Magic Quadrant for Data Masking Technology
Data masking should be mandatory for enterprises using copies of sensitive production data for application development, analytics or training. The market is expanding into production and unstructured data protection. It is populated with specialized and diversified vendors, and is in growing demand.
Sensitive data (such as credit card numbers), personally identifiable information (such as Social Security numbers), medical diagnoses and even nonpersonal sensitive data (such as corporate financial information and intellectual property) are exposed to abuse or negligence from enterprise employees and outsiders.
Data masking aims to prevent the abuse of sensitive data by hiding it from users. Technology vendors offer multiple data masking techniques, such as replacing some fields with similar-looking characters, replacing characters with masking characters (for example, "x"), replacing real last names with fictional last names and reshuffling data in the database columns. Data masking is also known as data obfuscation, data privacy, data sanitization, data scrambling, data deidentification, data anonymization and data deauthentication.
Adopting data masking helps enterprises raise the level of security and privacy assurance against abuses. At the same time, data masking helps enterprises meet compliance requirements with the security and privacy standards recommended by regulating/auditing authorities.
Potential abusers, whom data masking aims to deter, are often enterprise employees or employees of outsourcing firms, such as users of test databases (programmers, testers and database administrators) or users of analytical and training databases (analysts, researchers and trainees).
Data masking technologies should satisfy a simple, yet strict, rule: Masked data should be realistic and quasi-real — that is, it should satisfy the same business rules as real data. This is to ensure that the application running against masked data performs as if the masked data is real. Data masking must not limit a user's ability to adequately use applications. Static data masking (SDM) is a technology to deter the misuse of data by users of nonproduction (mostly test, but also training and analytics) databases (typically programmers and testers) by masking data in advance of using it.
The data masking portfolio has been broadening. In addition to SDM technology, which masks nonproduction databases not in real time, the market is beginning to offer dynamic data masking (DDM), which masks production data in real time; and data redaction, which masks unstructured content, such as PDF, Word, and Excel files. Although still evolving, SDM is the most mature of these technologies, while DDM and data redaction are in earlier phases of evolution.
Because SDM is more mature and more demanded by the clients, we are focusing our evaluations on SDM, rather than DDM or data redaction. However, because the market is heading toward a consolidation of the capabilities, we evaluate vendors' DDM and data redaction capabilities as well, but with a lower emphasis or priority.
Source: Gartner (December 2012)
Axis Technology was founded in 2000 as a consultancy. In 2006, it created a separate division to develop and market its SDM technology DMsuite.
Axis is for users that need to mask data on various platforms through user-friendly graphical user interfaces (GUIs). Axis offers its technology at a reasonable price, and provides strong technical support and professional services to meet clients' specific needs.
- DMsuite is a Web-based application, which enables multiple distributed user access to its features.
- Axis has recently started offering cloud-style SDM as a service.
- It offers a user-friendly visual interface, as well as easy-to-learn and easy-to-configure technology, at a reasonable price.
- Axis masks Hadoop data.
- Its consultants are available and willing to help implement and customize Axis' SDM to client needs.
- Axis lacks clout in the SDM space and in the data security space overall, resulting in small market and mind share penetration.
- Its sales are mostly limited to the U.S.
- Axis does not have the data management technologies that often accompany the SDM offerings of Leaders and some Challengers and Visionaries.
- Axis does not have the data security products, such as DDM, database activity monitoring (DAM), and database audit and protection (DAP), that often accompany SDM offerings by Leaders and some Challengers and Visionaries.
- It offers limited subsetting, limited assurances that the subset is representative and limited reporting capabilities. (A new release of DMsuite was made available in mid-October 2012, which aims to improve some of these features.) Axis lacks synthetic data generation and SAP templates.
Camouflage Software has demonstrated its vision and dedication to SDM by becoming one of the earlier SDM vendors (with its first product released in 2004), by marketing its SDM technology on the website www.datamasking.com, and by pioneering a number of features that have become "must have" for SDM. This all earned it mind share among clients of the emerging market, and gave it experience and market understanding. Camouflage markets its SDM technology under the name of Data Masking Lifecycle Management.
Camouflage attracts clients with mature (considering the still emerging market) technology and a quite complete set of components and features. It appeals to clients that are looking for a vendor's willingness to help with product customization and adjustment to enterprise's needs — those looking for reasonable pricing, affordable to big and smaller enterprises.
- Camouflage has strong name recognition, and it stands by what it advertises and promises.
- It has a strong product and support reputation.
