle) logic
- conditional / partial filtering (omission)
- custom value replacement
- byte shifting and sub-string functions
- tokenization (for PCI)
You can also "roll your own" external data masking function. This allows you to call a custom field protection at runtime instead of a built-in function
Whether built-in or custom, you can apply functions conditionally to specific rows or columns, and across tables through protection rules you can define, store, and re-use. It is also possible to apply these functions in a dynamic data masking (DDM) context.
Create, run, and manage your data masking jobs in a free state-of-the-art GUI, built on Eclipse.™ Or, use the same, simple, self-documenting 4GL metadata defining your data layouts and protections in a command line environment.
If you have sensitive data in Excel, check out IRI CellShield. CellShield EE supports many of the same encryption, redaction and psedudonymization functions as FieldShield.
If you have sensitive data in unstructured text, log, MS Office, Parquet or PDF files, or in semi- or unstructured RDB columns or NoSQL DB collections, check out IRI DarkShield. The DarkShield API supports all, and the DarkShield GUI supports at least half, of the static data masking functions in the categories listed above. The same deterministic (consistent) data masking results apply across all the IRI shield tools so you can preserve data (and referential) integrity across the all enterprise data sources they protect.
Did You Know?
FieldShield is the award-winning, fit-for-purpose static data masking product for databases and flat files built on Eclipse and powered by IRI CoSort. FieldShield -- along with DarkShield and CellShield -- is also a member product of the IRI Data Protector suite, and is included with IRI Voracity total data management platform subscriptions.
Voracity users can run these static masking functions along with data discovery, integration, migration, governance, and analytic operations. For example, they can simultaneously cleanse, encrypt, and sort data for safe bulk DB loads; mask data migration/replication or subset targets; and, build a delta report or ETL job that also de-identifies fields.