Mage Data
Last Updated:
Analyst Coverage: Philip Howard and Daniel Howard
Mage (formerly MENTIS) is a technology company specialising in data privacy and application security. The company was founded more than a decade ago and released its first product in 2004. Mage has its headquarters in New York and also has offices in India and the Dominican Republic. It has more than 50 employees, and is partnered with a variety of global systems integrators, regional resellers, and product and technology OEMs.
Prior to 2017 Mage had bootstrapped itself and relied entirely on generated revenues. However, in 2017 the company went through a pre-series A round of VC funding. In addition to this, the company started to expand outside of the United States and Canada, gaining some significant customer wins in Europe.
MENTIS
Last Updated: 4th May 2018
MENTIS offers a suite of solutions that protect and secure your data throughout its lifecycle. The platform it offers consists of data discovery, masking (both static and dynamic), monitoring, and finally retirement. Monitoring in this case refers to continuous monitoring, while data retirement is effectively a subset of data retention. Accordingly, MENTIS provides solutions for each stage of this cycle. iDiscover, iMonitor and iRetire handle, as their names imply, discovery, monitoring, and retirement, while iScramble and iMask jointly take care of data masking, providing static and dynamic data masking respectively. MENTIS also offers several ancillary products, including iSubset (data subsetting for test data management environments), iProtect (database firewalls) and iVerify (two factor authentication). Note that the MENTIS suite is entirely modular, and each product can be used by itself or in combination with any number of others. If multiple MENTIS products are deployed together, they can be integrated into a single platform that shares metadata across all of its component products. There are specific integrations provided to work in conjunction with Oracle eBusiness Suite and PeopleSoft, though the MENTIS software itself is application agnostic and works with all leading data sources typically found in an enterprise (IMS and DB2 on the Mainframe, Oracle, DB2, SQL Server, Sybase, MySQL, Big data (Hadoop, Teradata) and files.
As well as having a direct salesforce, Mentis views partnerships as a strategic priority and it has existing partnerships with leading global systems integrators, several regional resellers in EMEA and Latin America, and also product and technology OEMs.
MENTIS does not focus on any particular verticals since, especially under compliance regimes such as GDPR, the security and privacy of your data applies to all sorts of verticals. Historically, the company’s main customer base has been concentrated on leading institutions and Fortune 500 companies within the United States but, in 2017, it started to expand into Europe and gained some notable wins, including one of the leading Swiss banks and a leading credit scoring company headquartered the in UK.
iDiscover is the MENTIS suite’s solution for data discovery allowing you to discover data across a wide variety of data sources and formats, including big data. It also offers several distinct methods for classifying data. For example, matching known column and table names against a data dictionary, pattern matching, classification of discovered data by comparing it to known data, by validating it against rules particular to each data type, and even by examining underlying database and application code.
iScramble allows you to apply a variety of masking methods to your data while maintaining referential integrity. Data can be masked where it is stored and updated in place or you can mask data in-transit while files are being transferred between systems, and there is also an “as it happens” option based on triggering masking when new data is added. iScramble can also be combined with iMask for a combination of static and dynamic masking. Unlike static data masking, dynamic data masking applies masking rules to data as it is accessed, depending on the privileges of the user or program attempting to access it. A major feature is that you can apply conditional masking, the ability to mask – or mask in a certain way – depending on the context. This may be combined with location-aware masking, which is the ability to mask data (or not) depending on the physical location of the user or program attempting to access it. iMask also supports encryption and tokenisation as well as masking per se. It works by allowing you to create masking templates consisting of masking rules and associated data and metadata. Deployment can be via a proxy server, or file server, or embedded in a database or application.
MENTIS uses iMonitor to provide monitoring, complete with a decision and alerting engine. This leverages template schemas, generated by iDiscover (if you’re using it) during the discovery process, to monitor the different data types within your system. In particular, it provides user activity monitoring that tracks user logins and connections to your various data sources and statements: monitoring logs, programs, and data being accessed, in near real-time. Finally, iRetire is a data retention product within the MENTIS suite that specialises in retiring your data: archiving it (tokenised) or otherwise removing it from your system at the end of its lifecycle. It leverages the same template schemas – again generated by iDiscover – as iMonitor, allowing you to create data retention rules that act on pre-specified tables and columns within your database (potentially with added conditions, such as a user ID) to retire the data contained within them.
All the MENTIS products are implemented using an Oracle database (hosted on-premises) with a Tomcat application server and agents running on relevant databases and file servers (either on-premises or in the cloud). The engine doesn’t store any data (and, in particular, sensitive data) in and of itself, but it does hold metadata. Both structured and unstructured data are supported. In fact, one of the biggest advantages offered by MENTIS is the ability to handle a wide range of data – on-premises, in-cloud, structured, and unstructured – consistently and within the same platform.
MENTIS has a best practice based implementation methodology called MENTIS 3-D (define, design, and deliver). Service focus is on customer success and enablement in the form of flexible implementation models and training. These are provided both by the company and its partners.
