Yes, you read that correctly. The word test is in quotation marks, as in “is it really test data that you have in the vendor’s cloud?”. Astonishingly enough, at least 85% of financial institutions are using live data in their test environments [1]. Could this be you and are you protecting your organization against a data breach effectively?
When a cloud technology vendor makes an offhand remark like, “yeah, we can create a test environment for you and load your test data into the cloud while we work through a Non-Disclosure or Proof of Concept agreement with your legal team”, be afraid. Be very afraid.
Now, I’m not knocking the technology vendors. In fact, to them this is a natural part of the engagement. What you have to be aware of is whether your company’s test data is truly “test data” or not. For example, if you’re in the financial or healthcare sectors where a data breach could expose Personal Health Information (PHI) or Personally Identifiable Information (PII), you should understand your test data thoroughly.
Once you understand your test data, think about putting together a more robust agreement with the vendor besides a Non-Disclosure or Proof of Concept agreement. Non-Disclosure and Proof of Concept agreements typically do not contain the language to protect your company against a data breach. A Master Services Agreement or Subscription Services Agreement should be reviewed by your legal or contracts team to determine if your company will be protected while using the vendor’s cloud if there is a breach with regard to the test data.
Karen Hsu of Informatica explains that “because data stored in a cloud-based ‘sandbox’ environment for testing purposes is vulnerable, it should be masked to protect sensitive information” [2]. She recommends using an automated masking tool to assist with the protection of your data. Regardless of what tools you use, your “test” data should be understood before loading any of it into a vendor’s cloud environment.
References:
[1] Dark Reading News. (2010, March). Live Data In Test Environments Is Alive And Well — And Dangerous. Retrieved from http://www.darkreading.com/risk/live-data-in-test-environments-is-alive-and-well—-and-dangerous/d/d-id/1133220?
[2] Hsu, Karen. (2013, March). Masking Test Data in the Cloud. Retrieved from http://www.bankinfosecurity.com/interviews/masking-test-data-in-cloud-i-1822
the vendor chronicles 