MENTIS
Last Updated:
Analyst Coverage: Philip Howard and Daniel Howard
MENTIS Software is a technology company specialising in data and application security. The company was founded more than a decade ago and it released its first product – what is now iScramble – in 2004. MENTIS has its headquarters in New York and also has offices in India and the Dominican Republic. The company has more than 50 employees.
Prior to 2017 MENTIS the company had bootstrapped itself and relied entirely on generated revenues. However, in 2017 the company went through a pre-series A round of VC funding. In addition to this, the company started to expand outside of the United States and Canada, gaining some significant customer wins in Europe.
MENTIS
Last Updated: 4th May 2018
MENTIS offers a suite of solutions that protect and secure your data throughout its lifecycle. The platform it offers consists of data discovery, masking (both static and dynamic), monitoring, and finally retirement. Monitoring in this case refers to continuous monitoring, while data retirement is effectively a subset of data retention. Accordingly, MENTIS provides solutions for each stage of this cycle. iDiscover, iMonitor and iRetire handle, as their names imply, discovery, monitoring, and retirement, while iScramble and iMask jointly take care of data masking, providing static and dynamic data masking respectively. MENTIS also offers several ancillary products, including iSubset (data subsetting for test data management environments), iProtect (database firewalls) and iVerify (two factor authentication). Note that the MENTIS suite is entirely modular, and each product can be used by itself or in combination with any number of others. If multiple MENTIS products are deployed together, they can be integrated into a single platform that shares metadata across all of its component products. There are specific integrations provided to work in conjunction with Oracle eBusiness Suite and PeopleSoft, though the MENTIS software itself is application agnostic and works with all leading data sources typically found in an enterprise (IMS and DB2 on the Mainframe, Oracle, DB2, SQL Server, Sybase, MySQL, Big data (Hadoop, Teradata) and files.
As well as having a direct salesforce, Mentis views partnerships as a strategic priority and it has existing partnerships with leading global systems integrators, several regional resellers in EMEA and Latin America, and also product and technology OEMs.
MENTIS does not focus on any particular verticals since, especially under compliance regimes such as GDPR, the security and privacy of your data applies to all sorts of verticals. Historically, the company’s main customer base has been concentrated on leading institutions and Fortune 500 companies within the United States but, in 2017, it started to expand into Europe and gained some notable wins, including one of the leading Swiss banks and a leading credit scoring company headquartered the in UK.
iDiscover is the MENTIS suite’s solution for data discovery allowing you to discover data across a wide variety of data sources and formats, including big data. It also offers several distinct methods for classifying data. For example, matching known column and table names against a data dictionary, pattern matching, classification of discovered data by comparing it to known data, by validating it against rules particular to each data type, and even by examining underlying database and application code.
iScramble allows you to apply a variety of masking methods to your data while maintaining referential integrity. Data can be masked where it is stored and updated in place or you can mask data in-transit while files are being transferred between systems, and there is also an “as it happens” option based on triggering masking when new data is added. iScramble can also be combined with iMask for a combination of static and dynamic masking. Unlike static data masking, dynamic data masking applies masking rules to data as it is accessed, depending on the privileges of the user or program attempting to access it. A major feature is that you can apply conditional masking, the ability to mask – or mask in a certain way – depending on the context. This may be combined with location-aware masking, which is the ability to mask data (or not) depending on the physical location of the user or program attempting to access it. iMask also supports encryption and tokenisation as well as masking per se. It works by allowing you to create masking templates consisting of masking rules and associated data and metadata. Deployment can be via a proxy server, or file server, or embedded in a database or application.
MENTIS uses iMonitor to provide monitoring, complete with a decision and alerting engine. This leverages template schemas, generated by iDiscover (if you’re using it) during the discovery process, to monitor the different data types within your system. In particular, it provides user activity monitoring that tracks user logins and connections to your various data sources and statements: monitoring logs, programs, and data being accessed, in near real-time. Finally, iRetire is a data retention product within the MENTIS suite that specialises in retiring your data: archiving it (tokenised) or otherwise removing it from your system at the end of its lifecycle. It leverages the same template schemas – again generated by iDiscover – as iMonitor, allowing you to create data retention rules that act on pre-specified tables and columns within your database (potentially with added conditions, such as a user ID) to retire the data contained within them.
All the MENTIS products are implemented using an Oracle database (hosted on-premises) with a Tomcat application server and agents running on relevant databases and file servers (either on-premises or in the cloud). The engine doesn’t store any data (and, in particular, sensitive data) in and of itself, but it does hold metadata. Both structured and unstructured data are supported. In fact, one of the biggest advantages offered by MENTIS is the ability to handle a wide range of data – on-premises, in-cloud, structured, and unstructured – consistently and within the same platform.
MENTIS has a best practice based implementation methodology called MENTIS 3-D (define, design, and deliver). Service focus is on customer success and enablement in the form of flexible implementation models and training. These are provided both by the company and its partners.
