Data Masking Software

Data Masking Challenges

Reliable data masking is very challenging to accomplish these days on the corporate desktop due to the following factors:

  • Applications are built in multiple technologies (mainframe, web, legacy, native desktop, Flash, Flex, Silverlight, etc.)
  • The dynamic nature of today's application UIs means that fields move around and can be re-sized, scrolled, etc., with no guarantee of a specific screen position
  • SaaS-based and 3rd-party applications can change without notification, and you don't have control of or access to the source code to make changes yourself

As a result, to achieve reliable data masking, you must employ multiple techniques depending upon the type of UI and type of application.

 

How does the OpenSpan data masking technology work?

OpenSpan features a highly advanced, codeless injection technique that leverages the interaction between software applications and the underlying Windows operating system. This gives you full control over any application accessible to a business user, regardless of the underlying technology that the application is built in, or whether the application is web, SaaS, on-premise, virtualized or Citrix hosted. OpenSpan employs a sophisticated "matching" technology that enables any field or application object to be identified irrespective of screen location, changes to the screens, or the existence of dynamic content.

OpenSpan data masking techniques

OpenSpan can employ many techniques to dynamically limit or control access to data, or to mask it, based on contextual business rules or by user/role, such as the ability to:

  • Show or hide fields, make fields read-only or disable input
  • Disable or hide menu options, links or buttons, preventing access to complete screens or preventing the ability to save or submit data changes unless certain conditions are met
  • Change field properties (e.g. change to a password type) so that characters are replaced with a masking character
  • Mask portions of screens by coordinate or positional location and size
  • Hide specific screens or entire applications (and optionally remove them completely from the desktop) and replace with a new composite UI that shows only the desired data
  • Intercept data input and substitute with tokens (via integration with 3rd-party tokenization solutions)
  • Log attempts or generate alerts when a user tries to access or update sensitive data

How does the OpenSpan data masking tool differ from other data masking solutions?

Network Monitors: Some masking solutions monitor network traffic and can dynamically modify 3270 and HTML content before it's delivered to the client desktop. These solutions have several drawbacks:

  • They require expensive server-side hardware
  • They are very difficult to configure, and you must "reverse engineer" the protocol content to figure out what to mask
  • The application may break if the data is returned to it in a masked form. Re-substitution of valid data into the data channel is problematic and complex to configure
  • Scalability: they require all network traffic to be funneled through a single point of failure
  • They only work with 3270 and simple HTML apps. They do not work with client-server apps or apps that use proprietary or encrypted data communications
  • OpenSpan advantage: OpenSpan can see and control all applications regardless of the underlying technology or the data communications channel being employed. OpenSpan scales infinitely, does not require network configuration changes and does not require expensive server-side hardware, but rather only a small runtime to be deployed on each client. OpenSpan solutions are built visually by dragging and dropping over the screens and fields to be masked.

Positional Masking: Some masking solutions can cover fields and portions of screens with a graphic overlay. As discussed previously, this technique has several disadvantages:

  • Cannot handle dynamic screens and apps (e.g. web) that support re-sizing and scrolling
  • If a user can tab or click to the correct location (blindly), they can still possibly change the data or copy and paste it
  • OpenSpan advantage: OpenSpan supports positional masking as only one of several techniques. OpenSpan overcomes the "blind" access weakness by disabling access to the underlying fields so that copy/paste and data entry are not allowed. Or, with OpenSpan, you can simply use a different technique if positional masking is ineffective.

Composite Application Replacement: Some masking solutions require you to create an entire new application UI to replace the prior UI. These solutions have several limitations and disadvantages:

  • Some require, again, expensive new server-side hardware, with scalability and single point of failure concerns
  • Require re-training of users
  • Require complete replacement of the old application and re-configuration of the desktop
  • OpenSpan advantage: Again, with OpenSpan, you can create a composite replacement for the original application as one of the supported techniques. However, the OpenSpan composite does not have to replace the entire application. With OpenSpan, you can use a composite to replace only the screens or portions of screens that contain the sensitive data, minimizing the re-training effort associated with the new composite. OpenSpan also does not require any server-side components, as the composite can run on the desktop alongside the original application. OpenSpan will hide the original application or screens and show the composite replacement only at the points in the workflow where it is required.

Summary: OpenSpan provides many advantages over other data masking solutions.

  • Most comprehensive set of masking techniques to cover virtually any scenario or application technology
  • Least invasive technology and easiest to deploy and maintain
  • Single IDE used for implementation of all masking techniques
  • Can also be used to monitor desktop activity for compliance audit and logging
  • Can also be used to automate manual tasks, including automation of transactions that require access to sensitive data even though the data has been masked by OpenSpan

 