MENTIS products are available via perpetual license, subscription, or as a service. In the latter case, pricing is determined strictly by the number of production instances you would like to deploy, the type of databases that are in scope for your solution, and, of course, the products that you would like to use. You can have as many non-production instances running as you like without extra charge. This pricing model is structured so that it is viable for any scale of deployment, whether it’s enterprise-wide, or isolated to a handful of critical applications.
MENTIS iDiscover
Last Updated: 21st May 2020
Mutable Award: Gold 2020
MENTIS is a data and application security platform that offers a range of modules that cover all necessary functions for discovering, protecting and monitoring sensitive data, regardless of the use case. For the purposes of this paper, we will be focusing on the sensitive data discovery capabilities MENTIS offers via its iDiscover module. Other modules include iSubset (data subsetting), iScramble (static data masking), iMask (dynamic data masking), iRetire (data retirement) and iMonitor (data monitoring). These modules are all delivered via the MENTIS engine. Each one (including iDiscover) can be used either by itself or with any number of others, and metadata can be freely shared between them.
We will also discuss the complementary discovery capabilities provided by MENTIS’ iSecure API. In contrast to the modules described above, it does not sit within the MENTIS engine; rather, it works in tandem with it to provide NLP (Natural Language Processing) driven data discovery and rules-based anonymisation.
Once MENTIS is deployed, users can interact with it via an application server. The MENTIS engine itself can be hosted on-premises or, if you are running an Oracle agent, in the cloud via Amazon EC2. Regardless, it can integrate with data sources located both on-premises and in the cloud. It includes support for the mainframe, big data, and unstructured data as well as relational data. MENTIS products are available via perpetual license, subscription, or as a service.
Customer Quotes
“We could never have found all the sensitive data locations that were identified by MENTIS discovery... even with 22 years of PeopleSoft application knowledge.”
Fortune 15 US head quartered conglomerate
“MENTIS Sensitive Data Discovery is an incredible solution. The number of false positives is around 10%.
The application it replaced has 85% false positives.”
Top Swiss Bank
iDiscover profiles and classifies your data. In doing so, it discovers the sensitive data within your system, as well as the users and programs that have access to that data. Notably, it offers several distinct methods for data discovery, including dictionary matching, pattern matching, data matching and even code matching. Although each of these methods can be used individually, in general you will want to (and, in MENTIS, are able to) combine many or all of them while looking for sensitive data. For each method used, MENTIS will estimate the likelihood that – according to the method in question – your piece of data is sensitive. If multiple methods are used, this will increase accuracy and reduce the number of false positives.
MENTIS also offers an additional discovery method, based on NLP, via the iSecure API. This capability leverages NLP and NER (Named Entity Recognition) based on the spaCy.io library as an additional method for discovering sensitive data. The actual process for this is not dissimilar to using iDiscover: iSecure discovers entities within your data and exports that information to the MENTIS engine, which in turn scores those entities using NLP, as well as other MENTIS methods, as above. iSecure can also be used for masking these entities, but that discussion extends beyond this paper’s remit.
In addition to multiple discovery methods, the product also offers a choice of full scans (covering your entire database), sample scans (a selected number of rows) and incremental scans (updated or new tables). The results of the discovery process are presented via a visual dashboard as seen in Figure 1. Notably, you can drill down into these results to see how and why your data was classified as it was. You can also
see a ‘snapshot’ of the state of your system (see Figure 2) as well as a history of the same.
iDiscover supports a wide variety of data sources and formats which now includes unstructured data, although at present this is limited to data located on file servers or accessed via REST APIs. In particular, it does not currently include NoSQL databases. Even so, this is a notable step forward given the inherent difficulty of classifying unstructured data (for which NLP based discovery is particularly useful). For file servers in particular, a file gateway is used to transfer metadata and file data from the server to the MENTIS engine, which converts them to Oracle tables before performing the discovery process as normal.
Whenever possible, MENTIS will discover your sensitive data using an agent. This classifies data where it sits, without needing to bring it inside the MENTIS engine (only metadata is moved). This method is favoured because it is highly performant (MENTIS estimates it as 3-4 times faster than the alternative), scalable and parallelisable, allowing you to scan any number of data sources concurrently and in a federated fashion, while also enabling compliance with corporate policies that restrict unnecessary data movement. Unfortunately, this feature is not universally available, although several data sources, including Oracle and SQL Server, are currently supported.
MENTIS is appealing in part because it is not just a point solution, but a complete data security platform: sensitive data discovery is simply one feature among many. Therefore, if you are interested in data security, data privacy, data retirement (for example, to comply with GDPR) and so on, MENTIS will provide a solution for those as well. Moreover, the modular nature of the platform means that you only need to license the products that are relevant to your use case(s).
Beyond that, MENTIS’ faculties for discovery and classifying data is its standout feature, even as a platform. For example, the discovery options on offer, such as the ability to introspect code, or to classify data using NLP, are highly advanced and sophisticated. On top of that, MENTIS supports a wide variety of data sources and formats, including relational databases, documents, spreadsheets, flat files, CSV, XML and JSON.
