Another Security Weakness: The Testing Phase
Enterprises often use live data for testing their SAP apps with no security measures in place, a survey finds.
Despite so much concern over data security these days, there's one point of weakness that might not have occurred to many IT managers: their testing process.
Many modern ERP and CRM applications have to be tested with live data, since "dummy" or made-up data typically isn't enough, and that potentially means databases are open to anyone in the testing process.
Adding to this problem is the fact that many development and quality assurance (QA) and testing departments have been outsourced to India and other overseas locations. This puts companies in the bind of using live data to test, or spending the time to make dummy data.
The survey shows that nearly 70 percent of the 175 respondents across 23 countries are concerned about the exposure of sensitive data in non-production environments like testing. Despite these concerns, most survey participants have no plans for improving their security practices.
"Customers have spent all their security dollars on securing their production environment and not given a lot of thought over their non-production environments, where they have a lot less control over who has access to the data and what they do with it," Gamma Executive Vice President Suzanne Swanson told InternetNews.com.
It might seem obvious not to use production data in a testing environment, but generating enough records to properly test SAP applications is just not that easy. SAP customers have databases of five to 10 terabytes or more, and to properly test an application would require many gigabytes of data to fill the data fields in the application, Swanson said.
To address this, Gamma offers InfoShuttle Data Security, which enables organizations to use, customize and create sophisticated rules for masking sensitive information that has been moved into development, testing, training and sandbox environments.
The product provides 24 different rules to scramble data moving across the enterprise while protecting its integrity for use in testing. This involves steps like scrambling names, addresses, social security numbers and other fields while maintaining that data in the live database.
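What scrambling fields "while protecting integrity" can look like in practice, as an added example that is not Gamma's code and is not taken from the article: a keyed, deterministic masking rule set in which the same source value always masks to the same substitute, so joins across tables still work. The HMAC approach, the key, the name pools and the sample records are all assumptions constructed for illustration; the article does not say how InfoShuttle's rules work.

```python
import hashlib
import hmac
import re

# Constructed key; a real one would be kept out of the test environment.
MASKING_KEY = b"constructed-example-key"
# Constructed substitution pools for names.
FIRST = ["Alex", "Blake", "Casey", "Devon", "Emery", "Finley", "Harper", "Jordan"]
LAST = ["Archer", "Brooks", "Carver", "Dalton", "Ellis", "Foster", "Grady", "Hayes"]

def _digest(field, value):
    """Keyed digest of a normalized value; the field name separates rule domains."""
    msg = field.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(MASKING_KEY, msg, hashlib.sha256).digest()

def mask_ssn(ssn):
    """Swap every digit for a keyed pseudorandom one; keep length and separators."""
    stream = iter(_digest("ssn", re.sub(r"\D", "", ssn)))
    return "".join(str(next(stream) % 10) if c.isdigit() else c for c in ssn)

def mask_name(name):
    """Map a real name to a fixed substitute drawn from the constructed pools."""
    d = _digest("name", name)
    return f"{FIRST[d[0] % len(FIRST)]} {LAST[d[1] % len(LAST)]}"

RULES = {"name": mask_name, "ssn": mask_ssn}  # column name -> masking rule

def mask_rows(rows):
    """Apply the rule for each sensitive column; copy every other column as-is."""
    return [{k: RULES[k](v) if k in RULES else v for k, v in r.items()} for r in rows]

# Constructed sample tables that share the SSN as a join key.
CUSTOMERS = [{"id": 1, "name": "Maria Lopez", "ssn": "123-45-6789"},
             {"id": 2, "name": "John Smith", "ssn": "987-65-4321"}]
CLAIMS = [{"claim": "C-100", "ssn": "123456789", "amount": 250},
          {"claim": "C-101", "ssn": "987-65-4321", "amount": 90}]

if __name__ == "__main__":
    for row in mask_rows(CUSTOMERS) + mask_rows(CLAIMS):
        print(row)
```

Because there are only a billion possible nine-digit values, anyone holding the key can rebuild the mapping by exhaustion, so the key has to stay with the team that produces the masked copy and never travel with it.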