MENTIS products are available via perpetual license, subscription, or as a service. In the latter case, pricing is determined strictly by the number of production instances you would like to deploy, the type of databases that are in scope for your solution, and, of course, the products that you would like to use. You can have as many non-production instances running as you like without extra charge. This pricing model is structured so that it is viable for any scale of deployment, whether it’s enterprise-wide, or isolated to a handful of critical applications.
MENTIS iDiscover
Last Updated: 21st May 2020
Mutable Award: Gold 2020
MENTIS is a data and application security platform that offers a range of modules that cover all necessary functions for discovering, protecting and monitoring sensitive data, regardless of the use case. For the purposes of this paper, we will be focusing on the sensitive data discovery capabilities MENTIS offers via its iDiscover module. Other modules include iSubset (data subsetting), iScramble (static data masking), iMask (dynamic data masking), iRetire (data retirement) and iMonitor (data monitoring). These modules are all delivered via the MENTIS engine. Each one (including iDiscover) can be used either by itself or with any number of others, and metadata can be freely shared between them.
We will also discuss the complementary discovery capabilities provided by MENTIS’ iSecure API. In contrast to the modules described above, it does not sit within the MENTIS engine; rather, it works in tandem with it to provide NLP (Natural Language Processing) driven data discovery and rules-based anonymisation.
Once MENTIS is deployed, users can interact with it via an application server. The MENTIS engine itself can be hosted on-premises or, if you are running an Oracle agent, in the cloud via Amazon EC2. Regardless, it can integrate with data sources located both on-premises and in the cloud. It includes support for the mainframe, big data, and unstructured data as well as relational data. MENTIS products are available via perpetual license, subscription, or as a service.
Customer Quotes
“We could never have found all the sensitive data locations that were identified by MENTIS discovery... even with 22 years of PeopleSoft application knowledge.”
Fortune 15 US head quartered conglomerate
“MENTIS Sensitive Data Discovery is an incredible solution. The number of false positives is around 10%.
The application it replaced has 85% false positives.”
Top Swiss Bank
iDiscover profiles and classifies your data. In doing so, it discovers the sensitive data within your system, as well as the users and programs that have access to that data. Notably, it offers several distinct methods for data discovery, including dictionary matching, pattern matching, data matching and even code matching. Although each of these methods can be used individually, in general you will want to (and, in MENTIS, are able to) combine many or all of them while looking for sensitive data. For each method used, MENTIS will estimate the likelihood that – according to the method in question – your piece of data is sensitive. If multiple methods are used, this will increase accuracy and reduce the number of false positives.
MENTIS also offers an additional discovery method, based on NLP, via the iSecure API. This capability leverages NLP and NER (Named Entity Recognition) based on the spaCy.io library as an additional method for discovering sensitive data. The actual process for this is not dissimilar to using iDiscover: iSecure discovers entities within your data and exports that information to the MENTIS engine, which in turn scores those entities using NLP, as well as other MENTIS methods, as above. iSecure can also be used for masking these entities, but that discussion extends beyond this paper’s remit.
In addition to multiple discovery methods, the product also offers a choice of full scans (covering your entire database), sample scans (a selected number of rows) and incremental scans (updated or new tables). The results of the discovery process are presented via a visual dashboard as seen in Figure 1. Notably, you can drill down into these results to see how and why your data was classified as it was. You can also
see a ‘snapshot’ of the state of your system (see Figure 2) as well as a history of the same.
iDiscover supports a wide variety of data sources and formats which now includes unstructured data, although at present this is limited to data located on file servers or accessed via REST APIs. In particular, it does not currently include NoSQL databases. Even so, this is a notable step forward given the inherent difficulty of classifying unstructured data (for which NLP based discovery is particularly useful). For file servers in particular, a file gateway is used to transfer metadata and file data from the server to the MENTIS engine, which converts them to Oracle tables before performing the discovery process as normal.
Whenever possible, MENTIS will discover your sensitive data using an agent. This classifies data where it sits, without needing to bring it inside the MENTIS engine (only metadata is moved). This method is favoured because it is highly performant (MENTIS estimates it as 3-4 times faster than the alternative), scalable and parallelisable, allowing you to scan any number of data sources concurrently and in a federated fashion, while also enabling compliance with corporate policies that restrict unnecessary data movement. Unfortunately, this feature is not universally available, although several data sources, including Oracle and SQL Server, are currently supported.
MENTIS is appealing in part because it is not just a point solution, but a complete data security platform: sensitive data discovery is simply one feature among many. Therefore, if you are interested in data security, data privacy, data retirement (for example, to comply with GDPR) and so on, MENTIS will provide a solution for those as well. Moreover, the modular nature of the platform means that you only need to license the products that are relevant to your use case(s).
Beyond that, MENTIS’ faculties for discovery and classifying data is its standout feature, even as a platform. For example, the discovery options on offer, such as the ability to introspect code, or to classify data using NLP, are highly advanced and sophisticated. On top of that, MENTIS supports a wide variety of data sources and formats, including relational databases, documents, spreadsheets, flat files, CSV, XML and JSON.
