Mage Data

As well as having a direct salesforce, Mentis views partnerships as a strategic priority and it has existing partnerships with leading global systems integrators, several regional resellers in EMEA and Latin America, and also product and technology OEMs.

MENTIS does not focus on any particular verticals since, especially under compliance regimes such as GDPR, the security and privacy of your data applies to all sorts of verticals. Historically, the company’s main customer base has been concentrated on leading institutions and Fortune 500 companies within the United States but, in 2017, it started to expand into Europe and gained some notable wins, including one of the leading Swiss banks and a leading credit scoring company headquartered the in UK.

iDiscover is the MENTIS suite’s solution for data discovery allowing you to discover data across a wide variety of data sources and formats, including big data. It also offers several distinct methods for classifying data. For example, matching known column and table names against a data dictionary, pattern matching, classification of discovered data by comparing it to known data, by validating it against rules particular to each data type, and even by examining underlying database and application code.

iScramble allows you to apply a variety of masking methods to your data while maintaining referential integrity. Data can be masked where it is stored and updated in place or you can mask data in-transit while files are being transferred between systems, and there is also an “as it happens” option based on triggering masking when new data is added. iScramble can also be combined with iMask for a combination of static and dynamic masking. Unlike static data masking, dynamic data masking applies masking rules to data as it is accessed, depending on the privileges of the user or program attempting to access it. A major feature is that you can apply conditional masking, the ability to mask – or mask in a certain way – depending on the context. This may be combined with location-aware masking, which is the ability to mask data (or not) depending on the physical location of the user or program attempting to access it. iMask also supports encryption and tokenisation as well as masking per se. It works by allowing you to create masking templates consisting of masking rules and associated data and metadata. Deployment can be via a proxy server, or file server, or embedded in a database or application.

MENTIS uses iMonitor to provide monitoring, complete with a decision and alerting engine. This leverages template schemas, generated by iDiscover (if you’re using it) during the discovery process, to monitor the different data types within your system. In particular, it provides user activity monitoring that tracks user logins and connections to your various data sources and statements: monitoring logs, programs, and data being accessed, in near real-time. Finally, iRetire is a data retention product within the MENTIS suite that specialises in retiring your data: archiving it (tokenised) or otherwise removing it from your system at the end of its lifecycle. It leverages the same template schemas – again generated by iDiscover – as iMonitor, allowing you to create data retention rules that act on pre-specified tables and columns within your database (potentially with added conditions, such as a user ID) to retire the data contained within them.

All the MENTIS products are implemented using an Oracle database (hosted on-premises) with a Tomcat application server and agents running on relevant databases and file servers (either on-premises or in the cloud). The engine doesn’t store any data (and, in particular, sensitive data) in and of itself, but it does hold metadata. Both structured and unstructured data are supported. In fact, one of the biggest advantages offered by MENTIS is the ability to handle a wide range of data – on-premises, in-cloud, structured, and unstructured – consistently and within the same platform.

MENTIS has a best practice based implementation methodology called MENTIS 3-D (define, design, and deliver). Service focus is on customer success and enablement in the form of flexible implementation models and training. These are provided both by the company and its partners.

MENTIS products are available via perpetual license, subscription, or as a service. In the latter case, pricing is determined strictly by the number of production instances you would like to deploy, the type of databases that are in scope for your solution, and, of course, the products that you would like to use. You can have as many non-production instances running as you like without extra charge. This pricing model is structured so that it is viable for any scale of deployment, whether it’s enterprise-wide, or isolated to a handful of critical applications.

iDiscover profiles and classifies your data. In doing so, it discovers the sensitive data within your system, as well as the users and programs that have access to that data. Notably, it offers several distinct methods for data discovery, including dictionary matching, pattern matching, data matching and even code matching. Although each of these methods can be used individually, in general you will want to (and, in MENTIS, are able to) combine many or all of them while looking for sensitive data. For each method used, MENTIS will estimate the likelihood that – according to the method in question – your piece of data is sensitive. If multiple methods are used, this will increase accuracy and reduce the number of false positives.

MENTIS also offers an additional discovery method, based on NLP, via the iSecure API. This capability leverages NLP and NER (Named Entity Recognition) based on the spaCy.io library as an additional method for discovering sensitive data. The actual process for this is not dissimilar to using iDiscover: iSecure discovers entities within your data and exports that information to the MENTIS engine, which in turn scores those entities using NLP, as well as other MENTIS methods, as above. iSecure can also be used for masking these entities, but that discussion extends beyond this paper’s remit.

Fig 01 - MENTIS dashboard

In addition to multiple discovery methods, the product also offers a choice of full scans (covering your entire database), sample scans (a selected number of rows) and incremental scans (updated or new tables). The results of the discovery process are presented via a visual dashboard as seen in Figure 1. Notably, you can drill down into these results to see how and why your data was classified as it was. You can also
see a ‘snapshot’ of the state of your system (see Figure 2) as well as a history of the same.

Fig 02 - System summary in MENTIS

iDiscover supports a wide variety of data sources and formats which now includes unstructured data, although at present this is limited to data located on file servers or accessed via REST APIs. In particular, it does not currently include NoSQL databases. Even so, this is a notable step forward given the inherent difficulty of classifying unstructured data (for which NLP based discovery is particularly useful). For file servers in particular, a file gateway is used to transfer metadata and file data from the server to the MENTIS engine, which converts them to Oracle tables before performing the discovery process as normal.

