I thought I would write a post about organisations not doing the right thing (in my opinion) when they are using production data for carrying out testing. Perhaps I am alone on this one, and I would appreciate any feedback and opinions in the form of comments.
Now when I talk about production data, I am talking about data that could be considered personal or sensitive data. This could be credit card information, bank details, national insurance number, address, date of birth, medical records, sexual preference, etc. All of this data would be considered highly valuable to a criminal / fraudster, and as a result should be considered a significant business risk, not to mention the compliance implications regardless of the industry the organisations operate in.
So with this in mind, why is it that so many organisations seem to think that serious consideration doesn’t need to be given to the protection of data when it comes to using production data in a testing environment? Now I fully understand the value of using production data, and the possibly improved quality of testing that can be achieved, however this data shouldn’t be used as is. This data should be removed and sanitised to make it anonymous / de-personalised. This ensures that should the data be compromised, or not cleaned down appropriately, or migrated into production, there is no real-world impact. Also I think we all know that test environments are not often a full representation of a production environment, especially when it comes to security controls.
I have seen this happen in organisations and it can have a real impact on an individual. Put yourself in this situation. Perhaps an organisation that offers health insurance is testing a new premiums engine. They use production data, and kick off testing, changing various parameters, including illness information, and decide to test the impact of having a sexually transmitted disease. Testing then completes, and by some error, information is migrated back into production. Next thing the customer knows is they receive a letter saying they can no longer be offered insurance due to being a sufferer of HIV. This information will have been linked with other databases of other organisations, and the dominoes begin to topple.
When we think how something might impact us as an individual we tend to take a little more ownership and care, and I think this is something lacking in a lot of organisations. I am not saying creating test data or converting production data for testing purposes is a trivial process, but that doesn’t mean it’s something that shouldn’t be done. There are various tools and scripts available to do the necessary to production data, and some companies also offer off-the-shelf test data that may be appropriate.
So next time you’re involved in testing, make sure you do the right thing. Understand what the goal of testing is, and what the results might look like. Review the data sets that are relevant and the risks and exposures they may bring. Then as appropriate do what is needed to mask, scramble, randomise and de-personalise the data. During testing ensure access levels are appropriate, and the necessary logging is in place. Then when all the testing is completed, follow the appropriate steps to clear down the environment ready for next time.
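As an illustration of the mask / scramble / de-personalise step, here is a small sketch added to this post (example code, not a specific tool or product). The field names, the `999999` card prefix and the sample record are all assumptions made up for the example.

```python
import hashlib
import hmac
import secrets

def new_masking_key() -> bytes:
    # One random key per test-data refresh; keep it out of the test environment.
    return secrets.token_bytes(32)

def _digest(key: bytes, field: str, value: str) -> bytes:
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()

def pseudonym(key: bytes, field: str, value: str) -> str:
    # Same input and key give the same token, so joins between tables still work.
    return _digest(key, field, value).hex()[:12]

def luhn_check_digit(body: str) -> str:
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def fake_card(key: bytes, card_number: str) -> str:
    # "999999" is a marker prefix chosen for this example so masked values stand out.
    n = int.from_bytes(_digest(key, "card", card_number)[:8], "big") % 10**9
    body = "999999" + f"{n:09d}"
    return body + luhn_check_digit(body)

def mask_record(key: bytes, rec: dict) -> dict:
    # Build the output from an explicit allow-list: any field not handled here
    # (medical notes, free text, new columns) is dropped rather than copied.
    return {
        "customer_id": pseudonym(key, "customer_id", rec["customer_id"]),
        "name": "Customer " + pseudonym(key, "name", rec["name"]),
        "birth_year": rec["date_of_birth"][:4],  # generalised: year only
        "card_number": fake_card(key, rec["card_number"]),
        "ni_number": pseudonym(key, "ni_number", rec["ni_number"]),
        "premium_band": rec["premium_band"],     # non-identifying, needed by the test
    }

# Constructed sample record; none of these values belong to a real person.
SAMPLE = {
    "customer_id": "C-000123", "name": "Alex Example",
    "date_of_birth": "1980-04-17", "card_number": "4111111111111111",
    "ni_number": "QQ123456C", "premium_band": "B",
    "medical_notes": "constructed free-text note",
}

if __name__ == "__main__":
    print(mask_record(new_masking_key(), SAMPLE))
```

Anyone holding the key can recompute tokens for guessed inputs, so treat the key as production-sensitive and discard it once the load is done if stable tokens are not needed across refreshes.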
Ideally all this would be clearly defined in security and testing policies and processes, but regardless you will know you are doing the right thing, and this will also help greatly with meeting compliance and regulatory controls. It’s probably not considered that this occurs from a consumer level, but doing the right thing could also be considered a marketing benefit.
So rant over, maybe you agree, maybe you don’t, but I would be interested in your comments.