G12.2012 magic quadrant for data masking technology

Magic Quadrant for Data Masking
Technology
20 December 2012 ID:G00229118
Analyst(s): Joseph Feiman, Carsten Casper
VIEW SUMMARY
Data masking should be mandatory for enterprises using copies of sensitive production data for
application development, analytics or training. The market is expanding into production and
unstructured data protection. It is populated with specialized and diversified vendors, and is in growing
demand.
Market Definition/Description
Sensitive data (such as credit card numbers), personally identifiable information (such as Social
Security numbers), medical diagnoses and even nonpersonal sensitive data (such as corporate financial
information and intellectual property) are exposed to abuse or negligence from enterprise employees
and outsiders.
Data masking aims to prevent the abuse of sensitive data by hiding it from users. Technology vendors
offer multiple data masking techniques, such as replacing some fields with similar-looking characters,
replacing characters with masking characters (for example, "x"), replacing real last names with fictional
last names and reshuffling data in the database columns. Data masking is also known as data
obfuscation, data privacy, data sanitization, data scrambling, data deidentification, data anonymization
and data deauthentication.
Adopting data masking helps enterprises raise the level of security and privacy assurance against
abuses. At the same time, data masking helps enterprises meet compliance requirements with the
security and privacy standards recommended by regulating/auditing authorities.
Potential abusers, whom data masking aims to deter, are often enterprise employees or employees of
outsourcing firms, such as users of test databases (programmers, testers and database administrators)
or users of analytical and training databases (analysts, researchers and trainees).
Data masking technologies should satisfy a simple, yet strict, rule: Masked data should be realistic and
quasi-real — that is, it should satisfy the same business rules as real data. This is to ensure that the
application running against masked data performs as if the masked data is real. Data masking must not
limit a user's ability to adequately use applications. Static data masking (SDM) is a technology to deter
the misuse of data by users of nonproduction (mostly test, but also training and analytics) databases
(typically programmers and testers) by masking data in advance of using it.
The data masking portfolio has been broadening. In addition to SDM technology, which masks
nonproduction databases not in real time, the market is beginning to offer dynamic data masking
(DDM), which masks production data in real time; and data redaction, which masks unstructured
content, such as PDF, Word, and Excel files. Although still evolving, SDM is the most mature of these
technologies, while DDM and data redaction are in earlier phases of evolution.
Because SDM is more mature and more demanded by the clients, we are focusing our evaluations on
SDM, rather than DDM or data redaction. However, because the market is heading toward a
consolidation of the capabilities, we evaluate vendors' DDM and data redaction capabilities as well, but
with a lower emphasis or priority.
Return to Top
Magic Quadrant
Figure 1. Magic Quadrant for Data Masking Technology
EVIDENCE
Gartner used these inputs for developing this Magic
Quadrant:
Analysis of approximately 450 inquiries that Gartner
received during the past three years
Vendors' responses to Gartner's detailed Magic
Quadrant survey
Interviews with clients that each vendor introduced
as typical or best adopters of their SDM
technologies
Product demonstrations
Product briefings
EVALUATION CRITERIA DEFINITIONS
Ability to Execute
Product/Service: Core goods and services offered by
the vendor that compete in/serve the defined market.
This includes current product/service capabilities, quality,
feature sets, skills and so on, whether offered natively
or through OEM agreements/partnerships, as defined in
the market definition and detailed in the subcriteria.
Overall Viability (Business Unit, Financial, Strategy,
Organization): An assessment of the overall
organization's financial health, the financial and practical
success of the business unit, and the likelihood that the
individual business unit will continue investing in the
product, will continue offering the product and will
advance the state of the art within the organization's
portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all
presales activities and the structure that supports them.
This includes deal management, pricing and negotiation,
presales support, and the overall effectiveness of the
sales channel.
Market Responsiveness and Track Record: Ability to
respond, change direction, be flexible and achieve
competitive success as opportunities develop,
competitors act, customer needs evolve and market
dynamics change. This criterion also considers the
vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity
and efficacy of programs designed to deliver the
organization's message to influence the market,
promote the brand and business, increase awareness of
the products, and establish a positive identification with
the product/brand and organization in the minds of
buyers. This mind share can be driven by a combination
of publicity, promotional initiatives, thought leadership,
word-of-mouth and sales activities.
Customer Experience: Relationships, products and
services/programs that enable clients to be successful
with the products evaluated. Specifically, this includes
the ways customers receive technical support or
account support. This can also include ancillary tools,
customer support programs (and the quality thereof),
availability of user groups, SLAs and so on.
Operations: The ability of the organization to meet its
goals and commitments. Factors include the quality of
the organizational structure, including skills, experiences,
programs, systems and other vehicles that enable the
organization to operate effectively and efficiently on an
ongoing basis.
Completeness of Vision
Market Understanding: Ability of the vendor to
understand buyers' wants and needs, and to translate
those into products and services. Vendors that show
the highest degree of vision listen to and understand
buyers' wants and needs, and can shape or enhance
those with their added vision.
Marketing Strategy: A clear, differentiated set of
messages consistently communicated throughout the
organization and externalized through the website,
advertising, customer programs and positioning
statements.
Sales Strategy: The strategy for selling products that
uses the appropriate network of direct and indirect
sales, marketing, service, and communication affiliates
Magic Quadrant for Data Masking Technology http://www.gartner.com/technology/reprints.do?id=1-1DC8KNJ&ct=1...
1 de 11 06/02/2013 11:31 a.m.