Whenever possible, MENTIS will discover your sensitive data using an agent. This classifies data where it sits, without needing to bring it inside the MENTIS engine (only metadata is moved). This method is favoured because it is highly performant (MENTIS estimates it as 3-4 times faster than the alternative), scalable and parallelisable, allowing you to scan any number of data sources concurrently and in a federated fashion, while also enabling compliance with corporate policies that restrict unnecessary data movement. Unfortunately, this feature is not universally available, although several data sources, including Oracle and SQL Server, are currently supported.

MENTIS is appealing in part because it is not just a point solution, but a complete data security platform: sensitive data discovery is simply one feature among many. Therefore, if you are interested in data security, data privacy, data retirement (for example, to comply with GDPR) and so on, MENTIS will provide a solution for those as well. Moreover, the modular nature of the platform means that you only need to license the products that are relevant to your use case(s).

Beyond that, MENTIS’ faculties for discovery and classifying data is its standout feature, even as a platform. For example, the discovery options on offer, such as the ability to introspect code, or to classify data using NLP, are highly advanced and sophisticated. On top of that, MENTIS supports a wide variety of data sources and formats, including relational databases, documents, spreadsheets, flat files, CSV, XML and JSON.

The Bottom Line

MENTIS is a broadly capable data security platform with excellent data discovery capabilities that can now be brought to bear on both structured and unstructured data.

iDiscover profiles and classifies your data into data types, discovering sensitive data as it goes. Several methods are used for classification, including dictionary, pattern, data, and code matching. Any number of these can be applied at once to create an aggregate result and hence minimise false positives. Column sampling is used to minimise runtime, and samples are chosen to maximise coverage (for example, by only containing distinct values). Fuzzy logic is employed to make that sampling as representative of the underlying data as possible. Finally, NLP-based discovery on document data is available through iSecure.

Classification results are stored in a reusable template that is then leveraged throughout the platform. These results (or more accurately, recommendations) come with confidence levels as well as the reasoning that underpins them. If confidence is low, the process can be iterated. Approximately 70 classifications come preconfigured, including classifications compatible with recent legislation, such as GDPR.

iSubset allows you to create subsets across all applications within your database (a horizontal slice) or a single application (a vertical slice). They are taken from cloned copies of your production data, and can be generated based on a variety of parameters, including pattern matching or a user-specified condition, location, or date (including a time slice: for example, the last 100 days).

iScramble provides more than 70 static masking methods data, all of which maintain referential integrity. It can mask data at rest or in-transit, or automatically whenever it enters your system (“as it happens”), and each classification discussed above is equipped with a default masking method that can be applied with little or no manual intervention. Static masking can be employed within the data store itself, meaning you don’t need to move any underlying data in order to mask it, and when you action a masking job, any errors are reported when the job attempts to run but before it is actually executed. This enables you to fix those errors before committing to any part of the job.

iMask, on the other hand, provides dynamic data masking, format preserving encryption and tokenisation, based on user created templates that associate access rules and masking methods with sensitive data. Conditional masking – the ability to mask depending on the context – is also provided, including location-aware masking that uses the physical location of the user as the masking condition, and it can be deployed in different parts of your environment, and using subtly different methodologies, to suit a variety of use cases. iScramble and iMask can be combined to offer concurrent, “blended” static and dynamic masking, as well as “on demand” masking that extracts and stores statically masked data from a dynamically masked data source.

MENTIS also offers synthetic data generation by way of “identities”. Identities are alternate, fake data sets (“universes of data”) derived from your real data. They are created by analysing the distribution of your data and calculating its statistical properties, then generating a new data set out of whole cloth which preserves the properties that you care for. This generated data can then be used as a completely desensitised (but still representative) replacement for your real data, adding noise if appropriate, within your testing environment.

MENTIS’ greatest strength is its best-of-breed, market-leading data discovery. In fact, in our opinion, MENTIS goes further than any other supplier in its facilities for discovering sensitive data. Code introspection and fuzzy logic, for example, are relatively rare discovery features that MENTIS makes excellent use of.

Fig 01 - MENTIS Discovery Dashboard

MENTIS also provides a unified (but modular) location for actioning that discovery. These capabilities are less outstanding than discovery itself – it would be difficult for them not to be – but they are still substantial. Masking, in particular, is effectively automated via the masking methods attached to your classifications by default, although we would prefer if changing those methods was better supported. Identities should also be mentioned as a solution for synthetic data that puts particular (and very much warranted) emphasis on preserving the statistical integrity of your data.

Fig 02 - Catalogue of anonymisation methods in MENTIS

The most recent versions of the MENTIS platform have also introduced significant performance improvements, as well as a new, much enhanced web UI that includes visualisations, wizards, dashboards (see Figure 1), and a particularly neat “masking method handbook” (Figure 2) that make the whole thing very easy to comprehend and work with.

The Bottom Line

MENTIS is a broadly capable data security platform (and consequently a formidable test data management solution) that offers notably excellent data discovery as well as highly capable static and dynamic data masking, subsetting, and synthetic data generation. If you’re struggling to find and protect your sensitive data – whether in a testing context or more generally – you should be looking at MENTIS.