Any organization with an effective software development lifecycle (SDLC) builds QA and development environments to test new or upgraded systems. Testing, either unit (developer) or user acceptance (UAT), requires data available to the application which looks very close to production data, including construction of all data dependencies. The fastest way to make this happen is to copy production data into the test and development databases. However, perception of the sensitivity of data in these non-production environments is often… well… wrong.
I like to practice data-centric security. This means security controls are about protecting sensitive data and access by critical systems to that data. So if someone moves a customer database, for example, to a development server the data should be protected with the same controls used to protect it in production. Organizations often use a system-centric approach to security, assuming that servers, workstations and data not in the production environment don’t require the same level of trustworthiness.
Research commissioned by enterprise applications vendor Micro Focus and carried out by the Ponemon Institute surveyed 1,350 application development staff at UK and US firms with turnover between $10m (£6.1m) and $20bn-plus.
The past 12 months have seen data breaches at 79 per cent of respondents, with the same amount using live production data in application development and testing. But just 30 per cent of firms mask this data during the process.
Application testing takes place on at least a weekly basis at 64 per cent of companies, with 90 per cent claiming it happens once a month or more. A mere seven per cent of respondents said data protection procedures were more rigorous during development and testing than during normal production.
Source: Lax data masking hits four in five firms, Sam Trendall, CRN, 18 August 2009
Granted, the purpose of the study was ostensibly to promote a data masking solution. But it demonstrates the need for better focus on non-production data stores. In other words, data in QA and development systems must be managed with the same rigor as that residing in production. And if extending security controls to these systems is not feasible, then data masking is necessary.