
IBM Software
Information Management
Solution Brief

IBM InfoSphere Optim Data Masking solution
Mask data on demand to protect privacy across the enterprise

Highlights:
- Safeguard personally identifiable information, trade secrets, financials and other sensitive data
- Easily mask data on demand using predefined transformations and site-specific routines
- Respond in real time to suspicious requests for data
- Ensure a valid business need to know for sensitive data
- Discover hidden instances of private data so they can be fully protected
- Support compliance with privacy regulations and corporate governance standards

Today’s organizations realize that data is a critical enterprise asset, so protecting that data and the applications that hold it makes good business sense. However, different types of information have different protection and privacy requirements. Therefore, organizations must take a holistic approach to protecting and securing their business critical information:

- Understand where data exists: Organizations can’t protect sensitive data unless they know where it resides and how it’s related across the enterprise.
- Safeguard sensitive data, both structured and unstructured: Structured data contained in databases must be protected from unauthorized access using data transformation techniques such as masking or encryption. Unstructured data in documents, forms, image files, GPS systems and more requires privacy policies to de-identify or mask sensitive data while still allowing needed business information to be shared.
- Protect nonproduction environments: Data in nonproduction, development, training and quality assurance environments needs to be de-identified or masked, yet still usable during the application development, testing and training processes.
- Secure and continuously monitor access to the data: Enterprise databases, data warehouses, file shares and Apache Hadoop-based systems require real-time monitoring and policies to ensure data access is protected and audited. Policy-based controls (like masking or connection termination) based on access patterns are required to rapidly detect unauthorized or suspicious activity and alert key personnel. In addition, data sources need to be protected against new threats or other malicious activity and continually monitored for weaknesses.
- Demonstrate compliance to pass audits: It’s not enough to develop a holistic approach to data security and privacy. Organizations must also demonstrate and prove compliance to third-party auditors.

The IBM InfoSphere Optim Data Masking solution provides comprehensive capabilities to mask sensitive data effectively across applications, reports and databases in production and nonproduction environments. The InfoSphere Optim Data Masking solution de-identifies data anywhere a contextually accurate, yet fictionalized value is appropriate. For example, mask data in flight to fend off a hacker, mask data onscreen in a call center to ensure only those with a valid business need see sensitive client data, mask data in development, Q/A or testing environments, or mask data in extract, transform, load (ETL) or data movement solutions. When you use InfoSphere Optim to mask confidential data, you protect privacy and safeguard shareholder value.

By employing a data protection strategy across all areas and all types of data, organizations can ensure enterprise data is kept secure and protected.

Data privacy across the enterprise

News headlines about the increasing frequency of stolen information and identity theft have focused awareness on data privacy breaches and their consequences. Protecting data privacy is no longer optional—it’s the law. Organizations must have procedures in place to protect privacy in databases, applications and reports in both production and nonproduction systems to comply with data privacy regulations and avoid risk. As data-breach headlines continue to mount, it is clear that data is the most vulnerable enterprise asset.

Organizations need to adopt a policy-driven, on-demand masking approach to proactively protect data privacy and support compliance, especially in a computing era where data is everywhere and growing in volume, variety and velocity.

Data masking offers a best-practice approach

Data masking is the process of systematically transforming confidential data elements such as trade secrets and personally identifying information (PII) into realistic but fictionalized values. Masking enables recipients of the data to use “production-like” information while ensuring compliance with privacy protection rules.

Data masking represents a simple concept, but it is technically challenging to execute. Most organizations operate within complex, heterogeneous IT environments consisting of multiple, interrelated applications, databases and platforms. Organizations do not always know where confidential data is stored or how it is related across disparate systems. The ideal solution must both discover sensitive data across related data sources and mask it effectively.

The InfoSphere Optim Data Masking solution brings flexibility, scalability and adaptability to data masking by helping organizations:

- Understand where sensitive data exists
- Leverage masking services to mask data on demand, anywhere at any time
- Mask data in databases, warehouses and big data environments
- Mask data in both production and nonproduction environments
- Mask data on demand in applications or business reports to support real-time decision making
- Mask data on demand in the cloud
- Mask data in data movement tools such as ETL or data unload utilities

Proven data masking techniques

With the InfoSphere Optim Data Masking solution, users can apply a variety of proven data transformation techniques to replace sensitive real data with contextually accurate and realistic fictitious data. Users can mask data in a single database, across multiple related systems or in applications and reports. Simple examples of the masking techniques in InfoSphere Optim include substrings, arithmetic expressions, random or sequential number generation, date aging and concatenation. Plus, the solution’s context-aware masking capabilities help ensure that masked data retains the look and feel of the original information.

Those capabilities make it easy to de-identify many types of sensitive information, such as birth dates, bank account numbers, street address and postal code combinations, and national identifiers (such as Canada’s Social Insurance numbers or Italy’s Codice Fiscale).

The IBM InfoSphere Optim Transformation Library routines are open and modular services enabling accurate masking of complex data elements, such as credit card numbers and email addresses on demand. You can also incorporate site-specific data transformation routines that integrate processing logic from multiple related applications and databases. InfoSphere Optim offers the flexibility to support even the most complex data masking requirements.

The InfoSphere Optim Data Masking solution provides masking services to allow users to mask data on demand to meet business and compliance requirements (see Figure 1). Real-time capabilities to de-identify sensitive data across the enterprise will provide more flexible privacy protection in applications, databases, reports and more. The goal is to deliver integration and scalability as organizations embrace a new era of computing.

[Figure 1: Mask data on demand. Panels: Applications, Reports, Mask on demand. Sample record shown: Patient No.: 123456; SSN: 333-22-4444; Name: Erica Schafer; Address: 12 Murray Court; City: Austin; State: TX; Zip: 78704. Callouts: Ensure valid business need to know to sensitive data; Mask data in real time to respond to suspicious activities; Promote role-based approach to data access.]

Discovery of sensitive data

Some sensitive data is easy to find. For instance, credit card numbers in a column named “credit card num” are not difficult to recognize. Most application databases, though, are more complex. Sensitive data is sometimes compounded with other data elements or buried in text or comment fields. Subject-matter experts can sometimes offer insight, but only if they fully understand the system.

Figure 2 illustrates an example. Table A contains telephone numbers in the “Phone” column. In Table B, however, the telephone number is obscured within a compound field in the “Transaction Number” column. Both instances represent confidential information that must be protected. But while data analysts can clearly recognize the telephone number in Table A, they may well overlook it in Table B. And every missed occurrence of private information represents a risk to the organization.

Table A
Date        Phone         Time
10-28-2008  555 908 1212  13:52:49

Table B
Transaction Number
1352555908121210282008

Figure 2: Confidential information hidden in compound fields poses a privacy risk to the organization.

What is the alternative?

IBM InfoSphere Discovery enables organizations to identify all instances of confidential data—whether clearly visible or obscured—throughout the environment. InfoSphere Discovery works by examining data values across multiple sources to determine the complex rules and transformations that may hide sensitive content. It can locate confidential data items that are contained within larger fields, as described in the prior example, or that are separated across multiple columns.

InfoSphere Discovery delivers automated capabilities that offer greater accuracy and reliability than manual analysis. When used together, the InfoSphere Optim Data Masking solution and InfoSphere Discovery provide the most effective, enterprise-scale solution for locating and masking sensitive data across complex, heterogeneous environments.

Ensuring data integrity

Finding and masking data is part of the solution, but there is an added complication. You need the capability to propagate masked data elements to all related tables in the database and across databases to maintain referential integrity. For example, if a masked data element, such as a telephone number, is a primary or foreign key in a database table relationship, then this newly masked data value must be propagated to all related tables in the database or across data sources. If the data is a portion of another row’s data, that row must be updated with the same data as well.

To minimize risk, data should be masked as close to its source system as possible. In some scenarios, data for tests is copied directly from a live system. In this case, data must be masked “in place” to ensure that the newly created test database is protected for use. In other scenarios, specific subsets of data are extracted using test data management products like the IBM InfoSphere Optim Test Data Management solution. In Figure 3, data is masked during the extract process to ensure that private information is never exposed.

Original data

Customers table
Cust ID  Name           Street
08054    Alice Bennett  2 Park Blvd
19101    Carl Davis     258 Main
27645    Elliot Flynn   96 Avenue

Orders table
Cust ID  Item #   Order date
27645    80-2382  20 June 2006
27645    80-2382  10 October 2006

De-identified data

Customers table
Cust ID  Name            Street
10000    Auguste Renoir  23 Mars
10001    Claude Monet    24 Venus
10002    Pablo Picasso   25 Saturn

Orders table
Cust ID  Item #   Order date
10002    80-2382  20 June 2006
10002    80-2382  10 October 2006

Figure 3: Data masking protects the confidentiality of private information and propagates it accurately throughout the system.

InfoSphere Discovery not only discovers hidden sensitive data, it also provides a full range of data analysis capabilities to discover hidden relationships and bring them clearly into view. By leveraging the combination of InfoSphere Discovery and the InfoSphere Optim Data Masking solution, all relationships will be uncovered and replacement values will be masked consistently and accurately across multiple data sources.

Support for compliance initiatives

To support industry, government and internal compliance initiatives, data masking is a must. The European Union has established the Personal Data Protection Directive as the framework for privacy protection governing its member countries. And many other countries have similar regulations around the world. The US Department of Health and Human Services has enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which addresses the privacy of individually identifiable health information. Additionally, industry coalitions are developing sector-specific governance standards such as the Payment Card Industry Data Security Standard (PCI DSS), initiated by Visa and MasterCard. Implementing InfoSphere Optim helps you comply with these data privacy regulations by protecting the confidentiality of sensitive information across your enterprise.
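The propagation rule described under "Ensuring data integrity" (a masked key must change identically in every related table, and inside any compound field that embeds it) can be sketched as follows. This is an added example, not InfoSphere Optim code: the function names are hypothetical, the rows are the ones shown in Figures 2 and 3, and the masked phone number is a constructed value.

```python
import re

def build_map(originals, substitutes):
    """One-to-one map from each distinct original value to a substitute."""
    distinct = list(dict.fromkeys(originals))
    chosen = substitutes[:len(distinct)]
    if len(chosen) < len(distinct) or len(set(chosen)) != len(chosen):
        raise ValueError("need one unique substitute per distinct original")
    return dict(zip(distinct, chosen))

def apply_map(rows, column, value_map):
    """Rewrite one column with the shared map; reject unmapped (orphan) values."""
    missing = {r[column] for r in rows} - set(value_map)
    if missing:
        raise KeyError(f"no masked value for {sorted(missing)}")
    return [{**r, column: value_map[r[column]]} for r in rows]

def propagate_compound(field, value_map):
    """Replace originals embedded in a digits-only compound field in one pass."""
    table = {re.sub(r"\D", "", o): re.sub(r"\D", "", m) for o, m in value_map.items()}
    if any(len(o) != len(m) for o, m in table.items()):
        raise ValueError("masked value must keep its length inside a compound field")
    # Single pass, longest first, so a masked value is never masked a second time.
    pattern = re.compile("|".join(sorted(table, key=len, reverse=True)))
    return pattern.sub(lambda hit: table[hit.group()], field) if table else field

# Original rows from the page's Figure 3 (street column omitted for brevity).
CUSTOMERS = [
    {"cust_id": "08054", "name": "Alice Bennett"},
    {"cust_id": "19101", "name": "Carl Davis"},
    {"cust_id": "27645", "name": "Elliot Flynn"},
]
ORDERS = [
    {"cust_id": "27645", "item": "80-2382", "date": "20 June 2006"},
    {"cust_id": "27645", "item": "80-2382", "date": "10 October 2006"},
]

def mask_figure3():
    id_map = build_map([c["cust_id"] for c in CUSTOMERS], ["10000", "10001", "10002"])
    name_map = build_map([c["name"] for c in CUSTOMERS],
                         ["Auguste Renoir", "Claude Monet", "Pablo Picasso"])
    customers = apply_map(apply_map(CUSTOMERS, "cust_id", id_map), "name", name_map)
    return customers, apply_map(ORDERS, "cust_id", id_map)  # same map keeps the join valid

def mask_figure2():
    # Phone and transaction number are from Figure 2; the masked phone is constructed.
    return propagate_compound("1352555908121210282008", {"555 908 1212": "555 010 0199"})

if __name__ == "__main__":
    print(mask_figure3(), mask_figure2())
```

A plain digit-run replacement can also hit coincidental matches in unrelated fields, so in practice the offset of the embedded value should come from the discovered field layout rather than from searching alone.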

InfoSphere Optim provides a scalable data masking solution with flexible capabilities that can be easily adapted to your current and future requirements. You also benefit from knowing that InfoSphere Optim supports all leading enterprise databases and operating systems, including IBM DB2, Oracle, Sybase, Microsoft SQL Server, IBM Informix, IBM IMS, IBM Virtual Storage Access Method (VSAM), Teradata, IBM Netezza, Adabas, Microsoft Windows, UNIX, Linux and IBM z/OS. In addition to providing data management support for all custom and packaged applications, InfoSphere Optim has the meta-model knowledge to support the key enterprise resource planning (ERP) and customer relationship management (CRM) applications in use today: SAP, Oracle E-Business Suite, PeopleSoft Enterprise, JD Edwards EnterpriseOne, Siebel and Amdocs CRM.

warehousing, master data management and information governance, all integrated around a core of shared metadata and models. The portfolio is modular, allowing you to start anywhere, and mix and match InfoSphere software building blocks with components from other vendors, or choose to deploy multiple building blocks together for in