Data Obfuscation for Test Environments

Member Submitted
Testers need to know about the legal issues surrounding test data. This paper introduces several of the techniques used to protect test data from security breaches. These techniques are valuable to know whether you create test data or if your test data is created by someone else.

Sixty percent (60%) of data breaches are initiated by insiders or are a result of organizational mismanagement, according to a recent report 1. About one-third of data breaches are from hackers.

Accordingly, governments have been creating regulations for years imposing penalties on companies that have data breaches. Civil litigation further exposes companies to financial risk of not protecting sensitive information.

To curb these problems, businesses have focused on protecting the perimeter of systems to keep outsiders at bay. But what about protecting test environments. Hackers typically do not target test environments, but disgruntled insiders often do. Using production data in test environments provides hundreds or even thousands of employees and contractors working onsite, offsite, and offshore with access to your sensitive production data.

Sensitive data in non-production environments is rarely held to the same security standards as production data. The inability to protect sensitive data in test environments keeps many companies from leveraging the cost savings of outsourcing and offshoring.

Most of the high-profile and notorious data thefts reported in the news and trade publications are breaches of production systems. Outsiders hack their way into a production system, storage media is lost or stolen (or in one high-profile case tapes literally fell off a truck), laptops are lost or stolen, or other lapses occur in corporate security for production systems. While enterprise data protection is critical, organizations must pay heed to the alarming number of internal security threats such as those occurring during development and testing of applications.

This whitepaper focuses exclusively on protecting sensitive data in test environments.

Government and Industry Regulations
Government Oversight

Many countries have laws and/or regulations to protect the private information of citizens.

The US Gramm-Leach-Bliley Act 2 requires the protection of personal consumer information, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 3 has requirements to protect personal information, and the Right to Financial Privacy Act of 1978 4 requires protection of financial records. Several US states have enacted additional regulations above and beyond these federal measures. For example, California's SB 1386 7 requires companies to notify customers of data breaches. This model legislation is being pursued in several other states.

European nations are also taking a stand against data theft European Union Directive 95/46/EC 5 outlines strict guidelines on protecting individual private data and describes the responsibilities of data holders to shield from misuse. The United Kingdom Data Protection Act of 1998 6 extends the EU directive while placing greater legal obligations on those storing personal, private or sensitive data.

Industry Oversight
Industry oversights complement and extend the effectiveness of government regulations. The Payment Card Industry Data Security Standard (PCI DSS), for example, is a comprehensive standard to help organizations proactively protect customer account data 8. Compliance is not mandatory but companies accepting credit cards or processing credit card transactions must comply in order to do business with the five major credit card payment networks American Express, Master Card Worldwide, Visa, Inc., Discover Financial Services, and Japan Credit Bureau (JCB) 9.

Compliance is audited by the credit card networks and includes an inventory of test facilities 9. Business will need to identify all points where credit card data can enter or leave the company, and examine data reports, log files, servers, e-mail, and file transfers9 all of which take place in test environments. Failing to comply can result in fines being issued by the credit card networks 9.

Sensitive Data in Test Environments?
Should sensitive data be used in test environments? The answer is a resounding no. Test data pulled directly from production is still sensitive


About the author

AgileConnection is a TechWell community.

Through conferences, training, consulting, and online resources, TechWell helps you develop and deliver great software every day.