- Camouflage offers reasonable pricing.
- Its tool is user-friendly and easy to learn, and it is flexible to install, configure and customize.
- Its DDM is a work in progress, and it is expanding data redaction beyond Excel files.
- Camouflage markets its technology mostly in North America.
- It has a small network of partners that offer its technology and respective services.
- Camouflage does not yet have a broader portfolio of data security products, such as DDM (although it is working on it) and DAM/DAP, which often accompany SDM offerings by some Leaders and Visionaries.
- Its current offering of prebuilt templates for PeopleSoft and SAP is narrower than clients often request.
- Camouflage does not have the data management technologies that often accompany Leaders' offerings.
Compuware offers a variety of technologies in areas such as application performance monitoring, horizontal portals, business portfolio management and mainframe solutions.
Compuware's SDM Test Data Privacy technology is positioned as part of Compuware's mainframe solution division, addressing distributed and mainframe platforms since its launch. Compuware's SDM product makes a strong case for its use in large, enterprisewide projects on a mainframe platform or in a mixed mainframe and distributed platform, with a focus on mainframe.
- Compuware exhibits expertise in SDM deployments in large-scale projects, especially with mainframe platforms.
- Compuware offers mainframe test data management (TDM) solutions and its line of File-AID file/data management products.
- It has a well-defined, extensive, best-practice-based methodology and maturity model for SDM implementations.
- Experts are available to assist clients in SDM implementations, including long-term engagements.
- Its geographical reach is beyond North America.
- It lacks a focus and reputation in the security space.
- Compared to Leaders, Compuware lacks data security technologies, such as DDM, DAM/DAP and more comprehensive data redaction.
- Its lack of clarity in positioning its SDM technology — its place within Compuware's organizational structure, partnerships and marketing — weakens its recognition and adoption.
- Compared to Leaders, its SDM reputation lacks balance between mainframe and distributed platforms. Typically, enterprises that prefer Compuware's SDM are heavy mainframe users, while users of mainly distributed platforms typically look at other SDM vendors.
- Discovery — technology that is critical to SDM — is augmented and extended by Compuware's partner Dataguise, which is an SDM vendor and has a nonexclusive partnership with Compuware.
Dataguise has been founded as an SDM vendor. Recently, it has developed data discovery and security alert capability for Hadoop, which has been certified by Hadoop distribution vendor Cloudera. Dataguise markets its SDM product under the name of DgSecure. Dataguise is suitable for organizations that are looking for an easy-to-learn, user-friendly product with a flexible masking rule engine, with good performance characteristics and at reasonable price.
- It has strong discovery technology, which Dataguise's partner, Compuware, uses in its own SDM offering.
- Dataguise's technology is easy to learn, and its Web-based architecture supports multiple user locations.
- It provides good customer service and mentoring.
- It offers good reporting, which uses security and some contextual information collected in the DgSecure repository.
- Dataguise explores using virtualization instead of subsetting.
- Through 2013, customers and prospects should watch how Dataguise solidifies its market presence through the implementation of its plans for revenue and market share growth.
- Dataguise's market is mostly limited to the U.S. It plans to launch its chain of international partners in 2013. Dataguise focuses on finance, government and healthcare verticals.
- It lacks TDM technologies and is missing SDM integration with data modeling tools.
- Dataguise lacks some of the data security technologies, such as DDM, DAP/DAP and data redaction, that often accompany SDM.
- It masks a limited number of databases: Oracle, Microsoft SQL Server, DB2 (distributed and mainframe) and Postgres.
Grid-Tools was founded in 2004 to deliver test data discovery, design, creation, refreshment, comparison, management and data masking, which it combines in its Datamaker suite. Datamaker is optimized for SDM use by application testers, and it fits well into an agile development paradigm. The company offers an advanced scalable technology aimed at complex and large environments — multiplicity of various interconnected databases on mainframe and distributed platforms.
- Grid-Tools demonstrates innovation in using synthetic data generation for masking purposes, which provides higher assurance that the data selected for masking is accurately representing source data.
- It offers advanced techniques for assuring application integrity and the quality of the test data (for example, dynamically building SDM templates while doing discovery for higher accuracy of representing the most current state of the data).
- It demonstrates higher performance in large and complex development/test environments.
- Grid-Tools' pricing model is clear and understandable by developers and testers.
- The U.K.-based company is working on creating a network of partners to reach into other geographies (particularly the U.S.).
- It lacks other data security technologies used for protection of production data (for example, DAM/DAP or DDM), compared to some Leaders and other Visionaries.