Source: Gartner (December 2012)
Return to Top
Vendor Strengths and Cautions
Axis Technology
Axis Technology was founded in 2000 as a consultancy. In 2006, it created a separate division to
develop and market its SDM technology DMsuite.
Axis is for users that need to mask data on various platforms through user-friendly graphical user
interfaces (GUIs). Axis offers its technology at a reasonable price, and provides strong technical support
and professional services to meet clients' specific needs.
Strengths
DMsuite is a Web-based application, which enables multiple distributed user access to its features.
Axis has recently started offering cloud-style SDM as a service.
It offers a user-friendly visual interface, as well as easy-to-learn and easy-to-configure
technology, at a reasonable price.
Axis masks Hadoop data.
Its consultants are available and willing to help implement and customize Axis' SDM to client
needs.
Cautions
Axis lacks clout in the SDM space and in the data security space overall, resulting in small market
and mind share penetration.
Its sales are mostly limited to the U.S.
Axis does not have the data management technologies that often accompany the SDM offerings of
Leaders and some Challengers and Visionaries.
Axis does not have the data security products, such as DDM, database activity monitoring (DAM),
and database audit and protection (DAP), that often accompany SDM offerings by Leaders and
some Challengers and Visionaries.
It offers limited subsetting, limited assurances that the subset is representative and limited
reporting capabilities. (A new release of DMsuite was made available in mid-October 2012, which
aims to improve some of these features.) Axis lacks synthetic data generation and SAP templates.
Return to Top
Camouflage Software
Camouflage Software has demonstrated its vision and dedication to SDM by becoming one of the earlier
SDM vendors (with its first product released in 2004), by marketing its SDM technology on the website
www.datamasking.com, and by pioneering a number of features that have become "must have" for
SDM. This all earned it mind share among clients of the emerging market, and gave it experience and
market understanding. Camouflage markets its SDM technology under the name of Data Masking
Lifecycle Management.
Camouflage attracts clients with mature (considering the still emerging market) technology and a quite
complete set of components and features. It appeals to clients that are looking for a vendor's
willingness to help with product customization and adjustment to enterprise's needs — those looking for
reasonable pricing, affordable to big and smaller enterprises.
Strengths
Camouflage has strong name recognition, and it stands by what it advertises and promises.
It has a strong product and support reputation.
Camouflage offers reasonable pricing.
Its tool is user-friendly and easy to learn, and it is flexible to install, configure and customize.
Its DDM is a work in progress, and it is expanding data redaction beyond Excel files.
that extend the scope and depth of market reach, skills,
expertise, technologies, services and the customer
base.
Offering (Product) Strategy: The vendor's approach
to product development and delivery that emphasizes
differentiation, functionality, methodology and feature
sets as they map to current and future requirements.
Business Model: The soundness and logic of the
vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to
direct resources, skills and offerings to meet the specific
needs of individual market segments, including vertical
markets.
Innovation: Direct, related, complementary and
synergistic layouts of resources, expertise or capital for
investment, consolidation, defensive or pre-emptive
purposes.
Geographic Strategy: The vendor's strategy to direct
resources, skills and offerings to meet the specific needs
of geographies outside the "home" or native geography,
either directly or through partners, channels and
subsidiaries, as appropriate for that geography and
market.
2 de 11 06/02/2013 11:31 a.m.

Cautions
Camouflage markets its technology mostly in North America.
It has a small network of partners that offer its technology and respective services.
Camouflage does not yet have a broader portfolio of data security products, such as DDM
(although it is working on it) and DAM/DAP, which often accompany SDM offerings by some
Leaders and Visionaries.
Its current offering of prebuilt templates for PeopleSoft and SAP is narrower than clients often
request.
Camouflage does not have the data management technologies that often accompany Leaders'
offerings.
Return to Top
Compuware
Compuware offers a variety of technologies in areas such as application performance monitoring,
horizontal portals, business portfolio management and mainframe solutions.
Compuware's SDM Test Data Privacy technology is positioned as part of Compuware's mainframe
solution division, addressing distributed and mainframe platforms since its launch. Compuware's SDM
product makes a strong case for its use in large, enterprisewide projects on a mainframe platform or in
a mixed mainframe and distributed platform, with a focus on mainframe.
Strengths
Compuware exhibits expertise in SDM deployments in large-scale projects, especially with
mainframe platforms.
Compuware offers mainframe test data management (TDM) solutions and its line of File-AID
file/data management products.
It has a well-defined, extensive, best-practice-based methodology and maturity model for SDM
implementations.
Experts are available to assist clients in SDM implementations, including long-term engagements.
Its geographical reach is beyond North America.
Cautions
It lacks a focus and reputation in the security space.
Compared to Leaders, Compuware lacks data security technologies, such as DDM, DAM/DAP and
more comprehensive data redaction.
Its lack of clarity in positioning its SDM technology — its place within Compuware's organizational
structure, partnerships and marketing — weakens its recognition and adoption.
Compared to Leaders, its SDM reputation lacks balance between mainframe and distributed
platforms. Typically, enterprises that prefer Compuware's SDM are heavy mainframe users, while
users of mainly distributed platforms typically look at other SDM vendors.
Discovery — technology that is critical to SDM — is augmented and extended by Compuware's
partner Dataguise, which is an SDM vendor and has a nonexclusive partnership with Compuware.
Return to Top
Dataguise
Dataguise has been founded as an SDM vendor. Recently, it has developed data discovery and security
alert capability for Hadoop, which has been certified by Hadoop distribution vendor Cloudera. Dataguise
markets its SDM product under the name of DgSecure. Dataguise is suitable for organizations that are
looking for an easy-to-learn, user-friendly product with a flexible masking rule engine, with good
performance characteristics and at reasonable price.
Strengths
It has strong discovery technology, which Dataguise's partner, Compuware, uses in its own SDM
offering.
Dataguise's technology is easy to learn, and its Web-based architecture supports multiple user
locations.
It provides good customer service and mentoring.
It offers good reporting, which uses security and some contextual information collected in the
DgSecure repository.
Dataguise explores using virtualization instead of subsetting.
Cautions
Through 2013, customers and prospects should watch how Dataguise solidifies its market
presence through the implementation of its plans for revenue and market share growth.
Dataguise's market is mostly limited to the U.S. It plans to launch its chain of international
partners in 2013. Dataguise focuses on finance, government and healthcare verticals.
It lacks TDM technologies and is missing SDM integration with data modeling tools.
Dataguise lacks some of the data security technologies, such as DDM, DAP/DAP and data
redaction, that often accompany SDM.
It masks a limited number of databases: Oracle, Microsoft SQL Server, DB2 (distributed and
mainframe) and Postgres.
Return to Top
Grid-Tools
Grid-Tools was founded in 2004 to deliver test data discovery, design, creation, refreshment,
comparison, management and data masking, which it combines in its Datamaker suite. Datamaker is
3 de 11 06/02/2013 11:31 a.m.

