www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
02 June 2008  
Vendor Accent

The unseen privacy crisis

Paul Vallely on how the use of live data for application development and testing is putting businesses at risk

During the past several years, the issue of the inappropriate and unlawful use of private consumer data including identity and credit information has become a national crisis. It is commonplace to see media reports of confidential consumer information leaked or stolen from financial institutions, mortgage and real estate businesses and a bevy of others. Compounding this problem is the continued explosion in Web-based e-commerce applications that routinely contain social security numbers, birth dates, addresses and credit card information. From major retailers to the local shoe store, confidential data are being hacked, stolen, compromised or simply lost.

Because of the critical nature of this problem, a considerable amount of legislation – including the Sarbanes-Oxley Act, HIPAA and the Gramm-Leach-Bliley Act – was passed to, among other things, govern how organizations protect confidential data. Unfortunately, most of the attention is focused on protecting ‘production’ data, or data already in use in established software applications. While protecting production data is indeed significantly important, another aspect of data privacy – the protection of data used during the development and testing of software applications – is equally important but has regrettably received much less attention.

Gartner’s report entitled Understanding Data Leakage states: “The greater the value or usefulness of data outside of an organization, the more likely it is that someone will try to steal it. If the data can be sold, then it clearly has economic significance. If it can be used for competitive advantage, then it has an indirect economic significance.” The report adds: “Information doesn’t have to be economically valuable to be of high interest to outsiders—it can also have social or political significance that would be harmful to the organization if the information became available to someone motivated to publicize it or use it for blackmail.”

Few people outside of the IT industry give much thought to how applications are tested. Most assume organizations fully test their applications prior to putting them into operation. While this is increasingly the case, demonstrated by the fact that automated testing is one of the largest segments of the application development market, it is more common for organizations to deploy recently developed applications and then test them at a testing facility or a system integrator’s site. In the majority of situations, currently active customer data is used to test these applications.

Using live customer data to test applications is a potential disaster waiting to happen. While organizations may think their test data is immune from privacy threats because testing occurs in a non-production environment, the fact is that test data is typically a copy or subset of production data. Test environments are less secure and can expose critical data to a variety of unauthorized sources, including in-house testing staff, consultants, partners, and support personnel. Compounding this problem is the fact that an increasing amount of software testing is now outsourced to independent testing firms, many of which are offshore. This exposes organizations – and their customers, employees and vendors – to substantial risk, liability and public disgrace.

Test data privacy research

To better understand the magnitude of this crisis, the Compuware Corporation recently collaborated with the Ponemon Institute LLC to research and understand the seriousness of this problem. Ponemon conducted a Compuware-sponsored survey that studied this issue in the US, UK, France and Germany. The study surveyed 897 senior IT professionals with an average of 10 years’ experience in the field and more than five years of experience in the software development, testing or information management fields.

The study revealed some interesting, and startling, facts, including:

  • More than 60% of those surveyed confirmed that they are using actual customer information for development and almost 70% confirmed that they are using similar customer data for testing.
  • 89% of companies that use actual live data during testing use customer records. These data files tend to be large, often exceeding 1 million records.
  • 50% do not believe that their company is successful at protecting the data used during testing and development.
  • 38% of respondents were unsure if live data their organization used for testing or development had been lost or stolen.
  • Of those firms that are outsourcing application testing, almost half (49%) shared live data with the outsourcer.

Recommendations

Protecting your sensitive data is crucial, but it can be difficult for a variety of reasons. The data may be dispersed across many platforms and be very complex. No one in the organization may have ownership of the process, or you may not be able to interpret the compliance regulations. Because of these challenges, a one-size-fits-all approach cannot be used for all data privacy issues. However, protecting this sensitive data is vital.

What can organizations do about this pending crisis? The first step is to recognize that this is in fact a problem. All of the media attention that has resulted from the inappropriate and unlawful use of private consumer data has begun to increase awareness. Companies around the globe are now recognizing that they are putting themselves and their customers, employees, and business partners at serious risk.

Second, IT departments need to understand that they are also at risk and that they must research and adopt best practices and processes to ensure the data they use to test their applications remains confidential. For new development, this begins at the requirements stage. For existing applications, this involves masking and disguising potentially sensitive data before releasing it for use in testing. In all situations, the processes need to be documented so that an organization can demonstrate compliance.

Third, companies need to require that their development partners and outsourcers rigorously adhere to a set of policies that eliminate the use of live sensitive data during the testing process. More and more software testing is outsourced, with many of the outsourcers located offshore. This serious risk is best managed by implementing documented processes and compliance auditing.

Finally, companies at risk need to consider technological answers to meet this challenge. Technology tools designed to transform or mask sensitive or confidential data without diminishing the validity of that data set for testing purposes can eliminate the organization’s risk without inhibiting a thorough and accurate testing process.
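As an added illustration of the masking approach described in the two preceding recommendations (example code written for this article's editing, not Compuware's tooling or the author's), the script below masks a small constructed customer extract while keeping the properties tests depend on: field layout, card issuer prefix and Luhn checksum, and consistent customer identifiers across joined tables. The table and column names and the masking key are assumptions.

```python
import hmac
import hashlib

MASK_KEY = b"placeholder-key-managed-outside-test-env"  # assumed placeholder, not a real secret

def _digits(value, n):
    """Keyed, deterministic n-digit string for value (HMAC-SHA256): the same
    input always yields the same output, so joins across tables survive masking."""
    mac = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % 10 ** n).zfill(n)

def luhn_valid(pan):
    """True when the card number passes the Luhn checksum used by card validators."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_ssn(ssn):
    """Replaces every digit but keeps the NNN-NN-NNNN layout."""
    return "-".join(_digits(ssn + tag, n) for tag, n in (("a", 3), ("b", 2), ("c", 4)))

def mask_card(pan):
    """Keeps length and issuer prefix (first 6 digits), replaces the account
    number, and recomputes the Luhn check digit so format validation still passes."""
    body = pan[:6] + _digits(pan, len(pan) - 7)
    for check in "0123456789":
        if luhn_valid(body + check):
            return body + check

def mask_extract(customers, orders):
    """Masks a customer table and its dependent orders table consistently."""
    id_map = {c["customer_id"]: "C" + _digits(c["customer_id"], 8) for c in customers}
    masked_customers = [{"customer_id": id_map[c["customer_id"]],
                         "ssn": mask_ssn(c["ssn"]),
                         "card": mask_card(c["card"])} for c in customers]
    masked_orders = [{"order_id": o["order_id"],
                      "customer_id": id_map[o["customer_id"]],
                      "amount": o["amount"]} for o in orders]
    return masked_customers, masked_orders

# Constructed sample extract (not real data); 4111111111111111 is a well-known test PAN.
CUSTOMERS = [{"customer_id": "1001", "ssn": "123-45-6789", "card": "4111111111111111"},
             {"customer_id": "1002", "ssn": "987-65-4321", "card": "5555555555554444"}]
ORDERS = [{"order_id": "1", "customer_id": "1001", "amount": 42.50},
          {"order_id": "2", "customer_id": "1001", "amount": 7.99}]
```

Because the mapping is keyed and one-way, the masked extract can be handed to an outsourced test team without the original identifiers, while every order still joins to its (masked) customer.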

Testing is a mandatory step for ensuring that today’s applications work as intended. As more organizations recognize the risk of using live data, and that there are proven steps for masking and protecting this data, the Unseen Privacy Crisis can be averted.

The author is Solution Sales Director, Test Data Privacy, Compuware Corporation paul.vallely@compuware.com