- It lacks prebuilt compliance reporting, so it requires customization from enterprises.
- Grid-Tools needs to enhance user friendliness for less sophisticated users. Its command-line interface is powerful, yet not as user-friendly as a GUI.
- Its current marketing messaging seeks mostly developers and testers, and misses security professionals.
IBM entered the SDM market in 2007 by acquiring Princeton Softech with its Optim data masking, archiving, subsetting and data management technologies. After IBM's 2009 acquisition of DAM/DAP vendor Guardium, development, marketing and sales resources of the two were combined, accelerating the development of DDM. IBM's acquisition of Exeros in 2009 also made a contribution to SDM, because Exeros' data search technology enables the discovery of sensitive data that should be masked. IBM markets its SDM product under the name of InfoSphere Optim Data Privacy. As part of the solution, IBM offers discovery and subsetting. IBM technology is for enterprises with homogeneous or heterogeneous environments, with many and various databases and files. These enterprises are typically large ones that are pressed by security and compliance regulations.
- IBM has a strong SDM reputation and the largest installed client base. It is the most frequently referenced SDM vendor by Gartner clients, especially large ones.
- It has the availability of resources to operate globally.
- IBM provides the technologies often requested by those shopping for SDM, including data security technologies (such as data redaction and DAM/DAP), TDM, data archiving, application retirement, e-discovery, data management, DBMS, and application development and testing technologies within its Rational suite. IBM also provides the leading application security technologies — such as static application security testing (SAST), dynamic application security testing (DAST) and interactive application security testing (IAST) — that are used (same as SDM) at the development and test phases of the software life cycle (SLC).
- It has IBM mainframe and iSeries legacy expertise.
- IBM has an evolving network of partners (including large consultancies) to propagate SDM.
- Gartner clients often complain about the high cost of IBM SDM, typically higher than the cost of most of its competitors. Some clients that have chosen IBM's competitors stated that they did it, not because of the insufficiency/weakness of IBM's technical features, but because of the high cost of IBM technology.
- Clients complain that IBM's pricing model, which is based on the power of CPUs, is difficult to understand and assess by such users of data masking as developers and testers. IBM has recently introduced a new pricing model, which is easier to understand, and we recommend that our clients evaluate it.
- Some clients also point to a complexity of learning IBM's SDM technology suite. IBM has recently introduced a new version of its SDM tool with a simplified UI, and we recommend that our clients evaluate it.
- The quality of sales and technical support skills is inconsistent across IBM's enlarging prospect and client base.
Informatica has historically offered some data masking features within a broad portfolio of data management tools composing its platform. Informatica has combined them with features of the SDM tool from Applimation, the vendor it acquired in 2009. In 2011, it acquired DDM startup ActiveBase, thus enlarging its data security offering. Informatica markets its SDM product as Informatica Persistent Data Masking. Informatica's SDM appeals to enterprises with complex and heterogeneous database environments and requirements to mask data frequently to meet developers' and testers' needs. Current users of Informatica's PowerCenter are more likely to put Persistent Data Masking on their shortlists when shopping for SDM, because it complements the portfolio of data management features they already use.
- Informatica has a strong SDM reputation and one of the largest installed SDM customer bases.
- Informatica is one of the top frequently referenced SDM vendors by Gartner clients.
- It is a leader in data management — data integration, data quality and master data management.
- Informatica exhibits innovation in the DDM space.
- It is expanding its geographical reach. Informatica partners with global system integrators and external service providers (ESPs) that use Informatica's SDM.
- Its discovery process results in "impact analysis," reports on where sensitive data is used and simulations of masking for assessing the masking's impact on the test use cases.
- Some clients, especially smaller ones, state the high cost of Informatica's SDM.
- Its sales force has traditional experience in data management; however, it sometimes lacks the expertise necessary for supporting data security.
- Although Informatica's mainframe support is significant, its SDM for mainframes is less mature than the one for distributed platforms.
- Informatica lacks partnerships with testing automation vendors (for example, HP) to better compete with IBM's Optim/Rational pairing (although, technologically, Informatica offers integration with HP's testing suite, and has partnerships with global test service providers).
- Informatica's lack of clarity in stating that data security is a strategic direction limits its opportunities in the data security space.