optimized for SDM use by application testers, and it fits well into an agile development paradigm. The
company offers an advanced scalable technology aimed at complex and large environments —
multiplicity of various interconnected databases on mainframe and distributed platforms.
Strengths
Grid-Tools demonstrates innovation in using synthetic data generation for masking purposes,
which provides higher assurance that the data selected for masking is accurately representing
source data.
It offers advanced techniques for assuring application integrity and the quality of the test data (for
example, dynamically building SDM templates while doing discovery for higher accuracy of
representing the most current state of the data).
It demonstrates higher performance in large and complex development/test environments.
Grid-Tools' pricing model is clear and understandable by developers and testers.
The U.K.-based company is working on creating a network of partners to reach into other
geographies (particularly the U.S.).
Cautions
It lacks other data security technologies used for protection of production data (for example,
DAM/DAP or DDM), compared to some Leaders and other Visionaries.
It lacks prebuilt compliance reporting, so it requires customization from enterprises.
Grid-Tools needs to enhance user friendliness for less sophisticated users. Its command-line
interface is powerful, yet not as user-friendly as a GUI.
Its current marketing messaging seeks mostly developers and testers, and misses security
professionals.
Return to Top
IBM
IBM entered the SDM market in 2007 by acquiring Princeton Softech with its Optim data masking,
archiving, subsetting and data management technologies. After IBM's 2009 acquisition of DAM/DAP
vendor Guardium, development, marketing and sales resources of the two were combined, accelerating
the development of DDM. IBM's acquisition of Exeros in 2009 also made a contribution to SDM, because
Exeros' data search technology enables the discovery of sensitive data that should be masked. IBM
markets its SDM product under the name of InfoSphere Optim Data Privacy. As part of the solution,
IBM offers discovery and subsetting. IBM technology is for enterprises with homogeneous or
heterogeneous environments, with many and various databases and files. These enterprises are
typically large ones that are pressed by security and compliance regulations.
Strengths
IBM has a strong SDM reputation and the largest installed client base. It is the most frequently
referenced SDM vendor by Gartner clients, especially large ones.
It has the availability of resources to operate globally.
IBM provides the technologies often requested by those shopping for SDM, including data security
technologies (such as data redaction and DAM/DAP), TDM, data archiving, application retirement,
e-discovery, data management, DBMS, and application development and testing technologies
within its Rational suite. IBM also provides the leading application security technologies — such as
static application security testing (SAST), dynamic application security testing (DAST) and
interactive application security testing (IAST) — that are used (same as SDM) at the development
and test phases of the software life cycle (SLC).
It has IBM mainframe and iSeries legacy expertise.
IBM has an evolving network of partners (including large consultancies) to propagate SDM.
Cautions
Gartner clients often complain about the high cost of IBM SDM, typically higher than the cost of
most of its competitors. Some clients that have chosen IBM's competitors stated that they did it,
not because of the insufficiency/weakness of IBM's technical features, but because of the high cost
of IBM technology.
Clients complain that IBM's pricing model, which is based on the power of CPUs, is difficult to
understand and assess by such users of data masking as developers and testers. IBM has recently
introduced a new pricing model, which is easier to understand, and we recommend that our clients
evaluate it.
Some clients also point to a complexity of learning IBM's SDM technology suite. IBM has recently
introduced a new version of its SDM tool with a simplified UI, and we recommend that our clients
evaluate it.
The quality of sales and technical support skills is inconsistent across IBM's enlarging prospect and
client base.
Return to Top
Informatica
Informatica has historically offered some data masking features within a broad portfolio of data
management tools composing its platform. Informatica has combined them with features of the SDM
tool from Applimation, the vendor it acquired in 2009. In 2011, it acquired DDM startup ActiveBase,
thus enlarging its data security offering. Informatica markets its SDM product as Informatica Persistent
Data Masking. Informatica's SDM appeals to enterprises with complex and heterogeneous database
environments and requirements to mask data frequently to meet developers' and testers' needs.
Current users of Informatica's PowerCenter are more likely to put Persistent Data Masking on their
shortlists when shopping for SDM, because it complements the portfolio of data management features
they already use.
Strengths
Informatica has a strong SDM reputation and one of the largest installed SDM customer bases.
4 de 11 06/02/2013 11:31 a.m.

