Read at: http://www.gartner.com/technology/reprints.do
12 December 2013 ID:G00247005
Analyst(s): Joseph Feiman, Brian Lowans
Organizations should use data masking to protect sensitive data, at rest and in transit, from abuse by insiders and outsiders. The market offers static and dynamic masking of relational and mainframe-based data, and is beginning to offer masking of big data and unstructured data.
Sensitive personal data (credit card numbers, Social Security numbers and other personally identifiable information), health data, and even nonpersonal sensitive data such as corporate financial information and intellectual property are exposed to abuse or negligence by enterprise employees and by outsiders.
Data masking aims to prevent the abuse of sensitive data by hiding the real values from users. Vendors offer several masking techniques: replacing field values with similar-looking but fictitious values, replacing characters with a masking character (for example, "x"), replacing real last names with fictional ones, and shuffling the values of a database column across rows. Data masking is also known as data obfuscation, data sanitization, data scrambling, data deidentification, data anonymization and data deauthentication.
Adopting data masking raises an enterprise's level of security and privacy assurance, and at the same time helps it meet the security and privacy requirements set by regulators and auditors.
The potential abusers that data masking aims to deter are often enterprise employees or employees of outsourcing firms: users of test databases (programmers, testers and database administrators) and users of analytical and training databases (analysts, researchers and trainees).
Data masking technologies should satisfy a simple but strict rule: masked data must be realistic and quasi-real, that is, it must satisfy the same business rules as the real data. A masked card number should still pass the checksum the application validates, masked dates should still fall within valid ranges, and keys that join tables should be masked consistently so that referential integrity survives. This ensures that an application running against masked data behaves as if the data were real. Data masking must not limit a user's ability to use applications adequately.
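The following Python script is an added example (not part of the Gartner report and not any vendor's product) of how static masking rules can satisfy that requirement on a constructed sample table: the card number keeps its 6-digit issuer prefix and gets a recomputed Luhn check digit so application validation still passes, the SSN keeps its layout, surnames are swapped for fictional ones, the local part of the email is replaced with "x" characters, and the salary column is shuffled across rows. Every substitution is derived from a keyed HMAC of the original value, so the same real value always masks to the same fake value, which keeps joins across tables working. The masking key, the surname list and the sample rows are assumptions made for the example.

```python
import hashlib
import hmac
import random

# Assumed masking key: held only by the masking job, never shipped with the test data.
MASKING_KEY = b"example-masking-key-rotate-me"

FICTIONAL_SURNAMES = ["Abernathy", "Calloway", "Delacroix", "Fairbanks",
                      "Hollister", "Kingsley", "Montrose", "Pemberton"]


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial` + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:        # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return luhn_check_digit(number[:-1]) == number[-1]


def _derived_digits(label: str, value: str, n: int) -> str:
    """n pseudo-random digits derived from HMAC(key, value): deterministic, so the
    same real value always masks to the same fake one (joins keep working).
    The byte % 10 reduction is slightly biased, which is acceptable for test data."""
    out, counter = "", 0
    while len(out) < n:
        mac = hmac.new(MASKING_KEY, f"{label}|{value}|{counter}".encode(),
                       hashlib.sha256).digest()
        out += "".join(str(b % 10) for b in mac)
        counter += 1
    return out[:n]


def mask_pan(pan: str) -> str:
    """Keep the 6-digit issuer prefix (so card-type logic still works), replace the
    account digits, and recompute the check digit so Luhn validation still passes."""
    body = pan[:6] + _derived_digits("pan", pan, len(pan) - 7)
    return body + luhn_check_digit(body)


def mask_ssn(ssn: str) -> str:
    """Replace every digit but keep the NNN-NN-NNNN layout."""
    new = iter(_derived_digits("ssn", ssn, sum(c.isdigit() for c in ssn)))
    return "".join(next(new) if c.isdigit() else c for c in ssn)


def substitute_surname(surname: str) -> str:
    """Swap a real surname for a fictional one, chosen deterministically."""
    mac = hmac.new(MASKING_KEY, b"surname|" + surname.encode(), hashlib.sha256).digest()
    return FICTIONAL_SURNAMES[int.from_bytes(mac[:4], "big") % len(FICTIONAL_SURNAMES)]


def redact_email(email: str) -> str:
    """Character masking: 'x' out the local part, keep its length and the domain."""
    local, _, domain = email.partition("@")
    return "x" * len(local) + "@" + domain


def shuffle_column(rows: list, column: str, seed: int = 2013) -> list:
    """Shuffle one column's real values across rows, detaching them from identities.
    The column's distribution is preserved, which analytics and tests rely on."""
    values = [r[column] for r in rows]
    random.Random(seed).shuffle(values)
    return [dict(r, **{column: v}) for r, v in zip(rows, values)]


def mask_table(rows: list) -> list:
    masked = [dict(r, pan=mask_pan(r["pan"]), ssn=mask_ssn(r["ssn"]),
                   surname=substitute_surname(r["surname"]),
                   email=redact_email(r["email"])) for r in rows]
    return shuffle_column(masked, "salary")


# Constructed sample rows; all values are fictitious.
SAMPLE = [
    {"id": 1, "surname": "Smith", "ssn": "123-45-6789", "pan": "4111111111111111",
     "email": "jsmith@example.com", "salary": 52000},
    {"id": 2, "surname": "Jones", "ssn": "987-65-4321", "pan": "5500000000000004",
     "email": "ajones@example.com", "salary": 61000},
    {"id": 3, "surname": "Smith", "ssn": "111-22-3333", "pan": "4012888888881881",
     "email": "bsmith@example.com", "salary": 47000},
]

if __name__ == "__main__":
    for row in mask_table(SAMPLE):
        print(row)
```

Note that the two "Smith" rows mask to the same fictional surname, and the same card number would mask identically in an orders table, which is what keeps a masked test database consistent; the price of that determinism is that the masking key itself becomes sensitive and must not follow the data into the test environment.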
Data masking technology comes in several flavors:
Static data masking (SDM) deters the misuse of data by users (typically programmers and testers) of nonproduction databases (mostly test, but also training and analytics databases) by masking a copy of the data before it is handed to those users.
Dynamic data masking (DDM) masks production data in real time (see "Securing Production Data With Dynamic Data Masking" [Note: This document has been archived; some of its content may not reflect current conditions]). Typically, a DDM monitor intercepts each request that retrieves data from a database (an ad hoc query or an application's query) and analyzes it. The monitor then modifies the database response, masking sensitive data according to the masking rules and the requester's entitlements, so that the user who placed the request receives only the data he or she is entitled to see. The modification can be done in different ways (for example, by rewriting the query before it reaches the database, or by rewriting the result set on its way back), but whatever the method, and this is the fundamental feature of DDM, the original production data is never physically changed.
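As an added illustration (example code, not from the report or any vendor), the following Python script models a DDM monitor in front of a SQLite table. Here the modification is done by query rewriting: each role gets a masking view, and the monitor redirects the caller's SELECT to that view, so a user who lacks the entitlement for a column never receives clear values, cannot filter or compute on them to infer the real value, and the rows in the underlying table are never touched. The table, the roles, the masking expressions and the sample rows are constructed for the example.

```python
import re
import sqlite3

COLUMNS = ("id", "surname", "ssn", "pan", "email")

# Constructed production rows (fictitious values).
SEED_ROWS = [
    (1, "Smith", "123-45-6789", "4111111111111111", "jsmith@example.com"),
    (2, "Jones", "987-65-4321", "5500000000000004", "ajones@example.com"),
]

# Masking rules as SQL expressions over the protected columns.
MASK_EXPR = {
    "ssn": "'XXX-XX-' || substr(ssn, -4)",
    "pan": "substr('****************', 1, length(pan) - 4) || substr(pan, -4)",
    "email": "substr('xxxxxxxxxxxxxxxxxxxxxxxx', 1, instr(email, '@') - 1)"
             " || substr(email, instr(email, '@'))",
}

# Entitlements: the protected columns each (assumed) role may see in the clear.
ENTITLEMENTS = {
    "support_agent": set(),
    "fraud_analyst": {"pan"},
    "compliance_officer": {"ssn", "pan", "email"},
}


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, surname TEXT, ssn TEXT, pan TEXT, email TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", SEED_ROWS)
    return db


class DdmMonitor:
    """Stands between callers and the database, like a DDM proxy. Masking is done
    by query rewriting: each role gets a view that applies the rules for the
    columns that role is not entitled to, and SELECTs are redirected to it."""

    def __init__(self, db: sqlite3.Connection):
        self.db = db
        for role, allowed in ENTITLEMENTS.items():
            select_list = ", ".join(
                f"{MASK_EXPR[c]} AS {c}" if c in MASK_EXPR and c not in allowed else c
                for c in COLUMNS)
            db.execute(f"CREATE TEMP VIEW v_{role} AS SELECT {select_list} FROM customers")

    def query(self, role: str, sql: str, params=()) -> list:
        if role not in ENTITLEMENTS:
            raise PermissionError(f"unknown role {role!r}")
        # Only reads go through the masking layer; writes are not DDM's job.
        if not re.match(r"\s*SELECT\b", sql, re.IGNORECASE):
            raise PermissionError("DDM proxy accepts SELECT statements only")
        # Redirect the base table to the role's view. Because masking happens
        # inside the view, WHERE clauses, aliases and expressions see masked values
        # too, so a caller cannot learn a real SSN by filtering on guesses.
        rewritten = re.sub(r"\bcustomers\b", f"v_{role}", sql, flags=re.IGNORECASE)
        cur = self.db.execute(rewritten, params)
        names = [d[0] for d in cur.description]
        return [dict(zip(names, row)) for row in cur.fetchall()]


DB = make_db()
MONITOR = DdmMonitor(DB)


def raw_ssn(customer_id: int) -> str:
    """Direct read, bypassing the monitor: shows the stored data is unchanged."""
    return DB.execute("SELECT ssn FROM customers WHERE id = ?", (customer_id,)).fetchone()[0]


if __name__ == "__main__":
    sql = "SELECT id, surname, ssn, pan, email FROM customers WHERE id = ?"
    for role in ENTITLEMENTS:
        print(role, MONITOR.query(role, sql, (1,)))
    print("stored value still", raw_ssn(1))
```

A monitor that instead masked the returned rows after execution would have to parse the SQL as well, because a query such as `SELECT id FROM customers WHERE ssn = ?` returns no protected column yet confirms a guessed value; rewriting the query so the engine itself only ever sees masked values closes that channel.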
Data redaction masks unstructured content, such as documents and spreadsheets — for example, PDF, Word and Excel files.
Although still evolving, SDM is the most mature of these technologies; DDM and data redaction are at earlier stages (see "Hype Cycle for Application Security, 2013"). The market is heading toward a consolidation of these capabilities, and vendors have begun offering more than one flavor of data masking. Data masking emerged to address relational databases, as well as mainframe databases and files, and, in response to demand, the market has now begun offering SDM and DDM for big data platforms.
We view data masking not in isolation, but rather as an integral part of a broader portfolio of data security technologies. In this Magic Quadrant, we tightly focus on vendors' ability to offer more than one data masking technology — that is, SDM and DDM, and, to a somewhat lesser degree, data redaction. In addition to that, we value vendors' ability to offer a broader range of data security technologies, such as database audit and protection (DAP), tokenization, and encryption (see "Apply the Nine Critical Capabilities of Database Audit and Protection"). We also highly value vendors' ability to innovate in the rapidly emerging business case of data masking for big data platforms.
Axis Technology was founded in 2000 as a consultancy. In 2006, it created a separate division to develop and market its data masking technology, DMsuite. Axis suits users that need to mask data on a variety of platforms through user-friendly graphical user interfaces (GUIs). Axis offers its technology at a reasonable price, and provides strong technical support and professional services to meet clients' specific needs. Axis demonstrates its vision by beginning to offer masking for big data platforms and masking of data destined for the cloud.
DMsuite has a Web-based interface that enables multiple distributed user access to its features.
Axis recently started offering a service that takes enterprise-based data, masks it and places it in the databases in the cloud.
It offers a user-friendly, easy-to-learn and easy-to-configure technology at a reasonable price.
Axis has started offering SDM for Hadoop (the Cloudera and Hortonworks distributions).
Axis has announced its sales partnership with data virtualization vendors Delphix and Actifio. Data virtualization aims at offering a virtual copy of data instead of a real subset of data.
Its sales are mostly limited to the U.S., although it has recently begun expanding its reach.
Axis does not have the data management technologies, such as test data management (TDM) and archiving, that often accompany the SDM offerings of the Leaders and some Challengers.
Axis does not have the data security products, such as DAP, that often accompany the SDM offerings of the Leaders and some Challengers.
Axis does not have a packaged DDM product; for users that need DDM, it delivers a custom solution.
Camouflage Software demonstrated its vision and dedication to data masking by becoming one of the early SDM vendors (its first product was released in 2004) and by choosing a highly visible domain name, www.datamasking.com. It earned mind share among clients of the emerging market, and gained experience and market understanding. It markets its SDM technology as Data Masking Lifecycle Management Suite. It appeals to clients looking for a vendor willing to help with product customization and adjustment to the enterprise's needs, and for pricing that is affordable to larger and smaller enterprises alike.
Camouflage earned a strong product reputation for its SDM tool, as well as for its technical support and willingness to help users.
Camouflage offers reasonable pricing. Recently, it has demonstrated market understanding by offering a price model based on the volume of the data targeted for masking — a model that is well-understood by developers and testers, who are the main users of SDM.
Its tool is user-friendly and easy to learn, and it is flexible to install, configure and customize.
Camouflage offers DDM technology.
Camouflage does not offer masking for big data platforms. Its data redaction is limited to Excel files. It has only just started offering DDM, which currently supports Oracle Database only; it plans to add Microsoft SQL Server in 1H14.
Camouflage has made significant investments in sales and marketing relative to the size of its operations; however, it requires further investment to scale its operations accordingly, and to enhance its sales and marketing capabilities, especially against significantly larger vendors.
Camouflage markets its technology mostly in North America. It has a small network of partners that offer its technology and respective services, although its evolving partnership with KPMG creates an opportunity to increase its marketing capabilities.
Camouflage does not have the data management technologies that often accompany Leaders' and some Challengers' offerings.
Compuware offers a variety of technologies in areas such as application performance monitoring, horizontal portals, business portfolio management and mainframe solutions. Its SDM Test Data Privacy technology is positioned as part of Compuware's mainframe solution division, and has addressed distributed and mainframe platforms since its launch. Compuware's SDM product makes a strong case for its use in large, enterprisewide projects on a mainframe platform, or in a mixed mainframe and distributed platform, with a focus on the mainframe.
Compuware demonstrates expertise in SDM deployments in large-scale projects, especially with mainframe platforms.
It has a well-defined, extensive, best-practice-based methodology and maturity model for SDM implementations.
Compuware offers mainframe TDM solutions, as well as its line of file/data management products.
Experts are available to assist clients in SDM implementations, including long-term engagements.
Its geographical reach is beyond North America, and it provides support for Unicode, which is important to markets outside North America.
Compared with Leaders and many Challengers and Visionaries, Compuware lacks data security technologies, such as DDM and DAP. Its data redaction is limited to Excel files and text fields contained in relational and nonrelational databases.
Compuware does not demonstrate innovations in emerging areas, such as data masking for big data platforms.
It lacks a focus on and reputation in the security space. Its SDM reputation lacks balance between mainframe and distributed platforms. Typically, enterprises that prefer Compuware's SDM are heavy mainframe users, while users of mainly distributed platforms typically look at other SDM vendors.
Compuware's positioning of its SDM technology is unclear. SDM's place within the mainframe division and the lack of security-oriented marketing weaken its recognition and adoption.
Discovery technology, which is critical to SDM, is augmented and extended by Compuware's partner, Dataguise, an SDM vendor that has a nonexclusive partnership with Compuware.
Dataguise started as an SDM vendor in 2007. It recently received $13 million in investment from venture capital firms, which gives it an opportunity to expand its clientele and strengthen its innovation in sensitive data discovery and masking for big data platforms. Dataguise markets its SDM product under the name DgSecure. Dataguise suits organizations that are looking for an easy-to-learn, user-friendly product with a flexible masking rule engine and good performance characteristics at a reasonable price. It should also be considered by enterprises that are adopting big data platforms and need to discover and mask sensitive data stored in them.
Dataguise has strong discovery technology, which its partner, Compuware, uses in its own SDM offering for distributed platforms.
Dataguise's technology is easy to learn, and its Web-based architecture supports multiple user locations.
It provides strong customer service, mentoring and customization for clients' needs.
It is one of the pioneers in Hadoop data masking, supporting the MapR, Cloudera, Hortonworks, Greenplum and InfoSphere BigInsights distributions, and it has earned a good reputation among the emerging clientele that needs data masking on big data platforms.
For the past few years, Dataguise's growth has been slow, partially due to the lack of resources. Through 2014, customers and prospects should watch how Dataguise expands its market presence through the implementation of its plans for revenue and market share growth using recently received investments.
Dataguise's market is mostly limited to the U.S. Dataguise focuses mostly on finance, government and healthcare vertical industries.
It lacks TDM technologies. It also lacks some of the data security technologies (such as DDM, DAP and data redaction) that often accompany SDM.
It masks a limited number of databases, compared with Leaders and some Challengers: Oracle, Microsoft SQL Server, DB2 (distributed and mainframe), MySQL and Postgres.
Epi-Use Labs — vendor of the Data Secure tool — is a wholly owned subsidiary of the privately held Epi-Use Group, which is focused on supporting SAP developers' needs. It has been marketing the Data Secure SDM tool since 2009. The Epi-Use product is suitable for organizations that are focused on masking data for SAP applications only, and that are looking for a transparent masking process with a variety of prebuilt functionality for SAP applications and masking rules for most typically masked data fields. In its repository, Data Secure has the profiles of numerous SAP objects with already-defined relationships, as well as the locations of those objects — which is a significant simplification for implementing data masking processes.
Epi-Use addresses the needs of users of one of the most popular enterprise-class commercial off-the-shelf applications: SAP.
It also addresses the data masking process on an application logic level, making it more transparent to SAP developers/security specialists.
Data Secure is part of a broader Data Sync Manager suite that addresses development, testing and data management needs for SAP applications.
Epi-Use reaches out to a global clientele. It has offices in the U.S., the U.K., Germany, South Africa, Latin America and Asia/Pacific, as well as development centers in Atlanta, South Africa and Germany.
Epi-Use's strategy is limited to masking databases that are used only through SAP applications.
Epi-Use does not offer DDM.
Epi-Use does not offer data redaction. It also does not offer DAP technology, which often accompanies some other vendors' offerings.
It does not support data masking for big data platforms.
GreenSQL was founded in 2009 and has offered its GreenSQL Dynamic Data Masking product since 2012. GreenSQL also offers other data security technologies for database activity monitoring and protection. Convenient integration of several database security technologies, affordable pricing and ease of implementation make it a good fit for small or midsize businesses' (SMBs') needs. GreenSQL has clients in the U.S., Europe and Asia/Pacific.
GreenSQL provides a single platform that combines DDM and DAP functionality, such as database activity monitoring, database intrusion prevention, database firewall and SQL injection protection. It also offers discovery of malware hidden in blobs stored in database tables.
It is easy to install and implement. Its caching technology aims at minimizing the performance impact of DDM.
It is a good fit for SMBs' needs and pricing ranges.
It secures the following cloud databases: Amazon Relational Database Service (RDS) for Microsoft SQL Server, Amazon RDS for MySQL and Windows Azure SQL Database.
GreenSQL does not offer SDM.
GreenSQL supports only the following relational databases: SQL Server, MySQL, MariaDB, Amazon RDS for Microsoft SQL Server, Amazon RDS for MySQL and Windows Azure SQL Database.
Grid-Tools was founded in 2004 to deliver test data discovery, design, creation, refreshment, comparison, management and data masking, which it combines in its Datamaker suite. Datamaker is optimized for SDM use by application testers, and it fits well into an agile development paradigm.
The company offers an advanced, scalable technology aimed at complex and large environments with a multiplicity of various interconnected databases on mainframe and distributed platforms.
Grid-Tools offers synthetic data generation in addition, or as an alternative, to data masking.
It also offers advanced techniques for assuring application integrity and test data quality (for example, building SDM templates dynamically during discovery, so that they represent the current state of the data more accurately).
It delivers high performance in large and complex development/test environments.
Grid-Tools' pricing model is clear and understandable for developers and testers.
The U.K.-based company is creating a network of partners (such as CA Technologies, HP, Software AG and Teradata) to reach into other geographies (particularly the U.S.).
Grid-Tools targets primarily developers and testers, and, to a lesser degree, security professionals.
It lacks data security technologies — especially DDM, and also DAP — that are used to protect production data, and are often offered by Leaders and some Challengers.
Its data redaction is for PDF and image files only.
It does not offer masking for the Hadoop platform, although it has plans to do so in 2014.
IBM entered the SDM market in 2007 by acquiring Princeton Softech with its Optim technology. After IBM acquired DAP vendor Guardium in 2009, the resources of the two acquisitions were combined, accelerating the development of DDM. IBM markets its SDM product as InfoSphere Optim Data Privacy. Its DDM product can be acquired as part of InfoSphere Guardium Data Activity Monitor, or as part of InfoSphere Optim Data Privacy. As part of the solution, IBM offers discovery and subsetting. IBM technology is for enterprises with homogeneous or heterogeneous environments, with many and various databases and files. These enterprises are typically large ones that are pressed by security and compliance regulations.
IBM has a strong SDM reputation and the largest installed client base. It is the most frequently referenced SDM vendor by Gartner clients — especially large ones.
It provides DDM technology that intercepts and masks queries at the database layer. In 2014, it plans to release a tool that masks queries intercepted at the Web application layer.
IBM provides the technologies that users shopping for SDM often request alongside it: other data security technologies (DDM, data redaction and DAP), as well as TDM, data archiving, application retirement, e-discovery, data management, DBMS, and the application development and testing technologies of its Rational suite.
It has the resources to operate globally.
In 2013, IBM introduced a price model alternative to its processor-based price model. The new model is based on the volume of masked data, which might better appeal to users seeking a lower-priced data masking package.
Clients often report that IBM's core-based pricing model is too expensive, and Gartner recommends that our clients evaluate the new pricing model based on the volume of masked data.
Many clients point to the complexity of learning IBM's SDM technology suite. IBM recently introduced a new version of its SDM tool with a simplified user interface, and we recommend that our clients evaluate it.
The quality of sales and technical support skills is inconsistent across IBM's growing prospect and client base. Some clients complain about the quality of presales and postsales support.
IBM masking for big data platforms has been available since 1Q13. In 4Q13, IBM unveiled InfoSphere Data Privacy for Hadoop, which includes masking and data activity monitoring in a single solution. Because this is a new offering, customers will have to evaluate their requirements against its capabilities.
Informatica has historically offered some data masking features within its data management toolset. It combined them with features of the SDM tool from Applimation, which Informatica acquired in 2009. In 2011, it also acquired DDM startup ActiveBase. It markets its SDM product as Informatica Persistent Data Masking, and its DDM product as Informatica Dynamic Data Masking. Informatica's SDM and DDM appeal to enterprises with complex and heterogeneous database environments. Current users of Informatica's PowerCenter and its Application Information Lifecycle Management (ILM) products are more likely to put Informatica's data masking on their shortlists because it complements the data management features they already use.
Informatica has a strong SDM reputation and one of the largest installed SDM customer bases. It is one of the top SDM vendors that Gartner clients frequently reference.
Informatica clients implement large-scale, mission-critical DDM projects. Informatica also offers data redaction for PDF, Microsoft Word and Excel documents, XML, and various other files.
It is a leader in data management, that is, data integration, data quality and master data management (including customer data solutions).
Informatica continues to innovate in the DDM space. In 4Q13, it announced DDM for Hadoop (the Cloudera, Hortonworks and MapR distributions).
It is expanding its geographical reach. Informatica partners with global system integrators and external service providers (ESPs), such as Cognizant, that use its SDM.
Informatica's lack of clarity in stating that data security is a strategic direction limits its opportunities in the data security space.
Many clients, especially smaller ones, point to the high cost of Informatica's data masking tools. Informatica recently released a lower-priced cloud-based solution and a free (with limited options) cloud-based solution, and we recommend that our clients evaluate them.
Many clients state that technical support personnel lack the necessary skills in data masking, and that their skills are lower than Informatica's traditionally good skills in data management support.
It does not offer its own DAP (which is offered by other Leaders); instead, it relies on its partnership with Imperva for that.
Informatica's masking for big data platforms was delivered in 4Q13. Currently, however, it is unproven, and future customers should be watching how this new offering may be able to address their needs.
Mentis offers a portfolio of solutions for sensitive information management, including SDM (iScramble), data discovery (part of the Mentis platform), data access monitoring (iMonitor), DDM and data redaction (iMask), and database intrusion prevention (iProtect). Mentis' primary sales target is the financial industry. Mentis will meet the needs of enterprises that are looking for strong discovery technology; friendly support, mentoring, and a willingness to understand and accommodate client requirements; useful templates for packaged systems, such as Oracle E-Business Suite and PeopleSoft; and technologies beyond SDM that aim to protect production data in real time.
In addition to SDM, Mentis offers DDM and DAP. Intelligence acquired by all its tools is shared across the platform.
To increase the accuracy of discovery, it analyzes not only the data, but also the application code that accesses it, such as Java, C++, Oracle Forms, PL/SQL, T-SQL and COBOL.
It offers strong support of ERP systems, such as Oracle E-Business Suite and PeopleSoft.
Mentis offers a pricing model that is understandable by developers and testers. It charges per application or per group of applications to be masked.
Mentis offers a data masking process methodology that is well built into its technology.
Clients buy Mentis' DDM and DAP tools mostly when they also buy the SDM tool — the primary tool in Mentis' portfolio.
Mentis does not offer data masking for big data platforms.
Mentis offered its new subsetting tool, iSubset, in 3Q13, and future customers should be watching its quality.
Prospects should press Mentis to expand its presence beyond North America and to address the emerging demand for data masking for big data platforms.
It masks a limited number of databases — Oracle, Microsoft SQL Server, DB2 (mainframe and distributed) and Sybase.
Net 2000 was founded in 1998 and started offering its popular Data Masker product in 2004. Net 2000 focuses on SDM only, and does not offer a broader range of data security technologies. Low pricing and good technical support — combined with easy-to-learn features, availability of templates and look-up tables for typical masking use cases — make this tool a good fit for relatively simple environments that require SDM, and enable Net 2000 to challenge most vendors in that niche of the SDM market.
Data Masker is easy to install and use, and it has an intuitive GUI.
Data Masker is one of the lowest-priced tools in the market.
Net 2000 has amassed a large number of clients, comparable with market Leaders' number of clients. It reaches out into the U.S., Europe and Asia/Pacific.
Net 2000 offers strong technical support. It also offers frequent product improvements that clients can download from its website.
Data Masker is available for Oracle and SQL Server only. Data subsetting is available for Oracle only. Net 2000 has plans to add subsetting for SQL Server in 1Q14.
Net 2000 does not offer DDM and data redaction.
It does not innovate in the emerging, important areas, such as data masking for Hadoop.
It does not offer DAP technologies, which often accompany the data masking products of Leaders and some Challengers.
It lacks enterprise-class capabilities across multiple operating systems and databases.
Oracle's SDM — Oracle Data Masking Pack — is an addition to its already large and strong data security portfolio. Oracle Data Masking Pack mostly appeals to enterprise users of the Oracle technology stack — that is, database, middleware and packaged applications such as PeopleSoft and E-Business Suite.
Oracle exhibits high performance in masking data in Oracle Database.
The broad adoption of Oracle Enterprise Manager (part of which is Data Masking Pack) promotes the adoption of Data Masking Pack to the users of Enterprise Manager. Data Masking Pack is an add-on that is managed the same way as the rest of the stack.
Oracle offers DDM technology called Data Redaction (part of the Oracle Advanced Security option), which is integrated into the DBMS itself. Despite its name, Oracle Data Redaction masks query results in real time as they leave the database, which is DDM in this report's terminology, not redaction of unstructured documents.
Oracle has strong expertise in DBMS security, and other data security products are also available.
Oracle has a global reach. There is an abundance of Oracle experts among IT professionals worldwide.
Oracle RDBMS and Oracle Database Gateways must be part of the masking solution for non-Oracle Databases, thereby complicating the SDM architecture for non-Oracle Databases. To address users' needs, a restricted use license for Oracle Database Gateways is included with Oracle Data Masking Pack for non-Oracle Databases at no extra charge.
It does not offer data redaction as a tool, but instead offers a set of APIs for operating on unstructured data. Configuration/programming to these APIs requires customers to do it by themselves, to use Oracle consulting services or to use Oracle's numerous service partners' services.
Masking of big data is available only for Oracle Big Data Appliance with Cloudera's Hadoop distribution installed, and requires the use of Oracle consulting services or the services of Oracle's numerous service partners.
Users and prospects often complain about the high price. The quality of sales support skills is also inconsistent across Oracle's growing prospect and client base, and some clients complain about the quality of presales and postsales support.
Privacy Analytics brings statistical science into SDM. Its Parat tool assesses, measures and manages the risk of reidentification of masked data. Parat provides risk analysis functionality based on an enterprise's security and privacy practices, the sensitivity of the dataset, and the possibility of reidentification. Privacy Analytics' technology and methods are primarily aimed at healthcare organizations that are looking for quantifiable and defensible proof that deidentified, sensitive data will withstand the scrutiny of audits.
Risk assessment methods enable setting the appropriate level of masking. Parat offers risk metrics to measure the risk of reidentification and privacy disclosure. Parat anonymizes structured and unstructured data formats.
Using its analysis of existing regulations and protection measures, Privacy Analytics defines the threshold at which a deidentified dataset would be considered breached, and helps ensure that the risk of exposure stays below the user-specified threshold.
Privacy Analytics provides references to precedents that can be used in an audit of adherence to, or violation of, privacy requirements.
It supports the analysis of different types of potential attacks with respective protection scenarios. Its deidentification algorithm is adjustable to minimize distortion of the original data.
The company provides consulting in assessing the risk of reidentification, as well as help in meeting the deidentification requirements of the Health Insurance Portability and Accountability Act (HIPAA).
Privacy Analytics does not provide DDM or other data security technologies, such as DAP.
It does not offer TDM technologies, which often accompany other vendors' offerings.
Parat does not offer SDM or DDM for big data platforms.
Parat covers a limited number of platforms and databases (Oracle, Microsoft SQL Server and Microsoft Access, and comma-separated values [CSV] files).
It does not offer special analysis and templates for packaged systems, such as SAP, PeopleSoft and Oracle E-Business Suite.
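The following Python script is an added example (not Parat's algorithm or code) of the kind of measurement such a tool makes, using the simplest model: records are grouped by their quasi-identifiers (here ZIP code, age and sex), the reidentification risk of a record is 1/k for a group of size k, and generalization is applied level by level until the maximum risk falls at or below a user-specified threshold, stopping at the first level that passes so that the data is distorted no more than necessary. The records, the generalization hierarchy and the thresholds are constructed for the example.

```python
from collections import Counter

# Constructed extract of a deidentified dataset (fictitious patients);
# zip/age/sex are quasi-identifiers, dx is the sensitive attribute.
RECORDS = [
    {"zip": "02138", "age": 34, "sex": "F", "dx": "asthma"},
    {"zip": "02139", "age": 37, "sex": "F", "dx": "migraine"},
    {"zip": "02134", "age": 31, "sex": "F", "dx": "asthma"},
    {"zip": "02142", "age": 36, "sex": "F", "dx": "diabetes"},
    {"zip": "02138", "age": 52, "sex": "M", "dx": "hypertension"},
    {"zip": "02139", "age": 58, "sex": "M", "dx": "diabetes"},
    {"zip": "02134", "age": 55, "sex": "M", "dx": "asthma"},
    {"zip": "02140", "age": 53, "sex": "M", "dx": "hypertension"},
]
QIDS = ("zip", "age", "sex")
MAX_LEVEL = 3


def generalize(rec: dict, level: int) -> tuple:
    """Quasi-identifier tuple at a generalization level (assumed hierarchy:
    ZIP 5 -> 3 digits, exact age -> ten-year band, then suppression with '*')."""
    zip_code, age, sex = rec["zip"], rec["age"], rec["sex"]
    if level == 0:
        return (zip_code, str(age), sex)
    band = f"{age // 10 * 10}-{age // 10 * 10 + 9}"
    if level == 1:
        return (zip_code[:3], band, sex)
    if level == 2:
        return (zip_code[:3], band, "*")
    return (zip_code[:3], "*", "*")


def risk_profile(records: list, level: int) -> dict:
    """Equivalence-class risk: an attacker who knows a target is in the data and
    knows its quasi-identifiers picks the right record with probability 1/k,
    where k is the size of the record's class. Max risk is the worst record;
    the average over all records works out to (number of classes) / N."""
    classes = Counter(generalize(r, level) for r in records)
    k_min = min(classes.values())
    return {"k_min": k_min, "max_risk": 1 / k_min,
            "avg_risk": len(classes) / len(records), "classes": len(classes)}


def deidentify(records: list, threshold: float):
    """Return (level, profile, masked records) for the lowest generalization level
    whose max risk is at or below `threshold`: enough masking to pass, no more."""
    for level in range(MAX_LEVEL + 1):
        profile = risk_profile(records, level)
        if profile["max_risk"] <= threshold:
            masked = [dict(zip(QIDS, generalize(r, level)), dx=r["dx"]) for r in records]
            return level, profile, masked
    raise ValueError(f"no level in the hierarchy meets max risk {threshold}; "
                     "suppress outlier records or extend the hierarchy")


if __name__ == "__main__":
    for level in range(MAX_LEVEL + 1):
        print(level, risk_profile(RECORDS, level))
    level, profile, masked = deidentify(RECORDS, threshold=0.34)
    print("chosen level", level, profile)
    for row in masked:
        print(row)
```

On this sample every record is unique at level 0 (risk 1.0), level 1 yields two classes of four (risk 0.25), and a threshold of 0.2 forces suppression of both sex and age before it can be met; a threshold the hierarchy cannot reach is reported as an error rather than silently returning data that fails the test.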
Solix SDM technology, called Solix EDMS Data Masking, is part of the Solix Enterprise Data Management Suite (EDMS), which also includes database subsetting, archiving and application retirement. Solix needs to earn broader data security name recognition and sales outside its traditional base, which buys its platform primarily for data management, subsetting, archiving and retirement. Solix is well-suited for the needs of clients that already use it for capabilities other than SDM, and for users that need to easily and inexpensively add SDM capabilities and start conducting SDM.
Solix exhibits expertise in data management, subsetting, archiving and application retirement, which serve as opportunities to sell data masking to the existing clientele. To increase its market share, it is taking steps to market its SDM outside its existing clientele.
Solix has customers in North America, Asia and Europe.
It has expertise in masking packaged applications, such as Oracle E-Business Suite and PeopleSoft.
Solix offers a free download for a limited version of its SDM software.
It offers managed data masking services.
Solix still needs to earn a stronger SDM and overall data security reputation. A substantial number of its clients are users of its other technologies.
It does not offer DDM, which is often offered by Leaders and some other Challengers.
It does not offer data redaction technologies. It also does not offer other data security technologies, such as DAP.
It does not offer data masking for big data platforms, although it has plans to add this in 2014.
Voltage Security focuses on data protection, which includes encryption and tokenization of data in applications, databases, files, email and transactions. Voltage extends its encryption and tokenization expertise to data masking. Its Voltage SecureData Enterprise product uses Format-Preserving Encryption (FPE) and Secure Stateless Tokenization (SST) to mask sensitive data. Voltage is well-suited for users that need a tool with a data masking technique based on FPE or SST. Customers can leverage Voltage SecureData Enterprise for masking of nonproduction data, and also extend it for protection of production data with encryption and tokenization. Users should be prepared, however, to use other vendors' tools for such SDM functions as sensitive data and relationship discovery, subsetting, masking templates, and flexibility and variety of masking rules.
Voltage FPE is an innovative encryption method that builds on the strength of an existing cipher: it uses the AES-FFX mode, which at the time of this report was on track for standardization by the U.S. National Institute of Standards and Technology (NIST). (NIST later published the FFX-derived FF1 mode in SP 800-38G in 2016.)
Voltage demonstrates easy enablement of data integrity across geographically distributed, large data systems. Because Voltage FPE does not need mapping tables or a token database, it is well-suited to projects that require high scalability.
Data masked with Voltage FPE can be reversed to its original state through centralized key management if required, or be made irreversible by using a one-time 256-bit FPE key that is destroyed after masking; without the key, nobody can reverse the mapping.
Voltage SecureData Enterprise is available for Hadoop and certified for Cloudera and Hortonworks.
Voltage enables enterprises to build data masking into existing workflows and data management frameworks using a set of APIs and processing tools that are compatible with extraction, transformation and loading (ETL) and data management solutions across Linux, Unix, Windows, IBM z/OS mainframe, HP Nonstop, Stratus, Teradata, Amazon Web Services, Microsoft Windows Azure, and Hadoop.
Voltage enables on-the-fly masking that dynamically applies access rules based on input from Active Directory, LDAP or custom identity and access management (IAM) systems.
Voltage offers just one of several critical components of SDM technology: data masking via FPE or SST. Its data masking capability is part of a wider data protection solution that utilizes other vendors' components for SDM. Those other critical components (such as discovery, subsetting and TDM capabilities) are provided by Voltage's partners — mainly Informatica, but also Syspedia.
For complex data masking cases with complex data relationships that need data and relationship discovery and analysis, Voltage requires the use of tools from its partners.
Voltage SecureData Enterprise is a platform for masking and data protection, and users need to plug it into an existing application development workflow. It does not provide TDM itself.
Voltage requires the installation of one or more virtual appliances to define data protection, masking, authentication and authorization policies, stateless key management, and reporting.
As with any AES-based encryption, FPE masking with AES-FFX is reversible, so the masked data is only as safe as the keys: if keys are compromised, the original data can be recovered. Treat FPE-masked test data as recoverable sensitive data unless the one-time-key (irreversible) mode is used, and note that, because the mapping is deterministic under one key, equal source values produce equal masked values unless the tweak is varied.
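The FPE construction described in the Voltage write-up above, and the key-compromise caveat that closes it, worked through in an added Python example that is not Voltage's code and not NIST FF1 (the form of FFX that NIST later standardized in SP 800-38G): it implements a small Feistel-network FPE in the FFX style over decimal strings, with HMAC-SHA256 standing in for the AES-based round function so it runs with only the standard library. It shows the two modes the text contrasts, a retained key (reversible through key management) versus a fresh random key that is used once and dropped (irreversible), and adds a pattern assumed here rather than taken from the page: keeping the six-digit BIN in clear and recomputing the Luhn check digit so the masked card number still satisfies the business rule. The key, the test card number and the helper names are constructed for the example; use a vetted FF1 library for real data.

```python
"""Added example (not Voltage's code and not NIST FF1): a small Feistel-network
format-preserving encryption (FPE) over decimal strings, in the style of the FFX
family that the text mentions. HMAC-SHA256 stands in for the AES-based round
function so the example runs with only the standard library. For real systems
use a vetted FF1 implementation (NIST SP 800-38G); this is a teaching model."""
import hashlib
import hmac
import secrets

ROUNDS = 10  # FF1 also uses ten Feistel rounds


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str) -> int:
    """Keyed PRF bound to the tweak and the round number, as a big integer."""
    msg = tweak + b"|" + bytes([round_no]) + b"|" + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Map a decimal string to a decimal string of the same length.

    Same key + same tweak + same input always gives the same output, which is
    what preserves referential integrity across tables and systems without any
    mapping table. It also means equal plaintexts show up as equal ciphertexts
    unless the tweak differs, so pick the tweak (column or record context)
    deliberately."""
    if not (digits.isascii() and digits.isdigit()) or len(digits) < 2:
        raise ValueError("need an ASCII decimal string of at least two digits")
    n = len(digits)
    u, v = n // 2, n - n // 2               # unbalanced split for odd lengths
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v          # length of the half being replaced
        c = (int(a) + _round_function(key, tweak, i, b)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt by running the Feistel rounds backwards."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_function(key, tweak, i, a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def mask_one_way(digits: str) -> str:
    """Irreversible mode: a fresh random 256-bit key is used once and dropped.
    The output keeps the format, but no key store can ever map it back."""
    return fpe_encrypt(secrets.token_bytes(32), digits)


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return luhn_check_digit(number[:-1]) == number[-1]


def mask_pan(key: bytes, pan: str) -> str:
    """Assumed pattern, not from the page: keep the 6-digit BIN in clear so
    routing/analytics rules still hold, FPE the remaining payload digits, and
    recompute the Luhn digit so the masked PAN still satisfies the business
    rule. Every digit kept in clear shrinks the masked domain."""
    if len(pan) < 13 or not luhn_valid(pan):
        raise ValueError("not a Luhn-valid PAN")
    bin6, middle = pan[:6], pan[6:-1]
    payload = bin6 + fpe_encrypt(key, middle, tweak=bin6.encode("ascii"))
    return payload + luhn_check_digit(payload)


def unmask_pan(key: bytes, masked: str) -> str:
    """Recover the original PAN; only possible while the key is retained."""
    bin6, middle = masked[:6], masked[6:-1]
    payload = bin6 + fpe_decrypt(key, middle, tweak=bin6.encode("ascii"))
    return payload + luhn_check_digit(payload)


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # constructed demo key
    pan = "4111111111111111"                # well-known test card number
    masked = mask_pan(key, pan)
    print(pan, "->", masked, "luhn ok:", luhn_valid(masked))
    print("reversible:", unmask_pan(key, masked) == pan)
    print("one-way:", mask_one_way(pan))
```

The design point to take away is the one the report's caution makes: with the key retained, `unmask_pan` recovers every card number, so a masked test database protected this way is exactly as sensitive as the key store; with `mask_one_way` the format is preserved but nothing maps back, which is the right choice when no one ever needs the real value again.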
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.
Vendors must provide SDM technology and/or DDM technology.
For SDM, aside from core data masking capabilities, eligible technologies should include features to ensure application and database integrity; discover sensitive data enterprisewide; provide rule engines for discovery and masking enterprisewide; provide templates and predefined rules; provide reporting and management capabilities; provide integration with application development/testing, data management processes and platforms, and integration with identity-based access controls; and enable data masking for heterogeneous platforms.
Vendors must be determined by Gartner to be significant players in the market because of their market presence or technology innovation.
Vendors must have at least $1.5 million in yearly revenue from data masking-related products or more than 30 clients, or they must demonstrate a futuristic, visionary approach in the data masking space.
Vendors must have products that were generally available (not beta) before 30 March 2013.
Product or Service: This criterion evaluates the vendor's data masking product. It includes current product or service capabilities, quality and feature sets. We give higher ratings for proven performance in competitive assessments and appeal to a breadth of users (such as information security specialists, quality assurance and application testing specialists, and data management specialists). We give higher ratings to vendors that offer SDM and DDM technologies. We give higher ratings to vendors that offer data redaction and masking for big data platforms. We give higher ratings to vendors that also offer security technologies (especially data security technologies) other than data masking. We give higher ratings to vendors whose data masking technologies do not depend on other vendors' technologies. We give higher ratings to vendors whose data masking technologies do not depend on their own non-data-masking-related components.
Overall Viability (Business Unit, Financial, Strategy and Organization): This is an assessment of the organization or business unit's overall financial health; the likelihood of the company's strategy to continue investments in the data masking market, and in the broader data/application security space; the data masking revenue amount; the sufficiency of funding sources and staffing; data masking expertise; the number of data masking customers, as well as the number of installed and used data masking products; and the likelihood that the vendor will be successful in its acquisition and/or partnership deals. We also evaluate a vendor's data masking market share and overall mind share, including the number of times the vendor appears on Gartner clients' shortlists.
Sales Execution/Pricing: We account for the data masking growth rate, the company's global reach, its pricing model and its product/service/support/mentoring bundling. We account for the clarity and transparency of the pricing model. We account for the reasons to expect that the vendor's strategy will result in sales volume and revenue growth. We account for sales outside the vendor's home country/region and sales to multiple vertical industries.
Market Responsiveness/Record: We look at the vendor's ability to respond, change directions, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. We evaluate the reputation of the product, the match of the vendor's data masking (and broader data/application security, compliance and also development/test and data management) offering to enterprises' functional requirements, and the vendor's track record in delivering new, innovative features when the market demands them.
Marketing Execution: We evaluate market awareness, as well as the vendor's reputation and clout among security and compliance specialists, and also among application development and testing specialists. We account for the vendor's ability to clearly state objectives that have given rise to the reputation and growth of its market share and mind share in the data masking and data/application security space.
Customer Experience: This is an evaluation of the tool's functioning in production environments. The evaluation includes ease of deployment, operation, administration, stability, scalability and vendor support capabilities. It also includes relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support, as well as the vendor's willingness to work with its clients to customize the product or service, to develop specific features requested by the client, and to offer personalized customer support, mentoring and consulting. We evaluate whether clients find the price of the technology and the total cost of deployment and operation to be reasonable. We also review the vendor's capabilities in all presales activities and the structure that supports them.
Operations: This is the organization's ability to meet its goals and commitments. Factors include the quality of the organizational structure, skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. We also evaluate the vendor's ability to provide methodology, best practices, mentoring and consulting to its clients, and its ability to successfully run partnerships for sales and technology co-development.
Market Understanding: We evaluate the vendor's ability to understand buyers' needs and translate them into products and services. Data masking vendors that show a high degree of market understanding are offering enterprisewide sensitive data discovery for structured and unstructured data, and providing a rule engine for discovery and masking enterprisewide. They offer templates and predefined discovery and masking rules, reporting and management capabilities, integration with application development/testing, and data management processes and platforms. They enable data masking for heterogeneous enterprises, and evolve the scalability, productivity and user-friendliness of data masking tools.
Marketing Strategy: This looks at whether the vendor has a clear, differentiated set of messages that is consistently communicated throughout the organization and is externalized through the website, advertising, customer programs and positioning statements. We give a higher rating to vendors that clearly state their dedication to data masking, security and compliance markets — specifically data and application security; that clearly define their target audience; and that market appropriate packaging of their products and/or services.
Offering (Product) Strategy: We assess the vendor's approach to product development and delivery. This addresses the vendor's focus on security and compliance; its positioning of data masking as an important technology with full-fledged capabilities; its ability to create a network of partners; the optimal balance between satisfying the needs of Type A (leading-edge) enterprises and Type B (mainstream) and Type C (risk-averse) enterprises; and satisfying general/simple requirements and environments as well as sophisticated/advanced ones. We give higher ratings to vendors that address broader security markets with more than one data security technology.
Vertical/Industry Strategy: This looks at the vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments and vertical industries. We give higher ratings to vendors that target multiple vertical industries.
Innovation: We evaluate the vendor's development and delivery of a solution that is differentiated from the competition in a way that uniquely addresses critical customer requirements. We give higher ratings to vendors that develop methods that make data masking more accurate, scalable, and user- and process-friendly. We also give higher ratings to vendors offering solutions that reach into data redaction; DDM; tokenization; format-preserving encryption; data security/cloud access brokers; data security for big data platforms; synthetic data generation; statistical methods to measure, increase, and assure the accuracy and strength of masking; data virtualization; integration with IAM solutions; and data security intelligence.
Table 2. Completeness of Vision Evaluation Criteria
Leaders demonstrate balanced progress in execution and vision. Their actions raise the competitive bar for all vendors and solutions in the market, and they tend to set the pace for the industry. A Leader's strategy is focused on data security and compliance. Its offering addresses the needs of security specialists within the software life cycle (SLC) and data management processes. Leaders' brands are broadly recognized in the data security space. Leaders reach beyond SDM capabilities and encompass the broader data security discipline, including data redaction capabilities, DDM, and also masking data for big data platforms, DAP and security intelligence. At the same time, Leaders are able to amass a relatively large clientele and revenue in this evolving market. A leading vendor is not a default choice for every buyer, and clients are warned not to assume that they should only buy from Leaders. Some clients may find that vendors in other quadrants better address their specific needs.
Challengers are efficient choices to address more narrowly defined problems. Challengers have solid technologies that primarily address the SDM needs of users, and can compete with Leaders in this area. However, they often lack recognition beyond the SDM space, lag behind Leaders and Visionaries in the emerging data security use cases, and lack coverage of broader data security needs, such as DDM, security for big data platforms and data redaction.
Visionaries invest in the leading-edge features that will be significant in the next generation of data security solutions, and give buyers early access to greater security assurance and advanced capabilities. Visionaries can affect the course of technological developments in the market (for example, offering DDM for relational databases, SDM and DDM of big data, data redaction, format-preserving encryption and tokenization, statistical assurance for data masking, security intelligence repositories for the analysis of security and contextual information, and synthetic data generation), but they currently lack the Ability to Execute against their visions compared with the market Leaders. Enterprises typically choose Visionaries for their best-of-breed, evolving features. Other vendors watch Visionaries as indicators of innovation and thought leadership, attempting to copy or acquire their technologies.
Niche Players offer viable, dependable solutions that meet the needs of specific buyers. Niche Players are less likely to appear on shortlists, but they fare well when considered for business and technical cases that match their focus. Niche Players may address subsets of the overall market, and often can do so efficiently and effectively. Enterprises tend to choose Niche Players when the focus is on a few important functions or on specific vendor expertise, or when they have an established relationship with the vendors.
Unlike most security technologies, which aim to protect enterprise assets from outsiders (for example, hackers), data masking technologies also aim to prevent abuse of sensitive data by an enterprise's own employees and other insiders, very often its own IT personnel. Recently, growing evidence that insiders pose at least as serious a threat as hackers has led enterprises to recognize the value of data masking in preventing security and privacy breaches and in meeting regulatory and other compliance requirements for data protection.
The data masking market is evolving toward consolidation of technologies, and offers a variety of solutions from vendors' platforms that include SDM and DDM, data redaction, DAP, and even tokenization, format-preserving encryption, and masking for big data platforms.
Due to data masking's ability to address security threats from insiders and outsiders, and to meet compliance requirements, we expect a relatively high speed of technology maturity (see "Hype Cycle for Application Security, 2013").
The data masking market demonstrates a collection of vendors of different backgrounds and sizes, from small startups founded with the sole purpose of creating and selling data masking tools, to large megavendors adding data masking (often through acquisitions) to complement their broader security technology portfolios. Vendors with backgrounds in application development, application security, data security, data management and data archiving, as well as IT service providers, came to this market because they were attracted by the potential profits driven by regulations and security concerns about sensitive data exposures. It is therefore typical for vendors to offer data masking complemented by other technologies. We estimated the overall SDM revenue of vendors dedicated to SDM to be approximately $130 million in 2012, and we expect that this will rise to $190 million in 2013.
Currently, dedicated data masking vendors face competition on two fronts:
From enterprises' own homegrown data masking solutions
From homegrown data masking solutions offered by ESPs as part of their application development and/or data management services
We expect that, through 2017, both types of homegrown solutions will be pushed into a niche market. Neither group will be able to keep pace with dedicated data masking vendors as requirements, regulations and platforms keep changing. This process has already started, as we witness some ESPs that have their own homegrown solutions arranging partnerships with dedicated data masking vendors to use their tools in the ESPs' service practices.
Data masking is an evolving market. We have been observing the following key market trends driving the market evolution:
The data masking market is splitting into three segments: (1) SDM to protect data at rest (especially test data for application development); (2) DDM to protect production data used mainly for operational purposes; and (3) data redaction, which masks unstructured content such as PDF, Word and Excel files. SDM technology is the most mature of these technologies.
New use cases in data masking implementation have emerged and are evolving rapidly: DDM and SDM for big data platforms, and the use of data masking in cloud access security brokers to address data security in the cloud platform.
Innovative vendors are moving toward consolidated data security platforms that offer more than one data masking technology (for example, SDM and DDM), and even offer more than one data security technology. Such platforms aim to protect production and nonproduction data, data at rest and data in transit; they also aim to fulfill protection statically and in real time.
Enterprises' risk management, compliance and auditing departments — not their IT organizations — are the main drivers of data masking adoption.
A growing number of enterprises are taking a strategic approach to adopting data masking.
We recommend that enterprises take the following actions:
Engage key enterprise stakeholders — especially in risk management, privacy, compliance and auditing roles — in the adoption and implementation of data masking processes. Data masking technologies must, of course, be implemented by the IT organization, but their adoption is and will continue to be driven by enterprises' risk management, compliance and auditing organizations. That is because these organizations and functions recognize (and are responsible for) the consequences of sensitive data exposure. The adoption of data masking is also being driven by regulatory requirements and mandates, such as PCI Data Security Standard (DSS) and HIPAA. Application development outsourcing is another main factor that is accelerating data masking adoption, because data masking can ensure that enterprises' sensitive data will not be exposed to ESPs' developers.
Make data masking technologies and best practices an integral part of the enterprise's SLC and data management processes. Data masking is not just another sort of data manipulation. It is becoming an essential part of the SLC and data management. Data masking should start at the analysis and design phases, where sensitive data is defined and business rules are set up, and continue into the programming and testing phases, where data gets masked for unit and system testing. The data masking scope is broadening into production data masking with DDM and with the redaction of unstructured content.
Additional research contribution and review: Ramon Krikken