Mentis offers a portfolio of solutions for sensitive information management, including SDM (iScramble), data discovery (part of the Mentis platform), data access monitoring (iMonitor), DDM and data redaction (iMask), and database intrusion prevention (iProtect). Mentis' primary sales target is the financial industry. Mentis will meet the needs of enterprises looking for strong discovery technology; friendly support, mentoring, and willingness to understand and accommodate client requirements; useful templates for packaged systems such as Oracle E-Business Suite and PeopleSoft; and technologies beyond SDM aiming to protect production data in real time (DDM and DAM/DAP).
- In addition to SDM, Mentis offers DDM and DAM/DAP. Intelligence acquired by all its tools is shared across the platform.
- To increase the accuracy of discovery, it analyzes not only data, but also application codes that access data, such as Java, C++, Oracle Forms, PL/SQL, TSQL, and COBOL.
- For compliance, Mentis uses a classification engine instead of numerous regulation templates. Masking suggestions can be validated before taking effect.
- It offers strong support of ERP systems, such as Oracle E-Business Suite and PeopleSoft.
- Mentis offers a pricing model that is understandable by developers and testers. It charges per application or group of applications to be masked.
- Through 2013, customers and prospects should watch how Mentis solidifies its market presence through the implementation of its plans for revenue and market share growth.
- It masks a limited number of databases — Oracle, Microsoft SQL Server and, recently, DB2 (mainframe and distributed).
- Mentis focuses on important — yet a limited number of — packaged applications, such as Oracle E-Business Suite and PeopleSoft. A relatively small percentage of Mentis customers use its SDM for non-ERP solutions.
- It does not offer subsetting.
- Prospects should request Mentis to expand its presence beyond North America.
Oracle's SDM — Oracle Data Masking Pack — is an addition to its already large and strong data security portfolio. Oracle Data Masking Pack mostly appeals to enterprise users of the Oracle technology stack — database, middleware and packaged applications such as PeopleSoft and E-Business Suite.
- Oracle exhibits high performance in masking data in Oracle Database.
- The broad adoption of Oracle Enterprise Manager (part of which is Data Masking Pack) promotes adoption of Data Masking Pack to the users of Enterprise Manager.
- Oracle has expertise in popular packaged systems PeopleSoft and Oracle E-Business Suite, which results in the availability of prebuilt templates for these systems.
- It has expertise in DBMS security, and other data security products are available.
- Oracle has a global reach. There is an abundance of Oracle experts among IT professionals worldwide.
- Oracle RDBMS and Oracle Database Gateways must be part of the masking solution for non-Oracle databases.
- Oracle's Data Masking Pack is used primarily in Oracle Database masking cases, because its architecture is less optimized for addressing the heterogeneity of databases, files and platforms.
- The SDM tool is not clearly visible in the variety of Oracle's data management and security technologies.
Privacy Analytics brings statistical science into SDM. Its tool Parat assesses, measures and manages the risk of reidentification of masked data. Parat provides risk analysis functionality based on an enterprise's security and privacy practices, the sensitivity of the dataset, and the possibility of reidentification. It can also deidentify the data to meet risk thresholds. The company provides consulting in assessing the risk of reidentification and help in Health Insurance Portability and Accountability Act (HIPAA) certification. Privacy Analytics' technology and methods are aiming primarily at healthcare organizations that are looking for quantifiable and defensible proofs that deidentified sensitive data will withstand the scrutiny of external audits and even of legal contest.
- Risk assessment methods enable setting and measuring the appropriate level of masking. Parat offers risk metrics to measure the risk of reidentification and privacy disclosure. Its metrics include the probability of reidentification, where risk measurement is based on academic peer-reviewed research.
- Using analysis of the existing regulations and protection measures, Privacy Analytics defines the threshold for deidentification breach. It helps to ensure that the risk of exposure is lower than a user-specified threshold.
- Privacy Analytics provides references to the precedents that could be used in audit or court hearings of adherence to and violation of privacy.
- It enables the analysis of different types of potential attacks with respective protection scenarios.
- Its deidentification algorithm is adjustable to minimize distortion of the original data.
- Parat does not support deidentification across multiple databases. It works with multiple tables within a single database.
- Parat has discovery within datasets but not across databases. It does not have subsetting technologies.
- Parat covers a limited number of platforms (Windows only) and limited number of databases (Oracle Database, Microsoft SQL Server and Microsoft Access only). It does not offer special analysis and templates for packaged systems, such as SAP, PeopleSoft and Oracle E-Business Suite.
- SQL Server is a mandatory part of the tool. For small business cases, users can use free-of-charge Microsoft SQL Express; however, for larger cases, users have to license Microsoft SQL Server.
- Privacy Analytics does not offer "on the fly" masking.