Informatica is one of the top frequently referenced SDM vendors by Gartner clients.
It is a leader in data management — data integration, data quality and master data management.
Informatica exhibits innovation in the DDM space.
It is expanding its geographical reach. Informatica partners with global system integrators and
external service providers (ESPs) that use Informatica's SDM.
Its discovery process results in "impact analysis," reports on where sensitive data is used and
simulations of masking for assessing the masking's impact on the test use cases.
Cautions
Some clients, especially smaller ones, state the high cost of Informatica's SDM.
Its sales force has traditional experience in data management; however, it sometimes lacks the
expertise necessary for supporting data security.
Although Informatica's mainframe support is significant, its SDM for mainframes is less mature
than the one for distributed platforms.
Informatica lacks partnerships with testing automation vendors (for example, HP) to better
compete with IBM's Optim/Rational pairing (although, technologically, Informatica offers
integration with HP's testing suite, and has partnerships with global test service providers).
Informatica's lack of clarity in stating that data security is a strategic direction limits its
opportunities in the data security space.
Return to Top
Mentis
Mentis offers a portfolio of solutions for sensitive information management, including SDM (iScramble),
data discovery (part of the Mentis platform), data access monitoring (iMonitor), DDM and data
redaction (iMask), and database intrusion prevention (iProtect). Mentis' primary sales target is the
financial industry. Mentis will meet the needs of enterprises looking for strong discovery technology;
friendly support, mentoring, and willingness to understand and accommodate client requirements;
useful templates for packaged systems such as Oracle E-Business Suite and PeopleSoft; and
technologies beyond SDM aiming to protect production data in real time (DDM and DAM/DAP).
Strengths
In addition to SDM, Mentis offers DDM and DAM/DAP. Intelligence acquired by all its tools is
shared across the platform.
To increase the accuracy of discovery, it analyzes not only data, but also application codes that
access data, such as Java, C++, Oracle Forms, PL/SQL, TSQL, and COBOL.
For compliance, Mentis uses a classification engine instead of numerous regulation templates.
Masking suggestions can be validated before taking effect.
It offers strong support of ERP systems, such as Oracle E-Business Suite and PeopleSoft.
Mentis offers a pricing model that is understandable by developers and testers. It charges per
application or group of applications to be masked.
Cautions
Through 2013, customers and prospects should watch how Mentis solidifies its market presence
through the implementation of its plans for revenue and market share growth.
It masks a limited number of databases — Oracle, Microsoft SQL Server and, recently, DB2
(mainframe and distributed).
Mentis focuses on important — yet a limited number of — packaged applications, such as Oracle
E-Business Suite and PeopleSoft. A relatively small percentage of Mentis customers use its SDM
for non-ERP solutions.
It does not offer subsetting.
Prospects should request Mentis to expand its presence beyond North America.
Return to Top
Oracle
Oracle's SDM — Oracle Data Masking Pack — is an addition to its already large and strong data security
portfolio. Oracle Data Masking Pack mostly appeals to enterprise users of the Oracle technology stack —
database, middleware and packaged applications such as PeopleSoft and E-Business Suite.
Strengths
Oracle exhibits high performance in masking data in Oracle Database.
The broad adoption of Oracle Enterprise Manager (part of which is Data Masking Pack) promotes
adoption of Data Masking Pack to the users of Enterprise Manager.
Oracle has expertise in popular packaged systems PeopleSoft and Oracle E-Business Suite, which
results in the availability of prebuilt templates for these systems.
It has expertise in DBMS security, and other data security products are available.
Oracle has a global reach. There is an abundance of Oracle experts among IT professionals
worldwide.
Cautions
Oracle RDBMS and Oracle Database Gateways must be part of the masking solution for
non-Oracle databases.
Oracle's Data Masking Pack is used primarily in Oracle Database masking cases, because its
architecture is less optimized for addressing the heterogeneity of databases, files and platforms.
The SDM tool is not clearly visible in the variety of Oracle's data management and security
technologies.
5 de 11 06/02/2013 11:31 a.m.