The Bottom Line
MENTIS is a broadly capable data security platform with excellent data discovery capabilities that can now be brought to bear on both structured and unstructured data.
MENTIS Test Data Management
Last Updated: 17th June 2019
MENTIS is a data and application security platform that offers a range of modules that cover all necessary functions for discovering, protecting and monitoring sensitive data, regardless of the use case. For test data management, the most relevant modules are iDiscover, iSubset, and iScramble – used for (sensitive) data discovery, data subsetting, and static data masking respectively – while iMask (dynamic data masking) is complementary. Several other modules are also offered, including iRetire (data retirement) and iMonitor (data monitoring). Each module can be used by itself or in combination with any number of others, and metadata is shared between all modules via the MENTIS platform.
Once MENTIS is deployed, users can interact with it via an application server. The engine itself is hosted on-premises, but it can integrate with data sources located both on-premises and in the cloud, including big data sources such as data lakes. The product supports both structured and unstructured data, and support for Hadoop is due in the first half of 2019. MENTIS products are available via perpetual license, subscription, or as a service.
Customer Quotes
“We could never have found all the sensitive data locations that were identified by MENTIS discovery... even with 22 years of PeopleSoft application knowledge.”</br/>
Fortune 15, US head quartered conglomerate
“MENTIS Sensitive Data Discovery is an incredible solution. The number of false positives is around 10%. The application it replaced has 85% false positives.”</br/>
Top Swiss Bank
iDiscover profiles your data and classifies it into data types. In doing so, it discovers the sensitive data within your system (notably, it also discovers the users and programs who have access to that data). It works across a wide variety of data sources and formats, and offers several distinct methods for classification. This includes dictionary matching, pattern matching, data matching and even code matching. Multiple methods can be applied to a single piece of data, in which case the results for each method will be amalgamated to determine its data type. When discovering data, the product offers a choice of full scans (covering your entire database), sample scans (a selected number of rows) and incremental scans (updated or new tables). The results of data classification are presented visually, and can be filtered or drilled down into to view more detail. Finally, iDiscover stores the results of the discovery process in a reusable template that is then leveraged throughout the MENTIS platform.
As its name implies, iSubset provides a subset-based approach to generating test data. You can create subsets across all applications within your database (a horizontal slice) or a single application only (a vertical slice). Subsets are taken from a cloned copy of your production data, and can be generated based on a variety of parameters, including pattern matching, a specific (user specified) condition, location, or date (including a time slice – for example, the last 100 days).
iScramble allows you to apply more than 50 different masking methods to your data while maintaining referential integrity. It can mask data that is either at rest or in-transit, and there is also an “as it happens” option that masks new data as it is added to your system. iScramble can be combined with iMask for a combination of concurrent, “blended” static and dynamic masking, as well as “on demand” masking that extracts and stores statically masked data from a dynamically masked data source. iScramble also provides an open API for integrating with existing processes and environments.
iMask provides dynamic data masking, format preserving encryption and tokenisation. Masking is based on user created templates that associate access rules and masking methods with sensitive data. Conditional masking – the ability to mask depending on the context – is also offered. This includes location-aware masking, that uses the physical location of the user as the masking condition.
iScramble and iMask also offer synthetic data generation, in the form of ‘identities’. Identities are essentially alternate, false datasets, derived from and similar to (but distinct from) your real data, which can be located in either an internal or external repository for this purpose. Identities can then be leveraged to create synthetic datasets, which can themselves be used either instead of or in addition to data subsetting and data masking.
There are a number of reasons MENTIS is appealing as a test data management solution. The first is that it is, in actuality, much more than a test data management solution. Rather, it is a complete data security platform that offers test data management capabilities. Therefore, if you are interested in data security, data privacy, data retirement (for example, to comply with GDPR) and so on, MENTIS will provide a solution for those uses cases as well. Moreover, the modular nature of the platform means that you only need to license the products that are relevant to your use case(s).
Past that, it’s fair to say that MENTIS’ greatest strength is its data discovery solution, iDiscover. In fact, in our opinion, MENTIS goes further than any other supplier in its facilities for discovering sensitive data. For example, in addition to pattern recognition and similar profiling capabilities, the software has the ability to introspect code – for instance, business rules written in SQL – that may identify sensitive data. Very few test data management products have this capability. In short, the discovery capabilities offered by MENTIS are excellent, and market leading. This is especially important given the growing role of discovery in the test data management process, particularly when it comes to large organisations and big data. MENTIS’ capabilities in regards to the latter will be further enhanced by its forthcoming support for Hadoop.
The Bottom Line
MENTIS is a broadly capable data security platform and test data management solution. It provides excellent, comprehensive data discovery capabilities as well as flexible static data masking that can be utilised in several different ways (notably, in conjunction with dynamic data masking). If you are interested in achieving test data management via subsetting, MENTIS should definitely be on your shortlist.