Solix Technologies enters SDM from its main expertise's space — database archiving, management and application retirement, which remains its primary focus. It requires stronger commitment to SDM and needs to earn broader SDM name recognition and sales outside its traditional base, which buys its platform primarily for data management, archiving and retirement. Solix SDM, called Solix EDMS Data Masking, is a part of Solix Enterprise Data Management Suite (EDMS). Solix is well-suited for the needs of the clients that already use it for other than SDM capabilities, and for users that need to easily and inexpensively add SDM capabilities and start conducting SDM within an already familiar set of EDMS data management functions.
- Solix exhibits expertise in data archiving and application retirement, which serve as opportunities to sell data masking to the existing clientele.
- Its suite of solutions covers archiving, test management, application retirement and data masking.
- It offers managed data masking services.
- Even being a smaller vendor, Solix has customers not only in North America, but also in Asia and Europe, which come from manufacturing, banking, telecom and, more recently, healthcare.
- Solix offers a free download for a limited version of its SDM software.
- Solix has not earned a strong SDM reputation. A substantial number of its clients are users of its other technologies.
- It does not offer a broad portfolio of data security tools, such as data redaction, DDM and DAM/DAP.
- Solix doesn't address testers' needs with test data design, sampling, synthetic data generation and the accuracy of test data capabilities.
- Its offering lacks integration with the popular development and testing platforms requested by users, such as the ones from HP and IBM.
- Its offering of prebuilt templates (for example, for non-U.S. personal data and postal addresses) is narrower than clients often expect and request.
Voltage Security focuses on data protection, which includes encryption and tokenization of data in applications, databases, files, email and transactions. Voltage extends its encryption expertise to SDM. Its Voltage SecureData Enterprise product uses Format-Preserving Encryption (FPE) to mask sensitive data. Voltage is well-suited for users that need a tool that has a data masking technique based on FPE as its main feature. Voltage is designed to enable enterprises to build data masking capability into existing workflows and data management frameworks using a set of APIs and processing tools that are compatible with extraction, transformation and loading (ETL) and data management solutions across open systems, Hadoop, Amazon Web Services, mainframe, HP Nonstop, Stratus and Teradata. Strong revenue growth from overall Voltage data protection technology has been demonstrated by Voltage over the past 18 months in large use cases. Users should be prepared, however, to use other vendors' tools for such SDM functions as sensitive data and relationship discovery, subsetting, masking templates, flexibility, and a variety of masking rules.
- Voltage has expertise in data encryption. Voltage FPE is a patented, innovative method of encryption that leverages the strength of existing encryption algorithms — specifically the AES-FFX cipher mode (on track for standardization by the National Institute of Standards and Technology). FPE can be used to protect production data for use in application operations, as well as test data for use in application development/test, training and analytics.
- It demonstrates the easy-to-implement enablement of database integrity across geographically distributed and large data systems. Because FPE eliminates the need for mapping tables or databases, it is well-suited for projects requiring high scalability.
- Data that is masked with Voltage FPE can be easily reversed to its original state if required or be made irreversible using one-time, 256-bit FPE keys.
- FPE-based data masking is positioning Voltage toward growth in the emerging markets based on such technological paradigms as cloud computing and big data.
- For organizations with existing processes for migrating data from production to test/development (for example, ETL tools), Voltage can integrate directly into the existing workflow, obviating the need for new migration mechanisms.
- Voltage offers just one of several critical components of SDM technology — data masking via FPE. Its data protection capability is part of a wider data protection solution that includes other vendors' components. Those other critical components (such as discovery, subsetting and TDM capabilities) are provided by Voltage's partners — mainly Informatica, and also Syspedia.
- Voltage masking is easy for simpler, upfront and well-defined cases. For more complex cases with complex data relationships that need data and relationship discovery and analysis, it requires the use of tools from Voltage partners.
- Voltage SecureData Enterprise is a platform for masking and data protection, and users need to plug it into an existing application development workflow. It does not provide test data management itself.
- Voltage requires the installation of one or more virtual appliances to define data protection, masking, authentication and authorization policies, stateless key management, and event reporting. Data protection and masking APIs, libraries, mainframe tools, batch processing tools, and services to mask data to and from databases have to run on the appliance.
- Like any encryption using AES, the reversibility of FPE-based masking using AES-FFX poses a risk that encrypted data will be disclosed if keys are compromised.
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.
This is a new Magic Quadrant.
This is a new Magic Quadrant.
- Vendors must provide SDM technology.
