Test Data Management – Security Compliance whilst performing production Data Extraction / Data Anonymisation using Tools
Test Data Management is a challenge for all large end-to-end test engagements, and it is even trickier in transformational engagements. One way to create data is the non-intrusive method of completing end-to-end journeys, which produces data records that are systemically integrated with regard to data integrity, cardinality, ER compliance etc. More often, though, the industry uses extracts from production, aiming at complete data sets with current master or reference data instead of trying to recreate test data.
This blog is the first of two focusing on the challenges with this approach from a Data Security and Protection perspective. Part one takes a high-level look at the types of data to be considered and then discusses possible tool alternatives to resolve these challenges along with criteria to select such tools. Part two (to be published in a couple of days) then presents a case study of an actual implementation of a Test Data Management tool and the results achieved.
In case of production data extracts for testing, how do you manage, maintain and support strict PII (Personally Identifiable Information) protection rules?
PII normally includes most of the details in your wallet, such as full name, national identification number, driver’s license number, biometric data such as face/iris scans, fingerprints or handwriting, along with credit card numbers, digital identities, date of birth, birthplace, genetic information, addresses etc. – the exact definition depends on the country the data originates from and is unfortunately subject to interpretation.
Do not assume that your application holds no critical data from a data protection perspective just because you don’t use offshore resources or no personal data is involved – different regulations govern who is allowed to see what (on a “need-to-know” basis), which can exclude even internal employees in some cases.
Also think about competitive information or other non-public data that shouldn’t be seen outside of your organisation – who defines these boundaries for you?
For the sake of this article (and since we are by no means lawyers, do not interpret anything in this blog as legal advice) we will not differentiate between the different categories and the way to treat them.
Other regulatory compliance requirements that may need to be supported include PCI-DSS, HER, the EU Data Protection Directive, HIPAA, GLBA and Sarbanes-Oxley. These come on top of security risk mitigation requirements, such as whether the test data is for in-house development or outsourced to a third party with data accessed remotely, and how the physical and logical access controls have been set up. Remember, it’s not only about regulatory or legal risks but about the risk to the enterprise in terms of business continuity, reputation loss and financial loss if data is compromised.
In the midst of Big Data, there are a good number of tools and approaches available to support some parts of these challenges. Do you really want to write custom programs to mask your hundreds of TB of data?
Let’s use an example that was part of a test transformation program for a leading mobile services provider to showcase the approach. At first we ran a proof-of-concept for Data Anonymisation / Obfuscation solutions. These solutions were evaluated against functional, technical and non-functional requirements and characteristics. We also defined a key use case for designing the Data Masking solution in compliance with stringent Data Security & Privacy constraints and Data Utility requirements.
Some of the functional/technical and non-functional characteristics we evaluated were:
Support for Application Relationship/Referential Integrity: Ensures data is masked consistently across data sources and maintains referential integrity
Data Uniqueness: Ensures that masked data does not create collisions in unique identifying data fields (e.g. primary key)
Data Format Preserving: Ensures that the masked data has the same format, look and feel as the original data
Non-Reversibility: Ensures that the data transformation is a one-way path (though some of the tools have features for reversibility that need to be switched off)
Consistency and Repeatability: Ensures masking of a specific data value produces the same masked value every time
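The five characteristics above, as an added Python example that is not part of the original post or of any tool the authors evaluated: a keyed, deterministic, format-preserving masking function applied across two related tables, with a uniqueness check on the masked key. The key, the table layout and the sample records are constructed for illustration.

```python
import hashlib
import hmac
import string

# Constructed key for illustration only; keep the real one in a secrets store and never
# ship it to the test environment, so masked values cannot be reproduced from there.
MASK_KEY = b"illustrative-masking-key-not-for-production"

def _keystream(value: str, key: bytes, n: int) -> bytes:
    """HMAC-SHA256 expanded to n bytes: same value + key -> same bytes, no inverse without the key."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, f"{counter}:{value}".encode("utf-8"), hashlib.sha256).digest()
        counter += 1
    return out

def mask_format_preserving(value: str, key: bytes = MASK_KEY) -> str:
    """Digit -> digit, letter -> letter of the same case, separators kept, so length and
    look and feel match the original. (b % 10 / b % 26 has a small modulo bias: fine for
    masking, not for cryptographic use.)"""
    out = []
    for ch, b in zip(value, _keystream(value, key, len(value))):
        if ch.isdigit():
            out.append(string.digits[b % 10])
        elif ch.isupper():
            out.append(string.ascii_uppercase[b % 26])
        elif ch.islower():
            out.append(string.ascii_lowercase[b % 26])
        else:
            out.append(ch)
    return "".join(out)

def mask_tables(tables: dict, pii_columns: set, key: bytes = MASK_KEY) -> dict:
    """Mask the named columns in every table. Deterministic masking means a customer_id in
    customers maps to the same masked value in orders, preserving referential integrity."""
    return {name: [{col: mask_format_preserving(val, key) if col in pii_columns else val
                    for col, val in row.items()} for row in rows]
            for name, rows in tables.items()}

def find_collisions(rows: list, column: str) -> dict:
    """Uniqueness check: masked values that now occur in more than one row."""
    seen = {}
    for row in rows:
        seen.setdefault(row[column], []).append(row)
    return {val: hits for val, hits in seen.items() if len(hits) > 1}

# Constructed sample extract, not real customer data.
CUSTOMERS = [{"customer_id": "C1001", "name": "Jane Doe", "card": "4111-1111-1111-1111"},
             {"customer_id": "C1002", "name": "John Roe", "card": "5500-0000-0000-0004"}]
ORDERS = [{"order_id": "O1", "customer_id": "C1001"}, {"order_id": "O2", "customer_id": "C1002"}]
MASKED = mask_tables({"customers": CUSTOMERS, "orders": ORDERS}, {"customer_id", "name", "card"})
```

Deterministic masking preserves equality across tables by design, so the key must never reach the test environment; with the key, anyone can recompute the mapping and the non-reversibility property is lost.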
Accenture and Author Profiles
Accenture is a global management consulting, technology services and outsourcing company with more than 266,000 people in 54 countries. Accenture Test Services has been providing testing services for more than two decades, both on-site and through our Global Delivery Network with more than 16,000 dedicated testing professionals.
Kalilur Rahman is a Senior Manager working for Accenture. Kalilur is a seasoned IT professional with 17+ years of experience in the Telecommunications industry, working for wireline, wireless, cable, MSO and terrestrial carriers and industry standardisation leaders across a myriad of telecommunications functional areas. He has played vital IT Delivery roles in complex programs, covering all SDLC phases. Currently he is heading a large Test Centre of Excellence for an Accenture client. In his recent role as an End-to-end Program Test Manager for a large Retail Logistics transformation program, Kalilur led the Oracle Retail Rollout for a global mobile telecom client. During the test delivery of the world’s fastest Oracle Retail rollout (at the time of writing this article), Kalilur led the test delivery team supporting the client’s testing service towards TMMi level-4 accreditation. As a firm believer in “Knowledge is Power”, he is passionate about writing and sharing his knowledge. He is an active member of the TeleManagement Forum and has contributed to a lot of internal initiatives in the organisations he has worked for.
Matthias Rasking leads Accenture Application Testing Services in Europe, Middle East and Africa. With more than 14 years of experience in the Testing and Quality Assurance space, Matthias has supported many multi-national clients in various industries in becoming high-performing businesses by establishing a structured and strategic approach to quality assurance. He supports the ASQF (a German organisation dedicated to Software Quality) in their Test Data Management working group and furthermore is the Deputy Chair of the Technical work stream regarding Model Development at the TMMi Foundation.