Return to Top
Privacy Analytics
Privacy Analytics brings statistical science into SDM. Its tool Parat assesses, measures and manages the
risk of reidentification of masked data. Parat provides risk analysis functionality based on an
enterprise's security and privacy practices, the sensitivity of the dataset, and the possibility of
reidentification. It can also deidentify the data to meet risk thresholds. The company provides
consulting in assessing the risk of reidentification and help in Health Insurance Portability and
Accountability Act (HIPAA) certification. Privacy Analytics' technology and methods are aiming primarily
at healthcare organizations that are looking for quantifiable and defensible proofs that deidentified
sensitive data will withstand the scrutiny of external audits and even of legal contest.
Strengths
Risk assessment methods enable setting and measuring the appropriate level of masking. Parat
offers risk metrics to measure the risk of reidentification and privacy disclosure. Its metrics include
the probability of reidentification, where risk measurement is based on academic peer-reviewed
research.
Using analysis of the existing regulations and protection measures, Privacy Analytics defines the
threshold for deidentification breach. It helps to ensure that the risk of exposure is lower than a
user-specified threshold.
Privacy Analytics provides references to the precedents that could be used in audit or court
hearings of adherence to and violation of privacy.
It enables the analysis of different types of potential attacks with respective protection scenarios.
Its deidentification algorithm is adjustable to minimize distortion of the original data.
Cautions
Parat does not support deidentification across multiple databases. It works with multiple tables
within a single database.
Parat has discovery within datasets but not across databases. It does not have subsetting
technologies.
Parat covers a limited number of platforms (Windows only) and limited number of databases
(Oracle Database, Microsoft SQL Server and Microsoft Access only). It does not offer special
analysis and templates for packaged systems, such as SAP, PeopleSoft and Oracle E-Business
Suite.
SQL Server is a mandatory part of the tool. For small business cases, users can use free-of-charge
Microsoft SQL Express; however, for larger cases, users have to license Microsoft SQL Server.
Privacy Analytics does not offer "on the fly" masking.
Return to Top
Solix Technologies
Solix Technologies enters SDM from its main expertise's space — database archiving, management and
application retirement, which remains its primary focus. It requires stronger commitment to SDM and
needs to earn broader SDM name recognition and sales outside its traditional base, which buys its
platform primarily for data management, archiving and retirement. Solix SDM, called Solix EDMS Data
Masking, is a part of Solix Enterprise Data Management Suite (EDMS). Solix is well-suited for the needs
of the clients that already use it for other than SDM capabilities, and for users that need to easily and
inexpensively add SDM capabilities and start conducting SDM within an already familiar set of EDMS
data management functions.
Strengths
Solix exhibits expertise in data archiving and application retirement, which serve as opportunities
to sell data masking to the existing clientele.
Its suite of solutions covers archiving, test management, application retirement and data masking.
It offers managed data masking services.
Even being a smaller vendor, Solix has customers not only in North America, but also in Asia and
Europe, which come from manufacturing, banking, telecom and, more recently, healthcare.
Solix offers a free download for a limited version of its SDM software.
Cautions
Solix has not earned a strong SDM reputation. A substantial number of its clients are users of its
other technologies.
It does not offer a broad portfolio of data security tools, such as data redaction, DDM and
DAM/DAP.
Solix doesn't address testers' needs with test data design, sampling, synthetic data generation
and the accuracy of test data capabilities.
Its offering lacks integration with the popular development and testing platforms requested by
users, such as the ones from HP and IBM.
Its offering of prebuilt templates (for example, for non-U.S. personal data and postal addresses) is
narrower than clients often expect and request.
Return to Top
Voltage Security
Voltage Security focuses on data protection, which includes encryption and tokenization of data in
applications, databases, files, email and transactions. Voltage extends its encryption expertise to SDM.
Its Voltage SecureData Enterprise product uses Format-Preserving Encryption (FPE) to mask sensitive
data. Voltage is well-suited for users that need a tool that has a data masking technique based on FPE
as its main feature. Voltage is designed to enable enterprises to build data masking capability into
existing workflows and data management frameworks using a set of APIs and processing tools that are
compatible with extraction, transformation and loading (ETL) and data management solutions across
6 de 11 06/02/2013 11:31 a.m.

open systems, Hadoop, Amazon Web Services, mainframe, HP Nonstop, Stratus and Teradata. Strong
revenue growth from overall Voltage data protection technology has been demonstrated by Voltage
over the past 18 months in large use cases. Users should be prepared, however, to use other vendors'
tools for such SDM functions as sensitive data and relationship discovery, subsetting, masking
templates, flexibility, and a variety of masking rules.
Strengths
Voltage has expertise in data encryption. Voltage FPE is a patented, innovative method of
encryption that leverages the strength of existing encryption algorithms — specifically the
AES-FFX cipher mode (on track for standardization by the National Institute of Standards and
Technology). FPE can be used to protect production data for use in application operations, as well
as test data for use in application development/test, training and analytics.
It demonstrates the easy-to-implement enablement of database integrity across geographically
distributed and large data systems. Because FPE eliminates the need for mapping tables or
databases, it is well-suited for projects requiring high scalability.
Data that is masked with Voltage FPE can be easily reversed to its original state if required or be
made irreversible using one-time, 256-bit FPE keys.
FPE-based data masking is positioning Voltage toward growth in the emerging markets based on
such technological paradigms as cloud computing and big data.
For organizations with existing processes for migrating data from production to test/development
(for example, ETL tools), Voltage can integrate directly into the existing workflow, obviating the
need for new migration mechanisms.
Cautions
Voltage offers just one of several critical components of SDM technology — data masking via FPE.
Its data protection capability is part of a wider data protection solution that includes other
vendors' components. Those other critical components (such as discovery, subsetting and TDM
capabilities) are provided by Voltage's partners — mainly Informatica, and also Syspedia.
Voltage masking is easy for simpler, upfront and well-defined cases. For more complex cases with
complex data relationships that need data and relationship discovery and analysis, it requires the
use of tools from Voltage partners.
Voltage SecureData Enterprise is a platform for masking and data protection, and users need to
plug it into an existing application development workflow. It does not provide test data
management itself.
Voltage requires the installation of one or more virtual appliances to define data protection,
masking, authentication and authorization policies, stateless key management, and event
reporting. Data protection and masking APIs, libraries, mainframe tools, batch processing tools,
and services to mask data to and from databases have to run on the appliance.
Like any encryption using AES, the reversibility of FPE-based masking using AES-FFX poses a risk
that encrypted data will be disclosed if keys are compromised.
Return to Top
Vendors Added or Dropped
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change.
As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may
change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next
does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection
of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.
Return to Top
Added
This is a new Magic Quadrant.
Return to Top
Dropped
This is a new Magic Quadrant.
Return to Top
Inclusion and Exclusion Criteria
Inclusion criteria:
Vendors must provide SDM technology.
Aside from core SDM capabilities, eligible SDM technologies should include features to ensure
application and database integrity, discover sensitive data enterprisewide, provide rule-engine for
discovery and masking enterprisewide, provide templates and predefined rules, provide reporting
and management capabilities, provide integration with application development/testing and data
management processes and platforms, and enable SDM for heterogeneous platforms, applications
and systems. For technical capabilities' details, see "Toolkit: Checklist for Selecting a Static Data
Masking Vendor/Technology."
Vendors must be determined by Gartner to be significant players in the market because of market
presence or technology innovation.
Certain SDM solutions/capabilities are available in many IT organizations, consultancies and
vendor organizations. Thus, we are including only vendors that offer full-fledged SDM technology.
Vendors' SDM yearly revenue must exceed $1 million as of August 2012.
Exclusion criteria:
Open-source technologies are excluded because of the lack of enterprise-class capabilities,
7 de 11 06/02/2013 11:31 a.m.

