While the industry deals with the most egregious aspects of data theft, many computer systems still remain vulnerable to attack at some level. An important tier of computer data remains practically untouched and unprotected by today's new data security procedures: non-production systems used for in-house development, testing and training purposes.
These systems are generally "open," and leave a large hole in the security practices at companies of all sizes. Non-production environments leverage "real data" to test applications, housing some of the most classified information in an organization, including employee records, customer records, and financial transaction documents. Yet, non-production environments are generally exposed with little or no logging and monitoring, and these systems are often made available for remote access, and as a result, they are difficult to secure.
In order to prevent security breaches that often lead to unwanted media attention and costly legal liability, there are a few steps you can take to protect sensitive data. First, understand the threat in non-production environments. Second, use a data masking or "obfuscation" tool in conjunction with access control. Third, follow through with the investment of the appropriate security measures in the front end.
Understand the Threat
Insider threats lead the way, accounting for approximately 60 percent of all data breaches. The black market for sensitive personal information provides a powerful lure to some individuals, as stolen data has become a highly lucrative business. For example, credit card information brings $1.50 per record and medical identity card information is worth even more, at $5 to $50 per record.
Most organizations prefer to test their applications with "real data" in both their development and test environments, as this provides the best scenario to ensure applications work properly. However, typical control (people, process and technology) practices and security measures taken in development and test environments are generally a fraction of what is practiced for production databases. As a result, many companies inadvertently jeopardize highly sensitive information at the application development level.
"In today's software development world, many organizations have diversified their development resource. They either have development sites off shore (owned or contracted), contract coding to companies within their respective countries, hire contractors to work within their development facilities, and/or employ people to develop their software," said Louis Carpenito, an independent senior security executive with a lengthy record of data security experience with such organizations as Symantec, Fidelity Investments and Johnson & Johnson.
"Since non-production environments are generally "open" with little or no logging and monitoring and are often accessed remotely, they pose an easy target for data thieves, and quite simply invite both inside and external threats to harvest sensitive personal information with relative ease and without detection," Carpenito said.