Overcoming the data privacy obstacle to cloud based test and development
by Steve Pomroy - Senior Solutions Architect at Camouflage Software - Tuesday, 26 November 2013.
How many times have data security and privacy constraints brought your key application development initiatives to a screeching halt? It usually occurs right around the time when contractors or outsourced vendors are called in to test the latest features or train users on major system enhancements but they are unable to do so. Why? The sensitive data that has traditionally been used to facilitate such activities now comes with some serious strings attached. Your implementation timeline stretches on and your rollout is in serious jeopardy as you struggle to find the in-house resources (both human and compute) to somehow finish the project.

When it comes to system development, for example, sensitive data cannot easily be shared with contractors because it must reside inside the firewall on corporate servers, and should only be accessed on a need-to-know basis and most certainly should not be placed in the cloud. Maintaining on-premise hardware may keep data safe within the corporate firewall but costs for dedicated infrastructure go far beyond the hardware dollars and cents to include the opportunity cost of lost efficiency and productivity.

Obviously, when it comes to cloud adoption by enterprise application development teams, concerns are often raised with regards to data security and privacy. Enterprises fear the repercussions of moving data to the cloud, and as is often the case, moving to the cloud is deemed impossible due to the sensitive data ‘requirement’ for test and development. Compliance with standards and regulations (such as HIPAA/HITECH, PCI) is typically cited as one of the key reasons for this hesitance in moving to the cloud.

Removing sensitive data facilitates cloud-based development, flexibility

One solution to this dilemma is the removal of sensitive data from the systems under development prior to migrating those systems to the cloud or prior to sharing them with external resources. By applying data masking (a.k.a. data obfuscation/de-identification), sensitive data is replaced with the realistic data required for development and testing while preventing the original sensitive data from being exposed in those non-production environments. Once your data is masked, the roadblocks that brought your application development project to a screeching halt are removed in a meaningful and responsible way that allows subsequent development, testing and training activities to proceed unhampered.

Data masking can significantly reduce, if not outright eliminate, the risks associated with deploying cloud-based infrastructure for application development. Once in the cloud, your infrastructure can be made to fit the scope (scaled up, down) and type of activity (acceptance testing, penetration testing, development, training, etc.). Your team can also be sized to fit the need as well given that restrictions around who sees sensitive data no longer apply when the data is masked.

At a high-level, a typical data masking process follows the steps below. Although these appear sequential (and in general they are) it is important to note that many organizations apply an iterative approach to data masking.

1. Document the policy/regulatory requirements applicable to your organization.
2. Create a catalog of sensitive data (where it is, what it is, who accesses it, etc.).
3. Determine how the various categories of sensitive data will be masked.
4. Configure and apply data masking rules.
5. Load masked data into cloud.
6. Enjoy the flexibility of on-demand development infrastructure and outsourced collaboration!


How to talk infosec with kids

Posted on 17 September 2014.  |  It's never too early to talk infosec with kids: you simply need the right story. In fact, as cyber professionals it’s our duty to teach ALL the kids in our life about technology. If we are to make an impact, we must remember that children needed to be taught about technology on their terms.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.


Thu, Sep 18th