services and support.
Low-cost, rudimentary solutions that focus on data masking techniques but lack other critical
capabilities of a full-fledged SDM technology (see "Toolkit: Checklist for Selecting a Static Data
Masking Vendor/Technology") aren't included.
ESPs are excluded if they offer SDM as one of the solutions in their portfolio of services (such as
application development or testing), but not as a full-fledged product.
Return to Top
Evaluation Criteria
Ability to Execute
Product/Service: This criterion evaluates the vendor's SDM product. It includes current
product/service capabilities, quality and feature sets. We give higher ratings for proven performance in
competitive assessments, appeal to a breadth of users (such as quality assurance and testing
specialists, as well as information security specialists), and appeal with security technologies other than
SDM (regardless of whether they are data-security-related). We also give higher ratings to the vendors
whose SDM technologies do not depend on other vendors' technologies. We give higher ratings to the
vendors whose SDM technologies do not depend on their own non-SDM-related components.
Overall Viability (Business Unit, Financial, Strategy and Organization): This is an assessment of
the organization's or business unit's overall financial health; the likelihood of the company's strategy to
continue investments in the SDM market and in a broader data/application security space; SDM
revenue amount; the sufficiency of funding sources and staffing; SDM expertise; the number of SDM
customers, and the number of installed and used SDM products; and the likelihood that the vendor will
be successful in its acquisition and/or partnership deals. We also evaluate a vendor's SDM market share
and overall mind share, including the number of times the vendor appears on Gartner clients' shortlists.
Sales Execution/Pricing: We account for the SDM growth rate, the company's global reach, its
pricing model and product/service/support/mentoring bundling. We account for the clarity and
transparency of the pricing model. We account for the reasons to expect that the vendor's strategy will
result in sales volume and revenue growth. We account for sales outside the vendor's home
country/region and sales to multiple verticals.
Market Responsiveness and Track Record: We look at the vendor's ability to respond, change
directions, be flexible and achieve competitive success as opportunities develop, competitors act,
customer needs evolve and market dynamics change. We evaluate the reputation of the product, the
match of the vendor's SDM (and broader data/application security, compliance and also
development/test and data management) offering to enterprises' functional requirements, and the
vendor's track record in delivering new, innovative features when the market demands them.
Marketing Execution: We evaluate market awareness, as well as the vendor's reputation and clout
among security and compliance specialists, and among application development and testing specialists.
We account for the vendor's ability to clearly state objectives in the SDM and data/application security
space that have given rise to the reputation and growth of its market share and mind share.
Customer Experience: This is an evaluation of the tool's functioning in production environments. The
evaluation includes ease of deployment, operation, administration, stability, scalability and vendor
support capabilities. It also includes relationships, products and services/programs that enable clients to
be successful with the products evaluated. Specifically, this includes the ways customers receive
technical support, as well as the vendor's willingness to work with its clients to customize the product or
service, to develop specific features requested by the client, and to offer personalized customer
support, mentoring, consulting. We evaluate whether clients find price of the technology and total cost
of deployment and operation reasonable. We also review the vendor's capabilities in all presales
activities and the structure that supports them.
Operations: This is the ability of the organization to meet its goals and commitments. Factors include
the quality of the organizational structure, skills, experiences, programs, systems and other vehicles
that enable the organization to operate effectively and efficiently on an ongoing basis. We also evaluate
the vendor's ability to provide methodology, best practices, mentoring and consulting to its clients, and
its ability to successfully run partnerships for sales and technology codevelopment.
Table 1. Ability to Execute Evaluation Criteria
Evaluation Criteria Weighting
Product/Service High
Overall Viability (Business Unit, Financial, Strategy, Organization) High
Sales Execution/Pricing Standard
Market Responsiveness and Track Record Standard
Marketing Execution Standard
Customer Experience Standard
Operations Standard
Completeness of Vision
Market Understanding: We evaluate the vendor's ability to understand buyers' needs and translate
them into products and services. SDM vendors that show the highest degree of market understanding
are offering enterprisewide sensitive data discovery and provide a rule engine for discovery and
masking enterprisewide. They offer templates and predefined discovery and masking rules, reporting
and management capabilities, integration with application development/testing, and data management
processes and platforms. They enable SDM for heterogeneous enterprises, and evolve the scalability
and productivity of SDM tools.
8 de 11 06/02/2013 11:31 a.m.

