Data Masking Tool from Camouflage Now Supports DB2/400
December 15, 2009 Alex Woodie
System i shops that are concerned about the security of their sensitive data when it’s in the hands of outside developers should take a look at a data masking tool that recently became available from Camouflage Software. With the version 3.6 release of Camouflage Enterprise, the Canadian company is now able to obscure data stored in DB2/400, giving System i shops another weapon in their battle to protect personally identifiable customer data, and avoid the wrath of regulators.
If IBM’s recent acquisition of Guardium is any indication, database security is a big concern for Fortune 500 companies. While companies may have overlapping levels of security protection in place at the application and network levels, they have been leaving their critical data vulnerable to credentialed insiders who are already inside the firewall. That’s a big problem.
Poised to be one of the hottest subsets of database security in 2010 is data masking. Data masking refers to the process of making data illegible to humans, but legible enough that it doesn’t impact activities like application development and quality assurance (QA) testing, which require a certain quality of data.
IBM made a big move into data masking two years ago with its acquisition of Princeton Softech, which developed the Optim line of data archiving, data test management, and data masking software. Today the Optim software is a key component of IBM’s data management suite; however, the fact that Optim supports nearly all platforms except DB2/400 leaves a big hole that IBM’s competitors are glad to fill.
There are several i OS data masking solutions available today from i OS security software vendors. However, for larger System i shops that run a variety of servers and databases, it makes sense to buy a single data masking solution that can cover all platforms.
Camouflage Software offers such a tool. And while its data masking competitor dataguise may have been the first to announce its intention to provide data masking for DB2/400, it appears that Camouflage Software beat dataguise to market with an actual product. In any event, expect more players to enter this space.
Advantages Over Encryption
There are a few things you should keep in mind if you are wondering whether to encrypt your database or mask it, says Ashar Baig, vice president of product development and marketing for Camouflage Software, which is based in St. John’s, Newfoundland, but which maintains a regional office in Toronto, Ontario.
“It’s different than encryption because whatever you encrypt can be decrypted. Data masking, on the other hand, is a one-way process,” Baig says. “Secondly, encrypted data looks like 0s and 1s, which you can’t make any sense of. Conversely, masked data looks very similar to what normal data would look like. The only difference is, you can’t use it.”
Masked data looks so normal that it’s nearly impossible for somebody to tell whether data has been masked, if it’s been done correctly. That’s because that data maintains its correct form: dates of birth still contain eight numbers, Social Security numbers nine, and Visa and MasterCard numbers 16. (American Express uses 15 digits.) Camouflage Enterprise ensures that masked data does not deviate from certain ranges.
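To make the format-preserving, one-way idea concrete, here is an added Python example (not Camouflage's code or algorithm, which the article does not describe) that masks an SSN, a card number, and an eight-digit birth date while keeping digit counts, separators, and a valid date range. The HMAC-SHA256 approach, the key, the function names, the date range, and the sample record are all assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed demo key (assumption): keep a real one away from the masked copy.
MASK_KEY = b"constructed-demo-key"

def _digest(value: str, field: str) -> bytes:
    """Keyed one-way digest (HMAC-SHA256); there is no inverse operation."""
    return hmac.new(MASK_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()

def mask_digits(value: str, field: str) -> str:
    """Swap every digit for a derived one; length and separators are kept."""
    digest = _digest(value, field)
    out, used = [], 0
    for ch in value:
        if ch.isdigit():
            # byte % 10 has a slight bias, acceptable for test data
            out.append(str(digest[used % len(digest)] % 10))
            used += 1
        else:
            out.append(ch)
    return "".join(out)

def mask_birth_date(value: str, earliest=date(1930, 1, 1),
                    latest=date(2000, 12, 31)) -> str:
    """Map a YYYYMMDD value to a real calendar date inside the allowed range."""
    span = (latest - earliest).days + 1
    offset = int.from_bytes(_digest(value, "dob")[:8], "big") % span
    return (earliest + timedelta(days=offset)).strftime("%Y%m%d")

def mask_record(rec: dict) -> dict:
    """Return a masked copy; the input record is left untouched."""
    return {
        "ssn": mask_digits(rec["ssn"], "ssn"),
        "card": mask_digits(rec["card"], "card"),
        "dob": mask_birth_date(rec["dob"]),
    }

# Constructed sample record, not real data.
SAMPLE = {"ssn": "123-45-6789", "card": "4111 1111 1111 1111", "dob": "19740215"}

if __name__ == "__main__":
    print(mask_record(SAMPLE))
```

Because the output is derived deterministically from the input and the key, the same original value masks to the same result in every table, which keeps joins between masked columns consistent.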
There are various ways data can be masked, Baig says. “But the most important thing is the masked data looks real, so you can give it to your developers, your partners, and your customers. They want to see what your data looks like before they develop any applications for you, but they can’t make out any data. You can securely give that information to them, because they can’t use it.”
Camouflage recently added support for System i servers and z/OS mainframes at the request of several customers, including a large bank in Greece, a federal agency, and a regional Blue Cross/Blue Shield organization. “Our software is pretty much agnostic of platform, operating systems, and chipsets. But especially when it comes to DB2 on the mainframe and iSeries, there are certain system calls, certain data relationships, that you have to understand and test accordingly, before you claim support for it,” Baig says.
Lots of Planning Required
Camouflage Software is doing brisk business with its software, Baig says. Customers are often discouraged by IBM and others who say their large-scale data masking projects will take years to implement and cost into seven figures, which scares them, he says. “These larger companies bring in an end-to-end solution, even though the customer is saying ‘I just need masking, not all the bells and whistles.’ But they tell the customer they need it, and that it will take a long, long time.”
It is true that data masking requires a lot of careful planning, but it can be accomplished in weeks or months, not years, according to Baig. The first step is finding out where sensitive data resides, and who needs access to it. Then customers must add additional columns to the database to house the masked data, and applications must be modified to look for the masked data instead of the real production data. (“We never touch production data,” Baig says. “That’s a no-no.”)
The big obstacle to data masking is the need to periodically update the masked data. Because data is continually changing, the masked copy gets out of date. IBM has addressed this with the first so-called on-the-fly edition of its Optim data masking technology. Camouflage is also developing on-the-fly masking technology, which should be available sometime in 2010.
Before then, version 4.0 will ship, which will include a new data discovery module, as well as pre-defined templates that will streamline the process of achieving compliance with regulations like PCI and HIPAA, Baig says.
Camouflage sells two versions of its software, an Enterprise version and an SMB version, as well as a handful of add-on modules that include the translation matrix, the subsetting engine, the de-masking engine, and database-specific masking templates for PeopleSoft Enterprise and Oracle E-Business Suite.
The Enterprise version, which starts at $60,000, includes all of the add-on modules, whereas the SMB version, which starts at $15,000, includes just the data masking engine. SMB customers can purchase add-on modules for $10,000 each. There is also a quick-start package that costs $10,000 and includes implementation services, training, and education. For more information, visit the company’s Web site at www.datamasking.com.