- Aside from core SDM capabilities, eligible SDM technologies should include features to ensure application and database integrity, discover sensitive data enterprisewide, provide rule-engine for discovery and masking enterprisewide, provide templates and predefined rules, provide reporting and management capabilities, provide integration with application development/testing and data management processes and platforms, and enable SDM for heterogeneous platforms, applications and systems. For technical capabilities' details, see "Toolkit: Checklist for Selecting a Static Data Masking Vendor/Technology."
- Vendors must be determined by Gartner to be significant players in the market because of market presence or technology innovation.
- Certain SDM solutions/capabilities are available in many IT organizations, consultancies and vendor organizations. Thus, we are including only vendors that offer full-fledged SDM technology.
- Vendors' SDM yearly revenue must exceed $1 million as of August 2012.
- Open-source technologies are excluded because of the lack of enterprise-class capabilities, services and support.
- Low-cost, rudimentary solutions that focus on data masking techniques but lack other critical capabilities of a full-fledged SDM technology (see "Toolkit: Checklist for Selecting a Static Data Masking Vendor/Technology") aren't included.
- ESPs are excluded if they offer SDM as one of the solutions in their portfolio of services (such as application development or testing), but not as a full-fledged product.
Product/Service: This criterion evaluates the vendor's SDM product. It includes current product/service capabilities, quality and feature sets. We give higher ratings for proven performance in competitive assessments, appeal to a breadth of users (such as quality assurance and testing specialists, as well as information security specialists), and appeal with security technologies other than SDM (regardless of whether they are data-security-related). We also give higher ratings to the vendors whose SDM technologies do not depend on other vendors' technologies. We give higher ratings to the vendors whose SDM technologies do not depend on their own non-SDM-related components.
Overall Viability (Business Unit, Financial, Strategy and Organization): This is an assessment of the organization's or business unit's overall financial health; the likelihood of the company's strategy to continue investments in the SDM market and in a broader data/application security space; SDM revenue amount; the sufficiency of funding sources and staffing; SDM expertise; the number of SDM customers, and the number of installed and used SDM products; and the likelihood that the vendor will be successful in its acquisition and/or partnership deals. We also evaluate a vendor's SDM market share and overall mind share, including the number of times the vendor appears on Gartner clients' shortlists.
Sales Execution/Pricing: We account for the SDM growth rate, the company's global reach, its pricing model and product/service/support/mentoring bundling. We account for the clarity and transparency of the pricing model. We account for the reasons to expect that the vendor's strategy will result in sales volume and revenue growth. We account for sales outside the vendor's home country/region and sales to multiple verticals.
Market Responsiveness and Track Record: We look at the vendor's ability to respond, change directions, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. We evaluate the reputation of the product, the match of the vendor's SDM (and broader data/application security, compliance and also development/test and data management) offering to enterprises' functional requirements, and the vendor's track record in delivering new, innovative features when the market demands them.
Marketing Execution: We evaluate market awareness, as well as the vendor's reputation and clout among security and compliance specialists, and among application development and testing specialists. We account for the vendor's ability to clearly state objectives in the SDM and data/application security space that have given rise to the reputation and growth of its market share and mind share.
Customer Experience: This is an evaluation of the tool's functioning in production environments. The evaluation includes ease of deployment, operation, administration, stability, scalability and vendor support capabilities. It also includes relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support, as well as the vendor's willingness to work with its clients to customize the product or service, to develop specific features requested by the client, and to offer personalized customer support, mentoring, consulting. We evaluate whether clients find price of the technology and total cost of deployment and operation reasonable. We also review the vendor's capabilities in all presales activities and the structure that supports them.
Operations: This is the ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. We also evaluate the vendor's ability to provide methodology, best practices, mentoring and consulting to its clients, and its ability to successfully run partnerships for sales and technology codevelopment.
Source: Gartner (December 2012)
Market Understanding: We evaluate the vendor's ability to understand buyers' needs and translate them into products and services. SDM vendors that show the highest degree of market understanding are offering enterprisewide sensitive data discovery and provide a rule engine for discovery and masking enterprisewide. They offer templates and predefined discovery and masking rules, reporting and management capabilities, integration with application development/testing, and data management processes and platforms. They enable SDM for heterogeneous enterprises, and evolve the scalability and productivity of SDM tools.
Marketing Strategy: This looks at whether the vendor has a clear, differentiated set of messages that is consistently communicated throughout the organization and is externalized through the website, advertising, customer programs and positioning statements. We give a higher score to vendors that clearly state their dedication to SDM, security and compliance markets — specifically data and application security; that clearly define their target audience; and that market appropriate packaging of their products and/or services.
