When it comes to system development, for example, sensitive data cannot easily be shared with contractors because it must reside inside the firewall on corporate servers, and should only be accessed on a need-to-know basis and most certainly should not be placed in the cloud. Maintaining on-premise hardware may keep data safe within the corporate firewall but costs for dedicated infrastructure go far beyond the hardware dollars and cents to include the opportunity cost of lost efficiency and productivity.
Obviously, when it comes to cloud adoption by enterprise application development teams, concerns are often raised with regards to data security and privacy. Enterprises fear the repercussions of moving data to the cloud, and as is often the case, moving to the cloud is deemed impossible due to the sensitive data ‘requirement’ for test and development. Compliance with standards and regulations (such as HIPAA/HITECH, PCI) is typically cited as one of the key reasons for this hesitance in moving to the cloud.
Removing sensitive data facilitates cloud-based development, flexibility
One solution to this dilemma is the removal of sensitive data from the systems under development prior to migrating those systems to the cloud or prior to sharing them with external resources. By applying data masking (a.k.a. data obfuscation/de-identification), sensitive data is replaced with the realistic data required for development and testing while preventing the original sensitive data from being exposed in those non-production environments. Once your data is masked, the roadblocks that brought your application development project to a screeching halt are removed in a meaningful and responsible way that allows subsequent development, testing and training activities to proceed unhampered.
Data masking can significantly reduce, if not outright eliminate, the risks associated with deploying cloud-based infrastructure for application development. Once in the cloud, your infrastructure can be made to fit the scope (scaled up, down) and type of activity (acceptance testing, penetration testing, development, training, etc.). Your team can also be sized to fit the need as well given that restrictions around who sees sensitive data no longer apply when the data is masked.
At a high-level, a typical data masking process follows the steps below. Although these appear sequential (and in general they are) it is important to note that many organizations apply an iterative approach to data masking.
1. Document the policy/regulatory requirements applicable to your organization.
2. Create a catalog of sensitive data (where it is, what it is, who accesses it, etc.).
3. Determine how the various categories of sensitive data will be masked.
4. Configure and apply data masking rules.
5. Load masked data into cloud.
6. Enjoy the flexibility of on-demand development infrastructure and outsourced collaboration!
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.