Key Takeaway
DevOps teams routinely use production data for testing. With increasing use of cloud and outsourcing of testing activities, the risk of a breach of sensitive data, including personally identifiable information (PII) and protected health information (PHI), has increased severalfold. Of late, data breaches have become a business reality: it is no longer a question of if but when. As DevOps teams leverage the power of big data, cloud, and the Internet of Things to deliver new services and products, they need to take appropriate steps to manage and mitigate data breach risks.
Test Data Breaches
Over 60 percent of DevOps leaders emphasize [1] that access to production data is critical for their success. In the absence of an appropriate process, this may result in data breaches, especially when third-party vendors are involved. The following list highlights some recent data breach incidents involving test data.
- Nov 2016 – Michael Page, a leading UK-based recruitment firm, suffered a data breach that exposed personal details of 780K+ job applicants [2]. The data was left on a development server managed by Capgemini, an outsourcer to Michael Page, which had not anonymized the data; anonymization would have protected it from being exposed.
- May 2016 – Parenting retailer Kiddicare suffered a data breach that exposed the names, addresses and telephone numbers of some of its customers [3]. Private information of 700K+ customers was stolen from a version of its website set up for testing purposes.
- Apr 2016 – The American College of Cardiology (ACC) notified 1,400 institutions that patient data from the National Cardiovascular Data Registry (NCDR) might have been breached [4]. The ACC found that four software development vendors who were testing software had access to NCDR patient data. The data was copied between 2009 and 2010 and was included in one of more than 250 tables that software developers used in a test environment.
Key Challenges
While a large percentage (40%) of data breaches result from hacking or malicious attacks, which are often a popular topic of discussion in social media, employee and vendor error is the primary reason for most data breaches.
In addition to setting up the correct security protocols for protecting data housed in DevOps data servers, organizations need to establish an appropriate level of encryption to protect sensitive information such as PII and PHI and to prevent employee- and third-party-related exposures. Only four percent (4%) of the 5.3 billion records exposed through data breaches since 2013 were encrypted [5], and those therefore did not result in any negative impact.
With so much data being used by DevOps teams and exchanged between on-premise systems, cloud-based applications and third-party outsourcers, it is nearly impossible to identify and control sensitive information without a comprehensive approach.
Best Practices for Managing data breach risks in DevOps
- Classify sensitive data prior to acquisition: Leverage rule-based and machine learning technology to detect and classify sensitive data in both structured and unstructured documents prior to their import into the test environment.
- Encrypt sensitive fields while preserving format: Use a format-preserving encryption (FPE) technique to encrypt all PII and PHI using random encryption keys generated dynamically. Use an automated solution to encrypt field-level information in both structured and unstructured data.
- Encrypt at rest: If your application allows consumption of encrypted data, then encrypt the data at rest. This will add a second layer of security for non-sensitive data.
- Look for internet exposure: If the test server and application are deployed in the cloud, establish a monitoring process to see whether any of the hosts is exposed to the public internet.
- Monitor presence of sensitive information: Continuously look for the presence of sensitive information within the test database and the corresponding log and export dumps using automated tools, in the event developers skipped steps 1 and 2.
- Detect anomalous usage patterns: Leverage machine learning technology to detect outlier usage activity that indicates something funny is going on in your DevOps environment.
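An added example, not from the original article: a minimal rule-based scanner for the classification and monitoring practices above, run over constructed lines from a hypothetical test-database export and log. The patterns, function names and sample data are assumptions for illustration, not a complete PII/PHI rule set.

```python
import re

# Rule-based detectors; illustrative assumptions, not a complete PII/PHI rule set.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep findings reportable without copying the sensitive value into the report."""
    return value[:2] + "*" * (len(value) - 4) + value[-2:]

def scan(lines):
    """Return (line_number, kind, masked_value) for every sensitive value found."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group()
                if kind == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                    continue  # fails checksum: order id, sequence number, etc.
                findings.append((n, kind, mask(value)))
    return findings

# Constructed sample: lines from a hypothetical test-database export and app log.
SAMPLE = [
    "INSERT INTO customers VALUES (1,'Jane Roe','jane.roe@example.com','078-05-1120');",
    "INSERT INTO payments VALUES (1,'4111 1111 1111 1111','2016-05-01');",
    "INSERT INTO orders VALUES (77,'1234567890123456','shipped');",
    "2016-05-01 12:00:01 INFO user_id=42 login ok",
]

if __name__ == "__main__":
    for line_no, kind, shown in scan(SAMPLE):
        print(f"line {line_no}: {kind} {shown}")
```

The 16-digit order value on line 3 is not reported because it fails the Luhn check, which keeps the false-positive rate manageable when the scan runs on every refresh of the test environment.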
Bottom-line
Just because you have established security and encryption policies, do not assume your developers and third-party testers are adhering to them. With rapid application release cycles and resource turnover, monitoring adherence to security and encryption policy is imperative for managing data breach risk in a DevOps environment.
References:
1. https://www.delphix.com/sites/default/files/delphix-ar-gleanster-state-of-devops-2015.pdf
2. http://www.infosecurity-magazine.com/news/recruitment-firm-blames-capgemini/
3. http://www.bbc.com/news/technology-36247189
4. http://www.cardiovascularbusiness.com/topics/practice-management/acc-notifies-1400-institutions-potential-data-breach
5. http://breachlevelindex.com/