Offering (Product) Strategy: We assess the vendor's approach to product development and delivery. This addresses the vendor's focus on security and compliance, its positioning SDM as an important technology with full-fledged capabilities, its ability to create a network of partners, the optimal balance between satisfying the needs of leading-edge (that is, Type A) enterprises and Type B (mainstream) and Type C (risk-averse) enterprises, and its satisfying general/simpler requirements and environments, as well as sophisticated/advanced ones.
Vertical/Industry Strategy: This looks at the vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments and industries/verticals.
Innovation: We evaluate the vendor's development and delivery of a solution that is differentiated from the competition in a way that uniquely addresses critical customer requirements. We give a higher rating to vendors that develop methods that make SDM more accurate, scalable, and user- and process-friendly. We give higher rating to vendors that offer solutions that reach out beyond SDM into data redaction; the discovery, analysis and masking/protection of nonstructured, non-RDBMS data sources; DDM; data security intelligence; and the ability to collect and analyze data-security-related contextual information for security and compliance purposes.
Source: Gartner (December 2012)
Leaders demonstrate balanced progress in execution and vision. Their actions raise the competitive bar for all vendors and solutions in the market, and they tend to set the pace for the industry. A Leader's strategy is focused on data security and compliance. Its offering addresses the needs of security specialists within the SLC and data management. Leaders' brands are broadly recognized in the data security space. Leaders reach beyond SDM capabilities and encompass the broader data security discipline, including data redaction capabilities, DDM, DAM/DAP and security intelligence. At the same time, Leaders are able to amass a relatively large clientele and revenue in this evolving market. A leading vendor is not a default choice for every buyer, and clients are warned not to assume that they should only buy from Leaders. Some clients may find that vendors in other quadrants better address their specific needs.
Challengers are able to sell SDM, yet they experience security and/or SDM brand recognition issues when reaching beyond their installed base. Challengers have solid technologies that address the general needs of users. They are good at competing on foundational SDM capabilities, rather than on advanced features and/or broader ranges of data security products. Challengers are efficient and expedient choices to address narrower defined problems.
Visionaries invest in the leading-edge features that will be significant in the next generation of data security solutions, typically offer a broader range of data security solutions, and give buyers early access to greater security assurance and advanced capabilities. Visionaries can affect the course of technological developments in the market (for example, offering data redaction, DDM, synthetic data generation, statistical assurance for data masking, security intelligence repositories for the analysis of security and contextual information), but they lack the Ability to Execute against their visions compared with the market leaders. Enterprises typically choose Visionaries for their best-of-breed, evolving features. Other vendors watch Visionaries as indicators of innovation and thought leadership, attempting to copy or acquire their technologies.
Niche Players offer viable, dependable solutions that meet the needs of specific buyers. Niche Players are less likely to appear on shortlists, but they fare well when considered for business and technical cases that match their focus. Niche Players may address subsets of the overall market, and often can do it efficiently and effectively. Enterprises tend to choose Niche Players when the focus is on a few important functions or on specific vendor expertise, or when they have an established relationship with the vendor.
The factors that affect the speed of SDM maturity and adoption are as follows:
- SDM is a variation of a well- and long-known data transformation, when a dataset is transformed into a set with a somewhat different content (that is, some fields are changed). Therefore, when the need for data masking became acute, it didn't take vendors long to develop solutions that were relatively mature. Not surprisingly, within the past few years, many vendors came to this market to evolve their technologies and practices.
- SDM is a reasonable security precaution that an enterprise may take on its own initiative. These days, it's also recommended by rule bodies and regulators — for example, in the context of the Payment Card Industry Data Security Standard (PCI DSS) and HIPAA — to protect clients of the credit card and healthcare industries, respectively. Another adoption factor is application development outsourcing, which raises concerns about the security of the data that becomes accessible to ESPs' developers domestically or offshore.
For these reasons, we expect a relatively high speed of technology maturity for data masking. By 2016, the SDM market will reach the Plateau of Productivity in Gartner's Hype Cycle, with approximately 50% of the target audience adopting it.
