Overcoming the data privacy obstacle to cloud based test and development


How many times have data security and privacy constraints brought your key application development initiatives to a screeching halt? It usually occurs right around the time when contractors or outsourced vendors are called in to test the latest features or train users on major system enhancements but they are unable to do so. Why? The sensitive data that has traditionally been used to facilitate such activities now comes with some serious strings attached. Your implementation timeline stretches on and your rollout is in serious jeopardy as you struggle to find the in-house resources (both human and compute) to somehow finish the project.

When it comes to system development, for example, sensitive data cannot easily be shared with contractors because it must reside inside the firewall on corporate servers, should only be accessed on a need-to-know basis, and most certainly should not be placed in the cloud. Maintaining on-premise hardware may keep data safe within the corporate firewall, but costs for dedicated infrastructure go far beyond the hardware dollars and cents to include the opportunity cost of lost efficiency and productivity.

Obviously, when it comes to cloud adoption by enterprise application development teams, concerns are often raised with regard to data security and privacy. Enterprises fear the repercussions of moving data to the cloud, and as is often the case, moving to the cloud is deemed impossible due to the sensitive data “requirement” for test and development. Compliance with standards and regulations (such as HIPAA/HITECH, PCI) is typically cited as one of the key reasons for this hesitance in moving to the cloud.

Removing sensitive data facilitates cloud-based development, flexibility
One solution to this dilemma is the removal of sensitive data from the systems under development prior to migrating those systems to the cloud or prior to sharing them with external resources. By applying data masking (a.k.a. data obfuscation/de-identification), sensitive data is replaced with the realistic data required for development and testing while preventing the original sensitive data from being exposed in those non-production environments. Once your data is masked, the roadblocks that brought your application development project to a screeching halt are removed in a meaningful and responsible way that allows subsequent development, testing and training activities to proceed unhampered.

Data masking can significantly reduce, if not outright eliminate, the risks associated with deploying cloud-based infrastructure for application development. Once in the cloud, your infrastructure can be made to fit the scope (scaled up, down) and type of activity (acceptance testing, penetration testing, development, training, etc.). Your team can also be sized to fit the need, given that restrictions around who sees sensitive data no longer apply when the data is masked.

At a high-level, a typical data masking process follows the steps below. Although these appear sequential (and in general they are) it is important to note that many organizations apply an iterative approach to data masking.

1. Document the policy/regulatory requirements applicable to your organization.

2. Create a catalog of sensitive data (where it is, what it is, who accesses it, etc.).

3. Determine how the various categories of sensitive data will be masked.

4. Configure and apply data masking rules.

5. Load masked data into cloud.

6. Enjoy the flexibility of on-demand development infrastructure and outsourced collaboration!
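
Steps 2 through 4, plus a leak check before step 5, sketched as an added example that is not part of the original article. The schema, key, rule names and sample rows are all hypothetical; the keyed, deterministic substitution shown is one common masking approach, chosen here so that joins between tables still work after masking.

```python
import hashlib
import hmac
import itertools

# Assumption: the key stays on-premise and is never shipped with the masked data.
MASKING_KEY = b"constructed-demo-key"

# Step 2: catalog of sensitive columns and their categories (hypothetical schema).
CATALOG = {"name": "person_name", "email": "email", "ssn": "national_id"}
FAKE_NAMES = ["Alex Morgan", "Sam Rivera", "Jordan Lee", "Casey Kim"]

def _digest(category, value):
    """Keyed digest: stable per input, not reversible without the key."""
    msg = f"{category}:{value}".encode()
    return hmac.new(MASKING_KEY, msg, hashlib.sha256).digest()

# Step 3: one masking rule per category.
def mask_name(value):
    return FAKE_NAMES[_digest("person_name", value)[0] % len(FAKE_NAMES)]

def mask_email(value):
    return "user_" + _digest("email", value).hex()[:12] + "@example.test"

def mask_digits(value):
    """Swap every digit but keep separators, so format checks still pass."""
    stream = itertools.cycle(_digest("national_id", value))
    return "".join(str(next(stream) % 10) if c.isdigit() else c for c in value)

RULES = {"person_name": mask_name, "email": mask_email, "national_id": mask_digits}

# Step 4: apply the rules; columns not in the catalog pass through untouched.
def mask_row(row):
    return {c: RULES[CATALOG[c]](v) if c in CATALOG else v for c, v in row.items()}

# Gate before step 5: cataloged originals that still appear in the masked set.
def leaked_values(original_rows, masked_rows):
    sensitive = {r[c] for r in original_rows for c in CATALOG if c in r}
    return sensitive & {v for r in masked_rows for v in r.values()}

# Constructed sample data: two tables that join on email.
CUSTOMERS = [
    {"id": 1, "name": "Jane Example", "email": "jane@corp.example", "ssn": "123-45-6789", "plan": "gold"},
    {"id": 2, "name": "Raj Sample", "email": "raj@corp.example", "ssn": "987-65-4321", "plan": "basic"},
]
ORDERS = [{"order_id": 10, "email": "jane@corp.example", "total": 42}]

if __name__ == "__main__":
    masked = [mask_row(r) for r in CUSTOMERS] + [mask_row(r) for r in ORDERS]
    print(masked, "leaks:", leaked_values(CUSTOMERS + ORDERS, masked))
```

Because the substitution is deterministic, anyone holding the key can re-derive the mapping for a guessed input, so the key needs the same protection as the source data.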

Things to keep in mind in preparing your development environment for the cloud
A key but often overlooked aspect of this whole process is that organizations need to address sensitive data at the very earliest stages of the application development or upgrade process. The reality is that much like system documentation, protecting sensitive information during the development process tends to be an afterthought. It’s this “afterthought” that gives the privacy and security folks heartburn and forces them to send you back to the drawing board.

Automation is also important, both when cataloging your sensitive data and when masking it in preparation for cloud deployment. Be prepared for some level of manual effort at this stage in the form of input from your subject matter experts, but automated sensitive data search/discovery tools exist that significantly ease the burden of manual analysis.

Also bear in mind that, like many enterprise-wide technology initiatives, a phased approach to adopting cloud-based development infrastructure improves your chances of success. It doesn’t have to be an all-or-nothing approach. Proceeding through the six steps outlined above on a focused set of applications/initiatives will help you identify “gotchas” and best practices that will lead to broader success in the cloud.

  • Data masking technology is well suited for preparing data prior to deploying the data to cloud-based development environments
  • Ensure your sensitive data landscape is well understood by cataloging your sensitive data (via a sensitive data discovery initiative)
  • While masking is not point-and-click, it can be readily undertaken in-house or with outside help
  • Masking removes a crucial impediment to cloud adoption for test/development processes but it can be used on-premise as well.
  • Sensitive data discovery is important in ensuring appropriate coverage and can raise questions within the organization on the current risk landscape that need to be addressed prior to cloud deployment.