Application Testing - a gaping hole in enterprise data protection efforts
Huw Price suggests that data masking, where sensitive information is obscured by realistic but not authentic data, is an effective way to protect data in the application testing process, thus improving overall data security.
Huw Price, VP Application Delivery, CA Technologies
There's no doubt that data breaches are on the rise. Recurring high-profile hacks and embarrassing, large-scale data leaks underline that the possibility of one's data being stolen or misused is often just a matter of time. It's a message that hits home; organisations are spending increasingly large portions of their IT budgets on protecting data. Recent research from Vanson Bourne, sponsored by CA Technologies, showed that 24 percent of all IT spending will be devoted to security in the next three years, up from 17 percent today, and showed that protecting against security breaches is a number one priority for UK enterprises.
At the same time, UK companies now operate in the application economy, where a business' fortunes are inextricably bound together with its applications. It's an environment in which applications make the difference between growth and stagnation, success and failure. Yet, with all the emphasis on data protection, are organisations paying enough attention to what happens to sensitive data during the application testing process?
Many companies still use copies of live production data in testing environments. These environments often lack appropriate security measures, or are outsourced to a third-party provider without any control over how the data is handled, what happens to it once testing is completed or what levels of protection are applied. This means that application testing can be, and in fact often is, a gaping hole in an organisation's data protection efforts.
A breach of this test data can have serious consequences – production data contains sensitive, often identifiable information, and a leak can be costly not only financially but also reputationally. It's clear then that organisations that don't take adequate steps to control the application testing process are putting their customers and employees at risk. Yet there are several simple ways in which companies can protect testing data, and thus improve their overall data security.
One of the most common approaches to protecting test data is data masking, where sensitive information is obscured by realistic but not authentic data. Obscuring data can be done in a number of ways – it may involve encryption, word substitution or character shuffling. While effective for minimising the consequences of a data breach, this method will usually retain some information from the original data (such as temporal or causal relationships) and does not overcome human error. Companies that handle large amounts of very sensitive data may want to seek alternative approaches.
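The following is an added example, not code from the article or from CA Technologies. It masks a few constructed records with keyed word substitution and character shuffling, then reports what survives masking. The key, the name pool, the field names and the sample rows are all assumptions made for illustration.

```python
import hashlib
import hmac
import random

# Assumed masking key; in practice it is kept outside the test environment.
MASK_KEY = b"constructed-demo-key"
# Constructed pool of realistic but not authentic replacement names.
FAKE_NAMES = ["Alex Reed", "Sam Cole", "Jo Marsh", "Pat Lowe", "Chris Vane"]

def _digest(value: str) -> bytes:
    return hmac.new(MASK_KEY, value.encode(), hashlib.sha256).digest()

def substitute_name(name: str) -> str:
    """Word substitution: the same real name always maps to the same fake one."""
    return FAKE_NAMES[int.from_bytes(_digest(name)[:4], "big") % len(FAKE_NAMES)]

def shuffle_chars(value: str) -> str:
    """Character shuffling: keyed, repeatable permutation of the characters."""
    chars = list(value)
    random.Random(_digest(value)).shuffle(chars)
    return "".join(chars)

def mask_record(rec: dict) -> dict:
    """Mask identifying fields; timestamp and amount stay for test realism."""
    return {**rec, "name": substitute_name(rec["name"]),
            "account": shuffle_chars(rec["account"])}

# Constructed sample rows standing in for a production extract.
PRODUCTION = [
    {"name": "Mary Jones", "account": "40817263", "ts": "2015-03-01T09:12", "amount": 120.0},
    {"name": "Omar Haddad", "account": "55120934", "ts": "2015-03-01T09:40", "amount": 15.5},
    {"name": "Mary Jones", "account": "40817263", "ts": "2015-03-02T17:05", "amount": 980.0},
]

def retained_information(original: list, masked: list) -> dict:
    """Report which properties of the original data survive masking."""
    groups = {}  # real account -> set of masked identities seen for it
    for o, m in zip(original, masked):
        groups.setdefault(o["account"], set()).add((m["name"], m["account"]))
    return {
        "event_order": [r["ts"] for r in original] == [r["ts"] for r in masked],
        "customer_linkage": all(len(ids) == 1 for ids in groups.values()),
        "account_digit_set": all(sorted(o["account"]) == sorted(m["account"]) for o, m in zip(original, masked)),
        "real_names_removed": all(o["name"] != m["name"] for o, m in zip(original, masked)),
    }

if __name__ == "__main__":
    masked = [mask_record(r) for r in PRODUCTION]
    print(masked, retained_information(PRODUCTION, masked))
```

Every flag in the report comes back true: the real names are gone, but the order of events, the link between one customer's rows and the digits of each account number are all still present in the masked copy.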
One such approach is data sub-setting. If performed effectively, this method offers several benefits, such as reduced infrastructure costs and demonstrable compliance with legislation. The idea is that, rather than storing massive copies of production data, the organisation provisions smaller subsets. Each of those subsets is then additionally masked, so the likelihood that they contain sensitive information is very limited, thus giving companies increased peace of mind when it comes to data protection.
For organisations seeking to boost their test data security even further, synthetic data generation is an excellent way of ensuring that sensitive data is protected across the whole application-development and delivery cycle. It's a simple and safe solution, where synthetic data is generated as a simulation of live data. It eliminates the presence of personal data in non-production environments so that sensitive information doesn't get into the wrong hands, thereby mitigating the costs and risks associated with regulatory compliance violations – all while providing the data needed for rigorous testing.
Today's application economy presents a truly wide range of opportunities for organisations to reach and understand their customers and offer services that better suit their needs. But to fully make use of those opportunities, organisations must ensure their data protection efforts start and end at the heart of this new economic reality - the application and the application testing cycle.
Contributed by Huw Price, VP application delivery, CA Technologies