Do the right thing when testing with production data

I thought I would write a post about organisations not doing the right thing (in my opinion) when they are using production data for carrying out testing. Perhaps I am alone on this one, and I would appreciate any feedback and opinions in the forms of comment.

Now when I talk about production data, I am talking about data that could be considered personal or sensitive data. This could be credit card information, bank details, national insurance number, address, date of birth, medical records, sexual preference, etc. All of this data would be considered highly valuable to a criminal /  fraudster, and as a result should be considered a significant business risk, not to mention the compliance implications regardless of the industry the organisations operate in.

So with this in mind, why is it that so many organisations seem to think that serious consideration doesn’t need to given when it comes to the protection of data when its comes to using production data in a testing environment. Now I fully understand the value of using production data, and the possibly improved quality of testing that can be achieved, however this data shouldn’t be used as is. This data should be removed and sanitised to make it anonymous / de-personalised. This ensures that should the data be compromised, or not cleaned down appropriately or migrated into production this is no real world impact. Also I think we all know that test environments are not often a full representation of a production environment, especially when it comes to security controls.

I have seen this happen in organisations and it can have a real impact on an individual. Put yourself in this situation. Perhaps an organisation who offers health insurance is testing a new premiums engine. They use production data, and kick off testing, changing various parameters, including illness information, and decide to test the impact of having a sexually transmitted disease. Testing then completes, and by some error information is migrated back into production. Next thing the customers knows is they receive a letter saying they can no longer be offered insurance due to being a sufferer of HIV. This information will have been linked with other databases of other organisations, and the domino’s begin to topple.

When we think how something might impact us as an individual we tend to take a little more ownership and care, and I think this is something lacking in alot of organisations. I am not saying creating test data or converting production data for testing purposes is a trivial process, but that doesn’t mean its something that shouldn’t be done. There are various tools and scripts available to do the necessary to production data, and some companies also offer off the shelf test data that may be appropriate.

So next time your involved in testing, make sure you do the right thing. Understand what the goal of testing is, and what the results might look like. Review the data sets that are relevant and the risks and exposures may bring. Then as appropriate do what is needed to mask, scramble, randomise and de-personalise the data. During testing ensure access levels are appropriate, and the necessary logging is in place. Then when all the testing is completed, follow the appropriate steps to clear down the environment ready for next time.

Ideally all this would be clearly defined in security and testing policies and processes, but regardless you will know you are doing the right thing, and this will also help greatly with meeting compliance and regulatory controls. Its probably not considered that this occurs from a consumer level, but doing the right thing could also be considered a marketing benefit.

So rant over, maybe you agree, maybe you don’t, but I would be interested in your comments.

Be Sociable, Share!

3 Responses to “Do the right thing when testing with production data”

  1. Brian Honan says:

    Dale

    One important factor many organisations within the EU forget is that under the Data Protection Directive they are obliged to ensure that production data is not used in development or testing. If not possible to do this then the organisation needs to have the same security measures in place for the “test” data as it does for production data. Lots of issues to consider especially when it comes to outsourcing testing and development to non-EU providers.

  2. Dale says:

    Brian,
    this is an excellent point and exactly what I mean when I mention regulatory compliance. I think we all know that in the past the DPA in the UK has not been enforced, and a large number of organisations are not meeting their obligations in this respect. With the ICO’s new set of teeth, it will be interesting to see what happens in 2010.

    Thanks for your comment 🙂

  3. […] This post was mentioned on Twitter by BrianHonan, Tomasz Miklas and Brendan Lally, Dale Pearson. Dale Pearson said: Blog Post – Do the right think when testing with production data – http://is.gd/7tWux – Comments / Thoughts / Opinions encouraged. […]

Leave a Reply

Your email address will not be published. Required fields are marked *