The data masking market demonstrates a collection of vendors of different backgrounds and sizes — from small startups founded with the sole purpose of creating and selling data masking tools, to large megavendors adding data masking (often through acquisitions) to complement their broader technology portfolios. Vendors with backgrounds in application development, application security, data security, data management and data archiving, as well as IT service providers, came to this market attracted by the potential profits driven by regulations and security concerns about sensitive data exposure. Therefore, it is quite typical when vendors offer data masking that is complemented with some other technologies. We estimated the overall SDM revenue of the vendors dedicated to SDM to be approximately $100 million in 2011, and expect that it will rise to $130 million in 2012.
Currently, dedicated data masking vendors face competition on two fronts:
- From enterprises' own homegrown data masking solutions
- From homegrown data masking solutions offered by ESPs as part of their application development and/or data management services
We expect that, through 2017, both types of homegrown solutions will be pushed into a niche market. Neither group will be able to compete with dedicated data masking vendors in ever-changing requirements, regulations and platforms. This process has already started, as we witness some ESPs — which have their own homegrown solutions — arranging partnerships with dedicated data masking vendors to use their tools in ESPs' service practices.
Data masking is an emerging market. We have been observing the following key market trends driving market evolution:
- The data masking market is splitting into three segments: SDM to protect data at rest (especially test data for application development), DDM to protect production data used mainly for operational purposes (see "Securing Production Data With Dynamic Data Masking"), and data redaction, which masks unstructured content such as PDF, Word and Excel files. SDM technology is in the middle of its maturity cycle, while DDM and data redaction are emerging technologies.
- Enterprises' risk management, compliance and auditing departments — not their IT organizations — are the main drivers of data masking adoption.
- Data masking implementation decisions remain largely tactical and opportunistic, but enterprises must be prepared to take a more strategic approach.
We recommend enterprises take the following actions:
- Engage key enterprise stakeholders — especially in the risk management, privacy, compliance and auditing roles — in the adoption and implementation of data masking processes. Data masking technologies must, of course, be implemented by the IT organization, but their adoption is, and will continue to be, driven by enterprises' risk management, compliance and auditing organizations. The reason is that these are the organizations and functions that recognize (and are responsible for) the consequences of sensitive data exposure. The adoption of data masking is also being driven by regulatory requirements and mandates, such as PCI DSS and HIPAA. Application development outsourcing is another main factor accelerating data masking adoption, because this technology can ensure that enterprises' sensitive data will not be exposed to ESPs' developers. Application development organizations often view data masking, or any other security technology or process, as overhead that does not contribute to their primary objective of delivering applications on time and within budget. The implementation of data masking — for example, integrating data masking into application development processes — requires significant extra time, effort and budget to acquire technology, train and pay internal data masking specialists (or pay ESPs), and make changes to the process. For this reason, pressure from enterprises' risk management, compliance and auditing will be necessary for widespread adoption of these technologies.
- Make data masking technologies and best practices an integral part of the enterprise's software life cycle processes. The word "data" in the "data masking" term is somewhat misleading. It suggests data manipulation, which, although true, remains secondary to data masking's main purpose and place. Data masking is not just another sort of data manipulation. It is becoming an essential part of the SLC testing phase. Application developers (an enterprise's own or external consultants, domestic or offshore), early in the SLC need realistic data to test the applications they have been developing. To satisfy such critical needs, IT organizations typically make a full or subset copy of the production database and give it to developers for application testing. From that moment on, real data (including sensitive data) becomes available to developers — often in violation of security concerns and privacy regulations. Data masking aims to prevent that from happening. A typical data masking process starts with the discovery of sensitive data, making a full or subset copy of a production database, and then masking sensitive data. It ends with offering the masked database to the programmers/testers who need the database to test the application that accesses the database. Because data masking is part of the SLC, it requires not just database specialists, but also business experts, application programmers and testers, as well as security, auditing and compliance professionals. Masking should become an integral part of the SLC process. It should start at the analysis and design phases, where sensitive data is defined and business rules are set up, and continue into the programming and testing phases, where data gets masked for unit and system testing. The data masking scope is broadening into production data masking with DDM and with the redaction of unstructured content.
Additional research contribution and review were provided by Ramon Krikken.
- Analysis of approximately 450 inquiries that Gartner received during the past three years
- Vendors' responses to Gartner's detailed Magic Quadrant survey
- Interviews with clients that each vendor introduced as typical or best adopters of their SDM technologies
- Product demonstrations
- Product briefings
Ability to Execute
Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships, as defined in the market definition and detailed in the subcriteria.
Overall Viability (Business Unit, Financial, Strategy, Organization): An assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity, promotional initiatives, thought leadership, word-of-mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, SLAs and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs, and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries, as appropriate for that geography and market.