The unseen privacy crisis
Paul Vallely
22/01/2008

During the past several years, the issue of the inappropriate and unlawful use of private consumer data, including identity and credit information, has become a national crisis. It is commonplace to see media reports of confidential consumer information leaked or stolen from financial institutions, mortgage and real estate businesses and a bevy of others. Compounding this problem is the continued explosion in web-based e-commerce applications that routinely contain social security numbers, birth dates, addresses and credit card information. From major retailers to the local shoe store, confidential data is being hacked, stolen, compromised or simply lost.

Because of the critical nature of this problem, a considerable amount of legislation – including the Sarbanes-Oxley Act, HIPAA and the Gramm-Leach-Bliley Act – was passed to, among other things, govern how organisations protect confidential data. Unfortunately, most of the attention is focused on protecting “production” data or data already in use in established software applications. While protecting production data is indeed significantly important, another aspect of data privacy – the protection of data used during the development and testing of software applications – is equally important but has regrettably received much less attention.

“The greater the value or usefulness of data outside of an organisation, the more likely it is that someone will try to steal it. If the data can be sold, then it clearly has economic significance. If it can be used for competitive advantage, then it has an indirect economic significance,” according to Gartner’s report entitled Understanding Data Leakage. “However, information doesn't have to be economically valuable to be of high interest to outsiders — it can also have social or political significance that would be harmful to the organisation if the information became available to someone motivated to publicise it or use it for blackmail."

Few people outside of the IT industry give much thought to how applications are tested. Most assume organisations fully test their applications prior to putting them into operation. While this is increasingly the case, demonstrated by the fact that automated testing is one of the largest segments of the application development market, it is more common for organisations to deploy recently developed applications and then test them at a testing facility or system integrators site. In the majority of situations, currently active customer data is used to test these applications.

Using live customer data to test applications is a potential disaster waiting to happen. While organisations may think their test data is immune from privacy threats because testing occurs in a non-production environment, the fact is that test data is typically a copy or subset of production data. Test environments are less secure and can expose critical data to a variety of unauthorised sources, including in-house testing staff, consultants, partners, and support personnel. Compounding this problem is the fact that an increasing amount of software testing is now outsourced to independent testing firms, many of which are offshore. This exposes organisations – and their customers, employees and vendors – to substantial risk, liability and public disgrace.

Protecting your sensitive data is crucial, but it can be difficult for a variety reasons. The data may be dispersed on many platforms and be very complex. No one in the organisation may have ownership for the process, or you may not be able to interpret the compliance regulations. Because of these challenges, a one-size-fits-all approach cannot be used for all data privacy issues. However, protecting this sensitive data is vital.

What can organisations do about this pending crisis? The first step is to recognise that this is in fact a problem. All of the media attention that has resulted from the inappropriate and unlawful use of private consumer data has begun to increase awareness. Companies around the globe are now recognising that they are putting themselves and their customers, employees, and business partners at serious risk.

Second, IT needs to understand that they are also at risk and that they must research and adopt best practices and processes to ensure the data they use to test their applications remains confidential. For new development, this begins at the Requirements stage. For existing applications, this involves masking and disguising potentially sensitive data before releasing it for use in testing. In all situations, the processes need to be documented so that an organisation can demonstrate compliance.

Third, companies need to mandate their development partners and outsourcers rigorously adhere to a set of policies that eliminate the use of live sensitive data during the testing process. More and more software testing is outsourced with many of the outsourcers located offshore. This serious risk is best managed by implementing documented processes and compliance auditing.
 
Finally, companies at risk need to consider technological answers to meet this challenge. Technology tools designed to transform or mask sensitive or confidential data without diminishing the validity of that data set for testing purposes can eliminate the organisation’s risk without inhibiting a thorough and accurate testing process.

Testing is a mandatory step for ensuring that today’s applications work as intended. As more organisations recognise the risk of using live data, and that there are proven steps for masking and protecting this data, the unseen privacy crisis can be averted.

- Paul Vallely, Solution Sales Director, Test Data Privacy, Compuware.

advertisement