Are You Using “Test” Data in the Cloud?

CloudSecurityKeyhole_468Yes, you read that correctly. The word test is in quotation marks, as in “is it really test data that you have in the vendor’s cloud?”. Astonishingly enough, at least 85% of financial institutions are using live data in their test environments [1]. Could this be you and are you protecting your organization against a data breach effectively?

When a cloud technology vendor makes an offhand remark like, “yeah, we can create a test environment for you and load your test data into the cloud while we work through a Non-Disclosure or Proof of Concept agreement with your legal team”, be afraid. Be very afraid.

Now, I’m not knocking the technology vendors. In fact, to them this is a natural part of the engagement. What you have to be aware of is whether your company’s test data is truly “test data” or not. For example, if you’re in the financial or healthcare sectors where a data breach could expose Personal Health Information (PHI) or Personally Identifiable Information (PII), you should understand your test data thoroughly.

Once you understand your test data, think about putting together a more robust agreement with the vendor besides a Non-Disclosure or Proof of Concept agreement. Non-Disclosure and Proof of Concept agreements typically do not contain the language to protect your company against a data breach. A Master Services Agreement or Subscription Services Agreement should be reviewed by your legal or contracts team to determine if your company will be protected while using the vendor’s cloud if there is a breach with regard to the test data.

Karen Hsu of Informatica explains that “because data stored in a cloud-based ‘sandbox’ environment for testing purposes is vulnerable, it should be masked to protect sensitive information” [2]. She recommends using an automated masking tool to assist with the protection of your data. Regardless of what tools you use, your “test” data should be understood before loading any of it into a vendor’s cloud environment.

References:

[1] Dark Reading News. (2010, March). Live Data In Test Environments Is Alive And Well — And Dangerous. Retrieved from http://www.darkreading.com/risk/live-data-in-test-environments-is-alive-and-well—-and-dangerous/d/d-id/1133220?

[2] Hsu, Karen. (2013, March). Masking Test Data in the Cloud. Retrieved from http://www.bankinfosecurity.com/interviews/masking-test-data-in-cloud-i-1822

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s