Test data privacy – Why should you care?
Melissa Stevens 270005B76W MELISSAS@US.IBM.COM | | Tags:  data-security security privacy ibmsecurity data-governance
0 Comments | 4,389 Visits
This post is contributed by Kim Madia, World Wide Product Marketing Manager for Infosphere.
IOUG recently published an interesting study on how data is used and shared internally and externally. The report, Testing the bounds of Data Governance, surveyed 207 IT and data executives. Respondents report their organizations are behind the curve when it comes to managing the risks of exposing live data to less secure settings including development departments and outside contractors. The respondents were concerned that third parties might not follow best practices of keep confidential safe, and they worried that they might be in violation of regulations which require protection of data no matter where it resides.
The bottom line is organizations are under mounting pressure to deliver more functionality faster. Thus they are forced to make trade offs. Most ignore the risks inherent in sending data out of what may be a secure production environment to development teams—both internal and external— who may not adhere to security best practices. According to one respondent in the IOUG survey, a DBA with a large transportation organization:“Data in test environments is at a much higher risk because more people access the data and the firewall protection is less compared to production.”
An article in “Database Trends and Applications” supports this analysis. Using sensitive production data for non-production purposes such as test, development, QA, staging and training, may be desirable at first. It is easy to create a production copy, it doesn’t require highly skilled resources and it makes testers happy because they have realistic data to test with. However, this makes security professionals nervous. One security expert stated “Copying production data is too rampant and reckless.” Think about what data may be unprotected when you copy production data - customer, employee, revenue, corporate intelligence and confidential data, to name a few types.
Data privacy is not just a concern for production systems; it extends to nonproduction environments especially when this work is outsourced. Database administrators (DBAs) and security and risk professionals need to revisit security policies for test data. Most regulation such as HIPAA and PCI DSS require protection of data no matter where it resides across the enterprise. Ask yourself – Where is my sensitive data copied or cloned? What sensitive data I am sending to third parties? Is the security level the same across all my enterprise databases?
There is help. Many organizations are recognizing the value of data masking to prevent security and privacy breaches and to meet regulatory requirements. Static data masking is the most common type of masking used to protect data at rest, like test data for application development. Static data masking leverages various techniques such as string literal values, character substrings & concatenation, random or sequential numbers, arithmetic expressions or look up values.
To date, static data masking decisions at many organizations have been tactical and reactionary. But as changes to applications are nearly constant and as privacy legislation continues to evolve, a more strategic approach is imperative. Static data masking should be tied to an overall data governance strategy.
To learn more about data masking, IBM recommends this report from Securosis.
To learn more about IBM’s data masking solution, InfoSphere Optim Data Masking, please click here.