Marketing Strategy: This looks at whether the vendor has a clear, differentiated set of messages that
is consistently communicated throughout the organization and is externalized through the website,
advertising, customer programs and positioning statements. We give a higher score to vendors that
clearly state their dedication to SDM, security and compliance markets — specifically data and
application security; that clearly define their target audience; and that market appropriate packaging of
their products and/or services.
Offering (Product) Strategy: We assess the vendor's approach to product development and delivery.
This addresses the vendor's focus on security and compliance, its positioning SDM as an important
technology with full-fledged capabilities, its ability to create a network of partners, the optimal balance
between satisfying the needs of leading-edge (that is, Type A) enterprises and Type B (mainstream)
and Type C (risk-averse) enterprises, and its satisfying general/simpler requirements and
environments, as well as sophisticated/advanced ones.
Vertical/Industry Strategy: This looks at the vendor's strategy to direct resources, skills and
offerings to meet the specific needs of individual market segments and industries/verticals.
Innovation: We evaluate the vendor's development and delivery of a solution that is differentiated
from the competition in a way that uniquely addresses critical customer requirements. We give a higher
rating to vendors that develop methods that make SDM more accurate, scalable, and user- and
process-friendly. We give higher rating to vendors that offer solutions that reach out beyond SDM into
data redaction; the discovery, analysis and masking/protection of nonstructured, non-RDBMS data
sources; DDM; data security intelligence; and the ability to collect and analyze data-security-related
contextual information for security and compliance purposes.
Table 2. Completeness of Vision
Evaluation Criteria
Evaluation Criteria Weighting
Market Understanding High
Marketing Strategy High
Sales Strategy No Rating
Offering (Product) Strategy High
Business Model No Rating
Vertical/Industry Strategy Standard
Innovation High
Geographic Strategy No Rating
Quadrant Descriptions
Leaders
Leaders demonstrate balanced progress in execution and vision. Their actions raise the competitive bar
for all vendors and solutions in the market, and they tend to set the pace for the industry. A Leader's
strategy is focused on data security and compliance. Its offering addresses the needs of security
specialists within the SLC and data management. Leaders' brands are broadly recognized in the data
security space. Leaders reach beyond SDM capabilities and encompass the broader data security
discipline, including data redaction capabilities, DDM, DAM/DAP and security intelligence. At the same
time, Leaders are able to amass a relatively large clientele and revenue in this evolving market. A
leading vendor is not a default choice for every buyer, and clients are warned not to assume that they
should only buy from Leaders. Some clients may find that vendors in other quadrants better address
their specific needs.
Return to Top
Challengers
Challengers are able to sell SDM, yet they experience security and/or SDM brand recognition issues
when reaching beyond their installed base. Challengers have solid technologies that address the general
needs of users. They are good at competing on foundational SDM capabilities, rather than on advanced
features and/or broader ranges of data security products. Challengers are efficient and expedient
choices to address narrower defined problems.
Return to Top
Visionaries
Visionaries invest in the leading-edge features that will be significant in the next generation of data
security solutions, typically offer a broader range of data security solutions, and give buyers early
access to greater security assurance and advanced capabilities. Visionaries can affect the course of
technological developments in the market (for example, offering data redaction, DDM, synthetic data
generation, statistical assurance for data masking, security intelligence repositories for the analysis of
security and contextual information), but they lack the Ability to Execute against their visions compared
with the market leaders. Enterprises typically choose Visionaries for their best-of-breed, evolving
features. Other vendors watch Visionaries as indicators of innovation and thought leadership,
attempting to copy or acquire their technologies.
Return to Top
Niche Players
Niche Players offer viable, dependable solutions that meet the needs of specific buyers. Niche Players
are less likely to appear on shortlists, but they fare well when considered for business and technical
cases that match their focus. Niche Players may address subsets of the overall market, and often can
9 de 11 06/02/2013 11:31 a.m.