The Bottom Line
MENTIS is a broadly capable data security platform with excellent data discovery capabilities that can now be brought to bear on both structured and unstructured data.
MENTIS Test Data Management
Last Updated: 12th July 2021
Mutable Award: Highly Commended 2021
MENTIS is a platform for governing and protecting your data and applications. It offers sophisticated sensitive data discovery alongside static and dynamic data masking, data subsetting, data monitoring, data retirement, and more, within a series of modules. The most relevant for the purposes of test data management are iDiscover, iSubset, iScramble, iSecure, and iMask.
MENTIS can be hosted on-premises or in the cloud, and regardless can work with both on-prem and in-cloud data sources. It supports a variety of data formats, including structured and unstructured data, and it integrates with an array of third-party products, primarily via APIs. Moreover, MENTIS has recently partnered with Windocks, an up-and-coming database virtualisation vendor, which fills in one the few holes in the company’s test data management line-up.
Customer Quotes
“We could never have found all the sensitive data locations that were identified by MENTIS discovery... even with 22 years of PeopleSoft application knowledge.”
Fortune 15 US head quartered conglomerate
“MENTIS Sensitive Data Discovery is an incredible solution. The number of false positives is around 10%. The application it replaced has 85% false positives.”
Top Swiss Bank
iDiscover profiles and classifies your data into data types, discovering sensitive data as it goes. Several methods are used for classification, including dictionary, pattern, data, and code matching. Any number of these can be applied at once to create an aggregate result and hence minimise false positives. Column sampling is used to minimise runtime, and samples are chosen to maximise coverage (for example, by only containing distinct values). Fuzzy logic is employed to make that sampling as representative of the underlying data as possible. Finally, NLP-based discovery on document data is available through iSecure.
Classification results are stored in a reusable template that is then leveraged throughout the platform. These results (or more accurately, recommendations) come with confidence levels as well as the reasoning that underpins them. If confidence is low, the process can be iterated. Approximately 70 classifications come preconfigured, including classifications compatible with recent legislation, such as GDPR.
iSubset allows you to create subsets across all applications within your database (a horizontal slice) or a single application (a vertical slice). They are taken from cloned copies of your production data, and can be generated based on a variety of parameters, including pattern matching or a user-specified condition, location, or date (including a time slice: for example, the last 100 days).
iScramble provides more than 70 static masking methods data, all of which maintain referential integrity. It can mask data at rest or in-transit, or automatically whenever it enters your system (“as it happens”), and each classification discussed above is equipped with a default masking method that can be applied with little or no manual intervention. Static masking can be employed within the data store itself, meaning you don’t need to move any underlying data in order to mask it, and when you action a masking job, any errors are reported when the job attempts to run but before it is actually executed. This enables you to fix those errors before committing to any part of the job.
iMask, on the other hand, provides dynamic data masking, format preserving encryption and tokenisation, based on user created templates that associate access rules and masking methods with sensitive data. Conditional masking – the ability to mask depending on the context – is also provided, including location-aware masking that uses the physical location of the user as the masking condition, and it can be deployed in different parts of your environment, and using subtly different methodologies, to suit a variety of use cases. iScramble and iMask can be combined to offer concurrent, “blended” static and dynamic masking, as well as “on demand” masking that extracts and stores statically masked data from a dynamically masked data source.
MENTIS also offers synthetic data generation by way of “identities”. Identities are alternate, fake data sets (“universes of data”) derived from your real data. They are created by analysing the distribution of your data and calculating its statistical properties, then generating a new data set out of whole cloth which preserves the properties that you care for. This generated data can then be used as a completely desensitised (but still representative) replacement for your real data, adding noise if appropriate, within your testing environment.
MENTIS’ greatest strength is its best-of-breed, market-leading data discovery. In fact, in our opinion, MENTIS goes further than any other supplier in its facilities for discovering sensitive data. Code introspection and fuzzy logic, for example, are relatively rare discovery features that MENTIS makes excellent use of.
MENTIS also provides a unified (but modular) location for actioning that discovery. These capabilities are less outstanding than discovery itself – it would be difficult for them not to be – but they are still substantial. Masking, in particular, is effectively automated via the masking methods attached to your classifications by default, although we would prefer if changing those methods was better supported. Identities should also be mentioned as a solution for synthetic data that puts particular (and very much warranted) emphasis on preserving the statistical integrity of your data.
The most recent versions of the MENTIS platform have also introduced significant performance improvements, as well as a new, much enhanced web UI that includes visualisations, wizards, dashboards (see Figure 1), and a particularly neat “masking method handbook” (Figure 2) that make the whole thing very easy to comprehend and work with.
The Bottom Line
MENTIS is a broadly capable data security platform (and consequently a formidable test data management solution) that offers notably excellent data discovery as well as highly capable static and dynamic data masking, subsetting, and synthetic data generation. If you’re struggling to find and protect your sensitive data – whether in a testing context or more generally – you should be looking at MENTIS.