We all know that we need to protect employee and customer data from unauthorized access. We are also aware that there are many rules around storing and transmitting healthcare and credit card data. Most of us have gone to great lengths to put security controls in place on our Production environments to protect this sensitive data in accordance with the applicable policies, rules, and regulations.
What have you done to protect the data on your non-production networks? If you have a test / QA environment that is used for functional, security, and user acceptance testing, what data is being used to ensure testing is against the “exact” data that is in Production? Some enterprises use an extract of the Production data in the lower landscapes for their testing. Are all of the same security controls in place in the test / QA environment? Or have the controls around privileged access been relaxed to make testing easier? Or maybe you have (probably relaxed) password standards in the test environment?
What about the development environment? I am guessing the security controls are even more relaxed for DEV. The developers probably have access to just about everything and are able to manipulate the security controls to make their job easier. Where did the data they are developing against come from? Was it copied straight from Prod, or was it scrambled? Or maybe, if you are lucky, the developers just created their own data to use.
I understand the need to use properly formatted data... but if you are going to use any sensitive data from the Production environment (the employee database for an HR system, sensitive company data for an ERP system, customer data for a customer relationship database, etc.), make sure it is scrambled in some manner so that it looks like random data. Also, don't allow the key security controls to be removed in the lower landscapes; make the developers and testers understand the need for the controls.
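One way to put the "scramble it, but keep it properly formatted" advice into practice, as an added example that is not part of the original post: a small Python masking step run on the extract before it leaves Production. The column names, the masking key and the two sample rows are constructed for illustration. It keeps formats intact (SSN separators, a Luhn-valid card number, a syntactically valid email on the reserved .test domain) so functional tests still work, and derives every fake value from a keyed HMAC so the same real value always maps to the same fake one and joins across tables survive.

```python
"""Deterministic, format-preserving masking for Production extracts headed
to DEV or QA.  Added example, not from the original post; the column names,
masking key and sample rows below are constructed for illustration."""
import hashlib
import hmac
import re

# Assumed: this key lives only on the host that builds the extract and is
# never copied to the lower landscape, so nobody there can reverse the mapping.
MASK_KEY = b"constructed-example-key-rotate-per-refresh"

FIRST_NAMES = ["Alex", "Casey", "Jordan", "Morgan", "Riley", "Sam", "Taylor", "Quinn"]
LAST_NAMES = ["Adams", "Baker", "Clark", "Diaz", "Evans", "Foster", "Gray", "Hill"]


def _prf(key: bytes, label: str, value: str) -> bytes:
    """Keyed PRF: HMAC-SHA256 over (column label, value).  Same key and value
    give the same output, so foreign keys between masked tables still join;
    the label keeps an SSN and a phone number with equal digits from colliding."""
    return hmac.new(key, label.encode() + b"\x00" + value.encode(), hashlib.sha256).digest()


def mask_digits(value: str, key: bytes, label: str) -> str:
    """Replace each digit with a key-derived digit, keeping separators in place
    so format checks such as NNN-NN-NNNN still pass.  digest[i] % 10 has a
    slight bias, which is acceptable here: the goal is unlinkability, not a CSPRNG."""
    digest = _prf(key, label, value)
    out, n = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(str(digest[n % len(digest)] % 10))
            n += 1
        else:
            out.append(ch)
    return "".join(out)


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost payload digit is the first one doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    digits = re.sub(r"\D", "", number)
    return len(digits) > 1 and luhn_check_digit(digits[:-1]) == digits[-1]


def mask_card_number(pan: str, key: bytes) -> str:
    """Mask a card number but recompute the Luhn digit, so payment-form
    validation in QA still accepts the value while the real PAN is gone."""
    masked = mask_digits(pan, key, "pan")
    digits = re.sub(r"\D", "", masked)
    check = luhn_check_digit(digits[:-1])
    last = max(i for i, c in enumerate(masked) if c.isdigit())
    return masked[:last] + check + masked[last + 1:]


def mask_email(email: str, key: bytes) -> str:
    """Pseudonymous local part on the reserved .test TLD (RFC 2606), so a
    QA notification job can never mail a real customer."""
    return "user-" + _prf(key, "email", email.lower()).hex()[:10] + "@example.test"


def mask_name(name: str, key: bytes) -> str:
    """Pick a synthetic name deterministically from the keyed digest."""
    digest = _prf(key, "name", name)
    return f"{FIRST_NAMES[digest[0] % len(FIRST_NAMES)]} {LAST_NAMES[digest[1] % len(LAST_NAMES)]}"


# Which rule applies to which column.  Anything not listed is copied through,
# so a new column has to be reviewed and added here before it reaches DEV/QA.
RULES = {
    "name": mask_name,
    "email": mask_email,
    "ssn": lambda v, k: mask_digits(v, k, "ssn"),
    "card_number": mask_card_number,
}


def mask_record(record: dict, key: bytes = MASK_KEY) -> dict:
    return {col: RULES[col](val, key) if col in RULES else val for col, val in record.items()}


def mask_rows(rows, key: bytes = MASK_KEY):
    return [mask_record(r, key) for r in rows]


# Constructed sample rows standing in for a Production extract.
SAMPLE_ROWS = [
    {"employee_id": 1001, "name": "Jane Example", "email": "Jane.Example@corp.example",
     "ssn": "123-45-6789", "card_number": "4111 1111 1111 1111", "department": "Finance"},
    {"employee_id": 1002, "name": "John Sample", "email": "john.sample@corp.example",
     "ssn": "987-65-4321", "card_number": "5500 0000 0000 0004", "department": "Sales"},
]

if __name__ == "__main__":
    for row in mask_rows(SAMPLE_ROWS):
        print(row)
```

The key is the whole secret: keep it out of the lower landscapes, rotate it on each refresh so two extracts cannot be correlated, and treat any column missing from RULES as a decision someone has to make before that column is allowed through.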
Until next time...