Data Privacy Threat in non-production environments
As I mentioned in my initial posting, Security and privacy are amongst the goals on Data Governance— Data privacy protection is a tremendous focus for the IT community today. Organizations are making great strides to protect sensitive data in live application environments. But the “untold story” of implementing protection strategies in non-production (testing, development and training) environments remains a critical risk. As data breach headlines continue to mount, organizations must begin to address the most vulnerable areas of IT infrastructure—non-production environments.
So, what makes non-production environments so unique?
The answer lies in the methods used to create non-production databases. Commonly, live production systems are cloned (copied) to a test environment—confidential data and all. Developers and QA testers find it easy to work with live data because it produces test results that everyone can understand. But this poses a great threat to data privacy. What if the developer / tester shares this data accidentally with another customer while trying to reproduce some scenario?
Solution – Data Masking
Solution lies in understanding that non-production environments actually do not require live data. Using realistic data is essential to testing, but live data values are not specifically necessary. Capabilities for “de-identifying” or masking production data offer a best practice approach for protecting sensitive data while supporting the testing process.
Data masking is the process of systematically transforming confidential data elements such as trade secrets and personally identifying information (PII) into realistic but fictionalized values. Data that has been scrubbed or cleansed in such a manner is considered acceptable to use in non-production environments. Masking enables developers and QA testers to use “production-like” data and produce valid test results, while still complying with privacy protection rules.
Challenges in Data Masking
Data masking represents a simple concept, but it is technically challenging to execute. Most organizations operate within complex, heterogeneous IT environments consisting of multiple, interrelated applications, databases and platforms. IT managers do not always know where confidential data is stored or how it is related across disparate systems. The ideal solution must both discover sensitive data across related data stores and mask it effectively.
The IBM® InfoSphere™ Optim™ Data Masking solution provides comprehensive capabilities for masking sensitive data effectively across non-production environments, while still providing realistic data for use in development, testing or training. When you use InfoSphere Optim to mask confidential data, you protect privacy and safeguard shareholder value.
Optim data masking capability is available through IBM Infosphere Information Server. As of v9.1, all InfoSphere Information Server is shipped with a Data Masking Stage (which includes the required pieces for integrating with Optim Data Privacy).