do it efficiently and effectively. Enterprises tend to choose Niche Players when the focus is on a few
important functions or on specific vendor expertise, or when they have an established relationship with
the vendor.
Return to Top
Context
The factors that affect the speed of SDM maturity and adoption are as follows:
SDM is a variation of a well- and long-known data transformation, when a dataset is transformed
into a set with a somewhat different content (that is, some fields are changed). Therefore, when
the need for data masking became acute, it didn't take vendors long to develop solutions that
were relatively mature. Not surprisingly, within the past few years, many vendors came to this
market to evolve their technologies and practices.
SDM is a reasonable security precaution that an enterprise may take on its own initiative. These
days, it's also recommended by rule bodies and regulators — for example, in the context of the
Payment Card Industry Data Security Standard (PCI DSS) and HIPAA — to protect clients of the
credit card and healthcare industries, respectively. Another adoption factor is application
development outsourcing, which raises concerns about the security of the data that becomes
accessible to ESPs' developers domestically or offshore.
For these reasons, we expect a relatively high speed of technology maturity for data masking. By 2016,
the SDM market will reach the Plateau of Productivity in Gartner's Hype Cycle, with approximately 50%
of the target audience adopting it.
Return to Top
Market Overview
The data masking market demonstrates a collection of vendors of different backgrounds and sizes —
from small startups founded with the sole purpose of creating and selling data masking tools, to large
megavendors adding data masking (often through acquisitions) to complement their broader
technology portfolios. Vendors with backgrounds in application development, application security, data
security, data management and data archiving, as well as IT service providers, came to this market
attracted by the potential profits driven by regulations and security concerns about sensitive data
exposure. Therefore, it is quite typical when vendors offer data masking that is complemented with
some other technologies. We estimated the overall SDM revenue of the vendors dedicated to SDM to be
approximately $100 million in 2011, and expect that it will rise to $130 million in 2012.
Currently, dedicated data masking vendors face competition on two fronts:
From enterprises' own homegrown data masking solutions
From homegrown data masking solutions offered by ESPs as part of their application development
and/or data management services
We expect that, through 2017, both types of homegrown solutions will be pushed into a niche market.
Neither group will be able to compete with dedicated data masking vendors in ever-changing
requirements, regulations and platforms. This process has already started, as we witness some ESPs —
which have their own homegrown solutions — arranging partnerships with dedicated data masking
vendors to use their tools in ESPs' service practices.
Data masking is an emerging market. We have been observing the following key market trends driving
market evolution:
The data masking market is splitting into three segments: SDM to protect data at rest (especially
test data for application development), DDM to protect production data used mainly for
operational purposes (see "Securing Production Data With Dynamic Data Masking"), and data
redaction, which masks unstructured content such as PDF, Word and Excel files. SDM technology
is in the middle of its maturity cycle, while DDM and data redaction are emerging technologies.
Enterprises' risk management, compliance and auditing departments — not their IT organizations
— are the main drivers of data masking adoption.
Data masking implementation decisions remain largely tactical and opportunistic, but enterprises
must be prepared to take a more strategic approach.
We recommend enterprises take the following actions:
Engage key enterprise stakeholders — especially in the risk management, privacy, compliance and
auditing roles — in the adoption and implementation of data masking processes. Data masking
technologies must, of course, be implemented by the IT organization, but their adoption is, and
will continue to be, driven by enterprises' risk management, compliance and auditing
organizations. The reason is that these are the organizations and functions that recognize (and are
responsible for) the consequences of sensitive data exposure. The adoption of data masking is
also being driven by regulatory requirements and mandates, such as PCI DSS and HIPAA.
Application development outsourcing is another main factor accelerating data masking adoption,
because this technology can ensure that enterprises' sensitive data will not be exposed to ESPs'
developers. Application development organizations often view data masking, or any other security
technology or process, as overhead that does not contribute to their primary objective of
delivering applications on time and within budget. The implementation of data masking — for
example, integrating data masking into application development processes — requires significant
extra time, effort and budget to acquire technology, train and pay internal data masking
specialists (or pay ESPs), and make changes to the process. For this reason, pressure from
enterprises' risk management, compliance and auditing will be necessary for widespread adoption
of these technologies.
Make data masking technologies and best practices an integral part of the enterprise's software
life cycle processes. The word "data" in the "data masking" term is somewhat misleading. It
suggests data manipulation, which, although true, remains secondary to data masking's main
purpose and place. Data masking is not just another sort of data manipulation. It is becoming an
essential part of the SLC testing phase. Application developers (an enterprise's own or external
10 de 11 06/02/2013 11:31 a.m.

consultants, domestic or offshore), early in the SLC need realistic data to test the applications
they have been developing. To satisfy such critical needs, IT organizations typically make a full or
subset copy of the production database and give it to developers for application testing. From that
moment on, real data (including sensitive data) becomes available to developers — often in
violation of security concerns and privacy regulations. Data masking aims to prevent that from
happening. A typical data masking process starts with the discovery of sensitive data, making a
full or subset copy of a production database, and then masking sensitive data. It ends with
offering the masked database to the programmers/testers who need the database to test the
application that accesses the database. Because data masking is part of the SLC, it requires not
just database specialists, but also business experts, application programmers and testers, as well
as security, auditing and compliance professionals. Masking should become an integral part of the
SLC process. It should start at the analysis and design phases, where sensitive data is defined and
business rules are set up, and continue into the programming and testing phases, where data gets
masked for unit and system testing. The data masking scope is broadening into production data
masking with DDM and with the redaction of unstructured content.
Additional research contribution and review were provided by Ramon Krikken.
Return to Top
© 2012 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced
or distributed in any form without Gartner’s prior written permission. The information contained in this publication has been obtained from sources believed to be
reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or
inadequacies in such information. This publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The
opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide
legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that
have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is
produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence
and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website, http://www.gartner.com/technology/about/ombudsman
/omb_guide2.jsp.
About Gartner | Careers | Newsroom | Policies | Site Index | IT Glossary | Contact Gartner
11 de 11 06/02/2013 11:31 a.m.

G12.2012 magic quadrant for data masking technology

More Related Content

What's hot

Similar to G12.2012 magic quadrant for data masking technology

More from Satya Harish

Recently uploaded

G12.2012 magic quadrant for data masking technology