Controls for use of production data in testing


One of the questions that I have been asked repeatedly is whether production (live) data can be used for testing purposes. The usual reason is that data that is generated for testing purposes sometimes does not meet the requirements for some test cases.

Extreme care should be taken when considering the use of production data for testing purposes, or for that matter, any use outside of production environments. Data is one of the most important assets for an organization and should be protected.

Compromise of data can lead to violations of regulations and industry requirements, resulting in financial penalties and reputational damage. For these reasons, organizations usually have policies against the use of production data for testing or any other purpose.

In cases where the use of production data cannot be avoided, some controls can be put in place to ensure that production data is secured when used outside of the production environment.

Business Justification
The business justification for access to the data should be documented. This has to detail why production data, rather than data generated for test purposes, is required. By documenting this and going through an approval process, the chances of production data being used for trivial reasons can be minimized.

Documented Process
The process that will be used to transfer, handle and dispose of the production data should be documented in detail. This will help ensure that a consistent approach is followed by everyone involved in the process. This should also be part of the approval process.

Access Controls
The user account(s) that will be used to get access to the production data should have the following controls in place:

  • It should be disabled until it is required and disabled immediately after the data is obtained from the production environment.
  • It should only have access to the data (tables, rows, etc.) that is required, so that the principle of least privilege is applied.
  • It should be monitored while in use. All activity should be logged for audit purposes.
  • It should be unique and should not be a shared account. In some cases, the same account may be used for access at different times. In these cases, the password has to be changed every time.

The following access controls should be in place for the production data:

  • While the data is used for testing, access should be restricted to a limited number of users.
  • All access to this data should be logged and audited.

Minimal Exposure
To minimize the chances of production data being exposed or compromised, the following controls should be in place:

  • Only the minimum amount of data that is required for testing should be downloaded. This reduces the data set that can be compromised.
  • The data should be retained outside of the production environment for the minimum time possible. The longer the data sits in the test environment (or outside the production environment), the higher the chances of compromise.
  • After the testing is completed, the data should be securely disposed of. If the data is in the file system, then a secure wipe tool should be used. If the data is in the database, the records should be overwritten and then deleted.
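
The sketch below walks through the minimal-exposure controls above on a SQLite stand-in: copy only the needed columns and rows, then overwrite, delete and rebuild, and check the raw file for leftovers. It is an added example, not part of the original article; the table and column names are hypothetical and all records are constructed.

```python
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path

# Constructed sample rows standing in for production records.
SAMPLE = [(1, "Ann Sample", "ID-TEST-0001", "GB"),
          (2, "Bob Sample", "ID-TEST-0002", "US"),
          (3, "Cy Sample", "ID-TEST-0003", "GB")]

def build_source(path):
    with closing(sqlite3.connect(path)) as con:
        con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name, national_id, country)")
        con.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE)
        con.commit()

def extract_minimum(src, dst, country, limit):
    """Copy only the columns and rows the test case needs."""
    with closing(sqlite3.connect(src)) as s, closing(sqlite3.connect(dst)) as d:
        rows = s.execute("SELECT id, national_id FROM customers WHERE country = ? "
                         "ORDER BY id LIMIT ?", (country, limit)).fetchall()
        d.execute("CREATE TABLE test_customers (id INTEGER PRIMARY KEY, national_id)")
        d.executemany("INSERT INTO test_customers VALUES (?, ?)", rows)
        d.commit()
    return len(rows)

def dispose(dst):
    """Overwrite the records, delete them, then rebuild the file."""
    with closing(sqlite3.connect(dst)) as d:
        d.execute("PRAGMA secure_delete = ON")  # zero freed cells and pages
        d.execute("UPDATE test_customers SET national_id = zeroblob(length(national_id))")
        d.execute("DELETE FROM test_customers")
        d.commit()
        d.execute("VACUUM")  # rewrite the file so no stale pages remain

def residue(path, values):
    """Return the sample values still readable in the raw database file."""
    raw = Path(path).read_bytes()
    return [v for v in values if v.encode() in raw]

def run_demo():
    """Return (rows copied, values found before disposal, values found after)."""
    ids = [row[2] for row in SAMPLE]
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "prod.db", Path(tmp) / "test.db"
        build_source(src)
        count = extract_minimum(src, dst, "GB", 2)
        before = residue(dst, ids)
        dispose(dst)
        return count, before, residue(dst, ids)
```

The check only covers the database file's own contents; copies held by the file system or storage device still call for the secure wipe step listed above.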

Encryption and Key Management
Appropriate encryption and key management should be used to protect the data during transit and storage.

  • The data should be encrypted using strong encryption in the production environment and then transferred outside.
  • The data should be transferred over secure channels that have strong encryption. While this may seem to be overkill, especially when considering the previous point, it is strongly recommended.
  • The keys used for data encryption should be secured and managed appropriately. Dual control of keys may need to be incorporated when using manual key management.

These are meant to be general controls that should be in place for use of production data in testing. Each organization is different and may need to add new controls or modify some of the controls listed here.