MENTIS

As well as having a direct salesforce, Mentis views partnerships as a strategic priority and it has existing partnerships with leading global systems integrators, several regional resellers in EMEA and Latin America, and also product and technology OEMs.

MENTIS does not focus on any particular verticals since, especially under compliance regimes such as GDPR, the security and privacy of your data applies to all sorts of verticals. Historically, the company’s main customer base has been concentrated on leading institutions and Fortune 500 companies within the United States but, in 2017, it started to expand into Europe and gained some notable wins, including one of the leading Swiss banks and a leading credit scoring company headquartered the in UK.

iDiscover is the MENTIS suite’s solution for data discovery allowing you to discover data across a wide variety of data sources and formats, including big data. It also offers several distinct methods for classifying data. For example, matching known column and table names against a data dictionary, pattern matching, classification of discovered data by comparing it to known data, by validating it against rules particular to each data type, and even by examining underlying database and application code.

iScramble allows you to apply a variety of masking methods to your data while maintaining referential integrity. Data can be masked where it is stored and updated in place or you can mask data in-transit while files are being transferred between systems, and there is also an “as it happens” option based on triggering masking when new data is added. iScramble can also be combined with iMask for a combination of static and dynamic masking. Unlike static data masking, dynamic data masking applies masking rules to data as it is accessed, depending on the privileges of the user or program attempting to access it. A major feature is that you can apply conditional masking, the ability to mask – or mask in a certain way – depending on the context. This may be combined with location-aware masking, which is the ability to mask data (or not) depending on the physical location of the user or program attempting to access it. iMask also supports encryption and tokenisation as well as masking per se. It works by allowing you to create masking templates consisting of masking rules and associated data and metadata. Deployment can be via a proxy server, or file server, or embedded in a database or application.

MENTIS uses iMonitor to provide monitoring, complete with a decision and alerting engine. This leverages template schemas, generated by iDiscover (if you’re using it) during the discovery process, to monitor the different data types within your system. In particular, it provides user activity monitoring that tracks user logins and connections to your various data sources and statements: monitoring logs, programs, and data being accessed, in near real-time. Finally, iRetire is a data retention product within the MENTIS suite that specialises in retiring your data: archiving it (tokenised) or otherwise removing it from your system at the end of its lifecycle. It leverages the same template schemas – again generated by iDiscover – as iMonitor, allowing you to create data retention rules that act on pre-specified tables and columns within your database (potentially with added conditions, such as a user ID) to retire the data contained within them.

All the MENTIS products are implemented using an Oracle database (hosted on-premises) with a Tomcat application server and agents running on relevant databases and file servers (either on-premises or in the cloud). The engine doesn’t store any data (and, in particular, sensitive data) in and of itself, but it does hold metadata. Both structured and unstructured data are supported. In fact, one of the biggest advantages offered by MENTIS is the ability to handle a wide range of data – on-premises, in-cloud, structured, and unstructured – consistently and within the same platform.

MENTIS has a best practice based implementation methodology called MENTIS 3-D (define, design, and deliver). Service focus is on customer success and enablement in the form of flexible implementation models and training. These are provided both by the company and its partners.

MENTIS products are available via perpetual license, subscription, or as a service. In the latter case, pricing is determined strictly by the number of production instances you would like to deploy, the type of databases that are in scope for your solution, and, of course, the products that you would like to use. You can have as many non-production instances running as you like without extra charge. This pricing model is structured so that it is viable for any scale of deployment, whether it’s enterprise-wide, or isolated to a handful of critical applications.

iDiscover profiles and classifies your data. In doing so, it discovers the sensitive data within your system, as well as the users and programs that have access to that data. Notably, it offers several distinct methods for data discovery, including dictionary matching, pattern matching, data matching and even code matching. Although each of these methods can be used individually, in general you will want to (and, in MENTIS, are able to) combine many or all of them while looking for sensitive data. For each method used, MENTIS will estimate the likelihood that – according to the method in question – your piece of data is sensitive. If multiple methods are used, this will increase accuracy and reduce the number of false positives.

MENTIS also offers an additional discovery method, based on NLP, via the iSecure API. This capability leverages NLP and NER (Named Entity Recognition) based on the spaCy.io library as an additional method for discovering sensitive data. The actual process for this is not dissimilar to using iDiscover: iSecure discovers entities within your data and exports that information to the MENTIS engine, which in turn scores those entities using NLP, as well as other MENTIS methods, as above. iSecure can also be used for masking these entities, but that discussion extends beyond this paper’s remit.

Fig 01 - MENTIS dashboard

In addition to multiple discovery methods, the product also offers a choice of full scans (covering your entire database), sample scans (a selected number of rows) and incremental scans (updated or new tables). The results of the discovery process are presented via a visual dashboard as seen in Figure 1. Notably, you can drill down into these results to see how and why your data was classified as it was. You can also
see a ‘snapshot’ of the state of your system (see Figure 2) as well as a history of the same.

