Stacks of statistics from many sources share a common theme - growth rates for digital information are extremely high and undeniable. A tsunami of e-information is fueling the engine of today's corporate enterprise, and many businesses are aiming to ride the information wave to prosperity.
However, many companies are not sufficiently attentive to all the potential liabilities lurking in the depths of this digital information, including the risks involved in using real, live personal customer and employee data for application development and testing purposes. There's real potential for serious data security, legal and noncompliance risks when businesses fail to protect this data.
Picture this scenario: A retailer offers an incentive whereby preferred customers (those holding store-branded credit cards) get $10 off a purchase of $100 or more. In an effort to clear inventory the week after Christmas, this retailer wants to offer a special sale, modifying the offer to $20 off a purchase of $100 or more. The retailer wants the point-of-sale system to automatically alert in-store clerks when eligible card-holding customers are standing before them.
The IT team needs to test this modification to its existing application and uses real live production data-customers' card information. There's no malicious intent-all IT wants to do is shorten time-to-market for an application modification, and ensure that it works properly. But in using real customer data, IT may have failed to comply with legislation protecting personal information, including strict customer disclosure and notification requirements. And, if this data fell into the wrong hands, it could be a huge violation of ethics and trust impacting the retailer's most loyal and regular customers.
Why Is the Need for Test Data Privacy Often Ignored?
Within an organization's overall information security initiative, why is the need to protect test data often overlooked? In many cases it's a financial risk-based decision, and security professionals believe they can assume the risk. But can they?
Data breaches - even those that are unintentional - can be very costly. Globally, the average cost of a breach has risen to $3.43 million - an average of $142 per lost record, according to the Ponemon Institute. It can cost banks $150 or more to attract a new customer, according to Javelin Strategy and Research.
Still, failure to adequately protect test data is a far too rampant and reckless practice among many businesses today. Using customer, employee, or other confidential data straight from production for testing or developing applications can result in violation of data privacy laws and regulations and make that data vulnerable to attacks. Data privacy is not just a concern for production systems; it extends to nonproduction environments, too, including test, development, quality assurance (QA), staging, and training databases - wherever private data resides. Although many database administrators (DBAs) and security and risk professionals are revisiting security policies for test data, many are still not securing this data properly.
A Needed Wake-Up Call for Security Professionals
Application developers depend on fast, reliable access to test data to get new and modified applications to market faster. From the perspectives of budget, timeline and accuracy of results, it often seems like the most efficient way to do this is to use real production data (versus using manually created, incomplete dummy data) when testing an application.
However, certain trends are driving greater awareness for the need for test data privacy:
- First is the increasingly common practice of outsourcing software and application development. According to one recent international survey, 70% of the U.S. businesses polled stated they send real data to third-party organizations for development and testing.
- Second is the increasing number of industry- and region-specific data protection mandates, including HIPAA in healthcare, the Payment Card Industry (PCI) Data Security Standard in retail, Sarbanes-Oxley, the Irish Data Protection Act, and the EU. Industry-specific mandates impose stringent rules regarding the handling and protection of personally identifiable information. If you send data to a particular region as part of an application development or testing initiative, region-specific mandates for data protection must be considered and addressed.
- Finally, there's the ever-looming threat of breaches from within, as well as nonmalicious data leaks on the part of employees - consider a parent who unintentionally leaves an open laptop at a soccer game, for example.
Test Data Privacy Initiatives Incorporate Data Masking
Companies are increasingly recognizing the value of data masking technologies in preventing security and privacy breaches and in meeting regulatory and other compliance requirements for data protection. Static data masking is the most common type of masking used to protect data at rest, like test data for application development. Static data masking leverages various techniques such as translation, substituting data with random characters, or altering all numbers by a certain percentage in order to disguise data.
To date, static data masking decisions at many companies have been tactical and opportunistic. But as changes to applications are nearly constant and as privacy legislation continues to evolve, companies need a more strategic approach that addresses the full software lifecycle. Static data masking is not and should not be a "one-off" type of initiative.
Test data privacy solutions have evolved as an answer to give IT - specifically application testers and QA professionals - the latitude it needs to test and modify more applications faster and with greater accuracy, while granting security professionals complete control over how test data is disguised. Security professionals also have peace of mind knowing that sensitive test data, which may include birth dates, credit card numbers and Social Security numbers, is protected.
Key Attributes of Test Data Privacy Solutions Include the Following:
- They are roles-based, which means they customize permission levels for various functions such as administration, disguise and monitor, based on the role of the user. Security professionals - compliance officers, risk managers and others - define the rules by which various data types are protected. This is very important because security professionals are the best-qualified to determine what data needs to be protected and how.
- They offer an industry-standard interface from which to mask data wherever it exists across the enterprise, whether on mainframes, distributed systems, or laptops. By leveraging a consistent, easy-to-use interface, these solutions give security professionals faster, easier and more direct involvement in safeguarding data. With quicker, safer access to test data, development teams can better stick to their timeline and stay on schedule, resulting in a more beneficial collaboration between compliance and IT.
- They feature a central rules repository to manage all rules, offering various types of data masking based on the characteristics of the data. Once rules are set by security professionals, they are then stored in the central repository and produce consistent data disguise results when applied to different types of data and fields of different data types and lengths. The rules are accessed when application testers and QA professionals extract sets of test data, thereby lessening the burden on IT.
Incorporating Privacy Into Overall Application Testing Lifecycles
As a final note, when implementing a test data privacy solution, it can be helpful to work with consultants who have direct data security experience and credentials in order that they may train and guide other security professionals.
Test data privacy must be incorporated into businesses' overall application testing lifecycles. This fosters greater collaboration between security and IT professionals, by getting everyone on the same page in terms of timelines and schedules. But perhaps most importantly, ensuring test data privacy can be a relatively easy, cost-efficient way to deliver high-quality, adaptable business applications quickly, while minimizing data security risks and taking people - IT, security professionals, and customers - out of harm's way.