Another Security Weakness: The Testing Phase

Despite so much concern over data security these days, there’s one point of weakness that might not have occurred to many IT managers: their testing process.

Many modern ERP and CRM applications have to be tested with live data, since “dummy” or made-up data typically isn’t enough, and that potentially means databases are open to anyone in the testing process.

Adding to this problem is the fact that many development, quality assurance (QA) and testing departments have been outsourced to India and other overseas locations. This puts companies in the bind of either using live data to test or spending the time to make dummy data.

Gamma Enterprise Technologies, a provider of application data management software for firms running SAP software, today released the results of a survey of SAP users that found protecting this data is a big concern for customers. Perhaps not surprisingly, Gamma also believes it has the solution.

The survey shows that nearly 70 percent of the 175 respondents across 23 countries are concerned about the exposure of sensitive data in non-production environments like testing. Despite these concerns, most survey participants have no plans for improving their security practices.

“Customers have spent all their security dollars on securing their production environment and not given a lot of thought over their non-production environments, where they have a lot less control over who has access to the data and what they do with it,” Gamma Executive Vice President Suzanne Swanson told

It might seem obvious not to use production data in a testing environment, but generating enough records to properly test SAP applications is just not that easy. SAP customers have databases of five to 10 terabytes or more, and to properly test an application would require many gigabytes of data to fill the data fields in the application, Swanson said.

To address this, Gamma offers InfoShuttle Data Security, which enables organizations to use, customize and create sophisticated rules for masking sensitive information that has been moved into development, testing, training and sandbox environments.

The product provides 24 different rules to scramble data moving across the enterprise while protecting its integrity for use in testing. This involves steps like scrambling names, addresses, social security numbers and other fields while maintaining that data in the live database.

Any field in the database can be obscured using methods chosen by administrators or the head of testing.
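
Scrambling fields while keeping the data usable for testing can be illustrated with keyed, deterministic masking, where the same input always maps to the same surrogate so joins between tables still line up. This is an added example, not Gamma's code or InfoShuttle's rule set; the key, surrogate names, column names and sample rows are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed key for the demo; in practice it stays on the production side
# and never travels with the masked copy.
MASKING_KEY = b"constructed-demo-key"

# Constructed surrogate names (hypothetical lookup list).
SURROGATE_NAMES = ["Alex Reed", "Dana Cole", "Jamie Park", "Morgan Diaz", "Riley Shaw"]


def _digest(field: str, value: str) -> bytes:
    """Keyed, per-field digest: the same input always yields the same output."""
    return hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()


def mask_digits(field: str, value: str) -> str:
    """Replace every digit, keeping length and punctuation (e.g. NNN-NN-NNNN).

    The 32-byte digest covers values with up to 32 digits.
    """
    stream = iter(_digest(field, value))
    return re.sub(r"\d", lambda _: str(next(stream) % 10), value)


def mask_name(value: str) -> str:
    """Map a real name onto a surrogate chosen by the keyed digest."""
    index = int.from_bytes(_digest("name", value)[:4], "big") % len(SURROGATE_NAMES)
    return SURROGATE_NAMES[index]


def mask_rows(rows, rules):
    """Apply per-column masking rules; columns without a rule pass through."""
    return [{col: rules.get(col, lambda v: v)(val) for col, val in row.items()}
            for row in rows]


RULES = {"ssn": lambda v: mask_digits("ssn", v), "name": mask_name}

# Constructed sample records: two tables that join on the SSN column.
CUSTOMERS = [{"ssn": "123-45-6789", "name": "Pat Example", "tier": "gold"}]
ORDERS = [{"ssn": "123-45-6789", "order_id": "A-1001"},
          {"ssn": "987-65-4321", "order_id": "A-1002"}]

if __name__ == "__main__":
    for row in mask_rows(CUSTOMERS, RULES) + mask_rows(ORDERS, RULES):
        print(row)
```

Deterministic masking keeps joins intact but also maps equal inputs to equal outputs, so for small value spaces such as nine-digit numbers the masking key has to stay out of the non-production environments.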

“It doesn’t keep data from walking out, but if the data walks out, it’s scrambled, so it’s worthless,” said Swanson.

InfoShuttle Data Security is available now from Gamma, as is the survey.