Fig 02 - System summary in MENTIS

iDiscover supports a wide variety of data sources and formats which now includes unstructured data, although at present this is limited to data located on file servers or accessed via REST APIs. In particular, it does not currently include NoSQL databases. Even so, this is a notable step forward given the inherent difficulty of classifying unstructured data (for which NLP based discovery is particularly useful). For file servers in particular, a file gateway is used to transfer metadata and file data from the server to the MENTIS engine, which converts them to Oracle tables before performing the discovery process as normal.

Whenever possible, MENTIS will discover your sensitive data using an agent. This classifies data where it sits, without needing to bring it inside the MENTIS engine (only metadata is moved). This method is favoured because it is highly performant (MENTIS estimates it as 3-4 times faster than the alternative), scalable and parallelisable, allowing you to scan any number of data sources concurrently and in a federated fashion, while also enabling compliance with corporate policies that restrict unnecessary data movement. Unfortunately, this feature is not universally available, although several data sources, including Oracle and SQL Server, are currently supported.

MENTIS is appealing in part because it is not just a point solution, but a complete data security platform: sensitive data discovery is simply one feature among many. Therefore, if you are interested in data security, data privacy, data retirement (for example, to comply with GDPR) and so on, MENTIS will provide a solution for those as well. Moreover, the modular nature of the platform means that you only need to license the products that are relevant to your use case(s).

Beyond that, MENTIS’ faculties for discovery and classifying data is its standout feature, even as a platform. For example, the discovery options on offer, such as the ability to introspect code, or to classify data using NLP, are highly advanced and sophisticated. On top of that, MENTIS supports a wide variety of data sources and formats, including relational databases, documents, spreadsheets, flat files, CSV, XML and JSON.

The Bottom Line

MENTIS is a broadly capable data security platform with excellent data discovery capabilities that can now be brought to bear on both structured and unstructured data.

iDiscover profiles your data and classifies it into data types. In doing so, it discovers the sensitive data within your system (notably, it also discovers the users and programs who have access to that data). It works across a wide variety of data sources and formats, and offers several distinct methods for classification. This includes dictionary matching, pattern matching, data matching and even code matching. Multiple methods can be applied to a single piece of data, in which case the results for each method will be amalgamated to determine its data type. When discovering data, the product offers a choice of full scans (covering your entire database), sample scans (a selected number of rows) and incremental scans (updated or new tables). The results of data classification are presented visually, and can be filtered or drilled down into to view more detail. Finally, iDiscover stores the results of the discovery process in a reusable template that is then leveraged throughout the MENTIS platform.

Figure 1 – The landing page in MENTIS iDiscover

As its name implies, iSubset provides a subset-based approach to generating test data. You can create subsets across all applications within your database (a horizontal slice) or a single application only (a vertical slice). Subsets are taken from a cloned copy of your production data, and can be generated based on a variety of parameters, including pattern matching, a specific (user specified) condition, location, or date (including a time slice – for example, the last 100 days).

iScramble allows you to apply more than 50 different masking methods to your data while maintaining referential integrity. It can mask data that is either at rest or in-transit, and there is also an “as it happens” option that masks new data as it is added to your system. iScramble can be combined with iMask for a combination of concurrent, “blended” static and dynamic masking, as well as “on demand” masking that extracts and stores statically masked data from a dynamically masked data source. iScramble also provides an open API for integrating with existing processes and environments.

Figure 2 – Masking data in MENTIS iScramble

iMask provides dynamic data masking, format preserving encryption and tokenisation. Masking is based on user created templates that associate access rules and masking methods with sensitive data. Conditional masking – the ability to mask depending on the context – is also offered. This includes location-aware masking, that uses the physical location of the user as the masking condition.

iScramble and iMask also offer synthetic data generation, in the form of ‘identities’. Identities are essentially alternate, false datasets, derived from and similar to (but distinct from) your real data, which can be located in either an internal or external repository for this purpose. Identities can then be leveraged to create synthetic datasets, which can themselves be used either instead of or in addition to data subsetting and data masking.

There are a number of reasons MENTIS is appealing as a test data management solution. The first is that it is, in actuality, much more than a test data management solution. Rather, it is a complete data security platform that offers test data management capabilities. Therefore, if you are interested in data security, data privacy, data retirement (for example, to comply with GDPR) and so on, MENTIS will provide a solution for those uses cases as well. Moreover, the modular nature of the platform means that you only need to license the products that are relevant to your use case(s).

Past that, it’s fair to say that MENTIS’ greatest strength is its data discovery solution, iDiscover. In fact, in our opinion, MENTIS goes further than any other supplier in its facilities for discovering sensitive data. For example, in addition to pattern recognition and similar profiling capabilities, the software has the ability to introspect code – for instance, business rules written in SQL – that may identify sensitive data. Very few test data management products have this capability. In short, the discovery capabilities offered by MENTIS are excellent, and market leading. This is especially important given the growing role of discovery in the test data management process, particularly when it comes to large organisations and big data. MENTIS’ capabilities in regards to the latter will be further enhanced by its forthcoming support for Hadoop.

The Bottom Line

MENTIS is a broadly capable data security platform and test data management solution. It provides excellent, comprehensive data discovery capabilities as well as flexible static data masking that can be utilised in several different ways (notably, in conjunction with dynamic data masking). If you are interested in achieving test data management via subsetting, MENTIS should definitely be on your shortlist.