When HM Revenue & Customs revealed in November 2007 that it had lost 25 million records, the profile of data breaches exploded. Since that day, we have seen countless organizations, both in the public and private sector, losing sensitive data, whether it is through leaving a laptop on a train or through being subject to an external hack.
With breaches still regularly occurring today, it seems clear that many organizations still refuse to take the necessary precautions to secure their data, despite the fact there are plenty of solutions available to enable this.
The failings of HMRC certainly saw the topic of security moving higher up both CIOs’ and CEOs’ agendas, and there was an increased push to secure customer data. However, has enough been done to ensure this information remains secure? Is an extra firewall or a new layer of encryption technology enough to ensure that another organization does not suffer similar embarrassment to its customers? It is clear that the answer is no.
Today’s unprecedented rate of change requires business agility and faster time-to-market, whether that means introducing new products and services or responding to mergers and acquisitions. The only effective way to ensure IT systems are still operating at full capacity after any change to the business is through application testing using realistic data. A recent survey by Micro Focus and the Ponemon Institute indicates that the root cause of many data breaches is the use of live data in testing and development.
The survey, conducted amongst 1,350 IT practitioners in companies with revenues from $10 million to over $20 billion, looked at data security trends in testing and development. Two thirds of all respondents experience change on a weekly basis with a further quarter declaring this takes place at least monthly. To be absolutely sure that IT systems are fully functional in production, the vast majority of surveyed organizations use live production data, such as customer records, employee records, credit cards and other business confidential information, in the testing process.
This may raise a few eyebrows, but as long as the right security techniques are in place, organizations have nothing to worry about. They will be very aware of the risks of data breaches, due to their high exposure in the press, so surely they do not want to fall foul of one, right? Wrong.
The survey went on to reveal that over two thirds (70%) of companies do not have the measures in place to mask this live data during development and testing. This alarming statistic is made even more staggering by the fact that over three quarters (79%) of all organizations have experienced a data breach in the last 12 months. Despite having their fingers burned once already this year, they are still putting their customers and their own information and reputation at stake by leaving themselves liable to another breach, for the majority, on a weekly basis. The risk is intensified by the unmanageable sizes of data being tested. Three-quarters of respondents confirmed they use test data files that are larger than one terabyte, with some testing more than 50 terabytes of test data.
To give an example of the potential cost that could be incurred by a data breach, a recent study by the Ponemon Institute revealed that each record that is lost or stolen costs an organization an average of $202. In today’s economic climate, this is a penalty no business can afford to experience.
Secure and Realistic Testing
So the question that needs to be asked is how can organizations mitigate this risk and guarantee their data is watertight during development and testing? To guarantee secure and realistic testing, businesses should implement an automated and repeatable test data management process. First, realistic testing requires realistic data — so, they must begin by accessing relational and hierarchical databases and other data stores from the mainframe and distributed systems. Next, this test data should be subsetted both to make it more manageable and to reduce data storage and test execution costs.
Following this stage, organizations must ensure that this process conceals private data within test data sets to adhere to data privacy regulations and eliminate the risk of data breaches. With a better test data management process, companies can accelerate and lower the cost of testing of high quality applications. At the same time, they avoid the loss of goodwill, costly penalties, and regulatory non-compliance stemming from data breaches.
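One way to carry out the subset-then-mask steps described above, as an added example rather than code from the article or from any vendor's product. The table layout, sample rows, masking key and helper names are all constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

MASK_KEY = b"constructed-demo-key"  # assumption: real key is stored outside the test environment
SCHEMA = """
    CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, email TEXT, card TEXT);
    CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL);
"""

def pseudonym(value: str, field: str, key: bytes = MASK_KEY) -> str:
    """Keyed, deterministic token: equal inputs mask to equal outputs, so joins still work."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()

def mask_card(pan: str, key: bytes = MASK_KEY) -> str:
    """Replace every digit of a card number, keeping only its length."""
    digest = pseudonym(pan, "card", key)
    return "".join(str(int(c, 16) % 10) for c in digest[:len(pan)])

def make_production() -> sqlite3.Connection:
    """Constructed stand-in for a live database: 100 customers, 3 orders each."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO customers VALUES (?,?,?,?)", [
        (i, f"Customer {i}", f"user{i}@example.com", f"{4000000000000000 + i}")
        for i in range(1, 101)])
    db.executemany("INSERT INTO orders VALUES (?,?,?)", [
        (i, (i % 100) + 1, 10.0 * i) for i in range(1, 301)])
    return db

def build_test_set(prod: sqlite3.Connection, every_nth: int = 10) -> sqlite3.Connection:
    """Subset customers, copy only their orders, and mask personal fields on the way out."""
    test = sqlite3.connect(":memory:")
    test.executescript(SCHEMA)
    rows = prod.execute("SELECT id, name, email, card FROM customers WHERE id % ? = 0",
                        (every_nth,)).fetchall()
    for cid, name, email, card in rows:
        # The surrogate id is kept so foreign keys stay valid; personal fields are replaced.
        test.execute("INSERT INTO customers VALUES (?,?,?,?)", (
            cid, "name-" + pseudonym(name, "name")[:10],
            pseudonym(email, "email")[:12] + "@test.invalid", mask_card(card)))
        # Referential integrity: only orders belonging to a selected customer are copied.
        test.executemany("INSERT INTO orders VALUES (?,?,?)", prod.execute(
            "SELECT id, customer_id, total FROM orders WHERE customer_id = ?", (cid,)))
    test.commit()
    return test
```

Because the masking is keyed and deterministic, rerunning the job yields the same test values, which keeps the process repeatable; the key itself has to stay out of the test environment, or the tokens can be recomputed from guessed inputs.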
In March 2009, Joseph Feiman, research VP and Gartner Fellow, confirmed the capability of data masking, stating “Data masking raises enterprises’ security and privacy assurance against insiders’ abuses and helps enterprises to be compliant with data-centric regulations… [It] is an integral part of software life cycle (SLC) processes.”
As businesses strive to achieve growth in the toughest recession for 100 years, they need to guarantee they are looking after the information they already possess. Testing is always going to be an integral part of a company’s development — the study above showed just how often this process has to take place. CIOs need to establish a firm data protection strategy for the production environment as well as for the use of live data in testing and application development. And the assessment and implementation of these masking and subsetting techniques need to be an integral part of this. Cutting corners leaves organizations everywhere vulnerable to a major data leak, an event that could cause irreparable damage to a company’s database and reputation.