IT Compliance Institute, February 21, 2006:
Expert Q&A
Tangling with Test Data
Do your developers choose their own test data? Since 70 percent of data thefts are inside jobs, you can't assume that any visible information in your company is safe or even private. Companies need a strategy for obscuring—or just faking—sensitive data for use in testing environments.
By Mathew Schwartz
Do your developers use real, sensitive customer information to test the applications they build?
Doing so is a security risk. Experts recommend companies restrict access to all personally identifiable information—including social security numbers, credit card information, medical details, and bank account information—on a need-to-know basis. Developers don’t qualify.
One alternative: obfuscating information before it goes to developers. To discuss this, we speak with Compuware’s Janette Lollo, the worldwide sales director for file and data management, and Jim Wyne, the worldwide field technical support director.
In a test environment, how do organizations currently protect sensitive information?
Lollo: First off, they could be doing nothing: just handing over production data. Or they could be having employees sign non-disclosures. In Europe, that is still a common practice, and it just shifts responsibility to employees.
Then we have some companies restricting access, so employees no longer have access to production data. Others may use some form of de-identifying by Xing out sensitive fields. So there are a number of ways, but you’re either doing it or not doing it.
Are regulations directly driving the use of data-masking technologies?
The laws are somewhat ambiguous, and companies need to interpret those and figure out, “What does that mean?” And it’s the same thing in Australia and in the European Union, with personal data protection and all those laws. It’s up to the company to determine how to protect information. At every organization we talk to, they say, “We have a committee and it’s their job to ensure that ultimately we meet [all external] requirements.”
Beyond regulations, are companies driven to adopt such technology just by the threat of data theft?
According to the Ponemon Institute, 39 percent of data losses are non-malicious, and 30 percent are malicious. Then Gartner states 70 percent [of data thefts] are inside jobs. When you see those statistics, companies start saying, maybe a nondisclosure isn’t good enough anymore.
Wyne: I think companies procrastinate if it’s just a regulation, but when an auditor comes in or their name is in the paper, they get proactive.
Lollo: Our proposal is, we can help companies protect production data that’s used in a test environment. But quite frankly the same tools and methodologies, the same processes and procedures, are used no matter what you do with that data once it’s pulled from production. For example, we have one customer disguising production data they send to a third party to do research on—for drug research—or [others do that for] internal reporting, or outsourcing IT development or support. So it’s anytime you need to send data, or get [an outsourcer] to test data or applications. Basically, wherever data needs to be disguised.
Are most companies aware of the need to disguise information?
Analysts tell us customers are having difficulty with…which applications do you start with, and what are the key elements that need to be disguised. If someone in a test environment had that data, and they were using it for testing purposes, and they could now see a name matched up to a social security number, or medical information, then there’s a lot of exposure there.
Where can companies get data obfuscation tools?
We’ve seen everything from consulting companies saying this is a service, and we’ll come and figure it out, to companies offering some various encryption routines that [provide] the functionality, but which are in many cases data-type- or platform-specific.
How can your product obscure information?
Wyne: Aging, encryption, translation. We can also generate data…and we can certainly mask part of the field. You don’t want to see the whole field, just parts of it.
Lollo: [That’s important because]…products that use encryption for everything—typically in a production environment—can…[result in] meaningless data for the end user. Or it might cause an application to not run.
What about just generating good enough, yet fake, data?
Believe it or not, that’s a popular method, because if you have 20 fields to disguise, disguising them may be more of an effort than just generating it.
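The techniques Wyne lists (aging, translation, masking part of a field) and the generated-data approach discussed in the last two answers, as an added Python example that is not Compuware’s code or anything from the article. The production records, the KEY value and the Customer-prefixed alias format are constructed assumptions; every output keeps the field’s production format, which is the property blanket encryption loses when it breaks the application under test.

```python
import hmac
import random
from datetime import date, timedelta

# Constructed sample production records (fictional values, not from the article).
PRODUCTION = [
    {"name": "Alice Example", "ssn": "123-45-6789", "card": "4111111111111111", "dob": "1980-03-15"},
    {"name": "Bob Sample", "ssn": "987-65-4321", "card": "5500000000000004", "dob": "1975-11-02"},
]
KEY = b"per-environment-masking-key"  # assumed secret kept by the data owner, never copied to test

def _keyed_int(label, key=KEY):
    """Keyed, deterministic integer (HMAC-SHA256) so masking is repeatable for one key only."""
    return int.from_bytes(hmac.new(key, label, "sha256").digest()[:8], "big")

def partial_mask(value, keep_last=4, fill="X"):
    """Mask part of the field: X out every digit except the trailing keep_last, keeping separators."""
    cut = len(value) - keep_last
    return "".join(fill if c.isdigit() and i < cut else c for i, c in enumerate(value))

def age_date(iso, max_days=365):
    """Aging: shift every date by one key-derived offset so intervals between records survive."""
    offset = _keyed_int(b"date-offset") % (2 * max_days + 1) - max_days
    return (date.fromisoformat(iso) + timedelta(days=offset)).isoformat()

def translate(name):
    """Translation: the same real name always maps to the same alias (referential integrity)."""
    return "Customer-%06x" % (_keyed_int(name.encode()) % 0x1000000)

def luhn_check_digit(body):
    """Luhn check digit for a digit string that is about to get the check digit appended."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def generate_card(real_card, prefix="4", length=16):
    """Generate: a synthetic, Luhn-valid number seeded from the real one, so app checks still pass."""
    rnd = random.Random(_keyed_int(real_card.encode()))
    body = prefix + "".join(str(rnd.randrange(10)) for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)

def disguise(record):
    """One technique per field; every output keeps the original field's format and length."""
    return {"name": translate(record["name"]), "ssn": partial_mask(record["ssn"]),
            "card": generate_card(record["card"]), "dob": age_date(record["dob"])}
```

Because every transform is keyed, the same production extract disguises identically on each run, which lets joins between masked tables keep working.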
Has data obfuscation technology been adopted in any industry in particular?
What we’re seeing, quite frankly, is [it being used for] organizations that have the highest risk of sensitive information being exposed: banks and financial institutions, insurance companies, healthcare companies, and in some cases retail, [for] credit card information.
Who inside companies drives the data-protection initiative?
The CSO or CISO, or chief compliance officer, or a risk management officer—someone who has identified that there is a hole, a gap that needs to be filled. Then it’s just a question of who’s going to do it, and in many cases we’ve seen organizations create communities of excellence.
Then the people who actually use our technology could be a much lower-level person in the organization—a DBA or developer, someone who has the technical abilities…. We’ve seen different things.
Who actually takes responsibility for providing usable test data?
[That needs] to be done by a central group in charge of data security, or at least a manager or someone at a product-leader level. Different companies implement [this] differently….
Do organizations already have such a function in place, or does having these tools drive its creation?
It can be eye opening that companies need to create that position, a data czar. Because you don’t want to put the data in the hands of developers—they don’t want to have to deal with that.
Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.
This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.