TechVision: Avoiding Hefty Fines and Reputational Damage with Test Data Management

CA World '16: Avoiding Hefty Fines and Reputational Damage With Test Data Management
Jeff Hughes, Sr. Product Marketing Manager, CA Technologies
Tom Finch, Sr. Consultant, Presales, CA Technologies
DO5X41S, DevOps

Transcript of TechVision: Avoiding Hefty Fines and Reputational Damage with Test Data Management


© 2016 CA. All rights reserved. @CAWORLD #CAWORLD

Terms of this Presentation: For Informational Purposes Only

© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.


Abstract

Legislation surrounding the use of personal data is becoming ever more stringent, and the threat of huge fines and reputational damage is heaping pressure on organizations to become fully secure. The common practice of using raw production data in testing is now riskier than ever, and might no longer be compliant under upcoming legislation like the EU General Data Protection Regulation.

This session will consider some practical steps that can be taken to support compliance in test environments, without compromising access to the quality, production-like data needed for testing. The first step in any strategy will be to understand exactly where sensitive data resides across production systems and test environments, and data profiling will be discussed as a means to do this.

Data masking will be put forward as a good way to start avoiding the use of personally identifiable information in less secure test environments, softening some regulatory requirements in the process. The risks associated with masked test data will be considered, setting out why the only way to be fully secure is to avoid using any production data, in any form.

Synthetic data generation is the only real way to avoid using production data in testing, as synthetic data has all the characteristics of production, but none of the sensitive content. A broader, potential ROI will be discussed, using synthetic data to increase the quality of test data, while driving down provisioning time and costs.

Jeff Hughes, CA Technologies, Sr. Product Marketing Manager

Tom Finch, CA Technologies, Sr. Consultant, Presales


Are you ready for upcoming legislation?

$252m: the cost of Target's 2013 data breach [1]

35% admitted that they do not know if their IT policies and processes are ready for the GDPR. [3]

88% of consumers said data security determines the shops and services they use. [2]

"Don't wait for EU regulation"

- Stef Gyssels, Computer Weekly, "Don't wait for EU regulation to practice good data ethics", July 2015

1 – TechRepublic, 2015 – http://www.techrepublic.com/article/data-breaches-may-cost-less-than-the-security-to-prevent-them/
2 – Symantec, 2015 – http://www.symantec.com/en/uk/about/news/release/article.jsp?prid=20150223_01
3 – Survey of senior European IT professionals. Ipswitch, 2014 – http://www.ipswitch.com/blog/european-teams-woefully-underprepared-gdpr/


Are you ready for upcoming legislation?

90% of UK CIOs fear the GDPR [2]

70% of data breaches are caused by internal (employee) vulnerabilities [3]

87% of Americans can be identified by combining their date of birth, gender and ZIP code [2]

80% of US companies failed their interim PCI compliance assessment [1]

1 – Verizon, 2015 – http://www.verizonenterprise.com/pcireport/2015/#table-overlay
2 – SC Magazine, 2016 – http://www.scmagazineuk.com/90-of-uk-cios-fear-gdpr/article/482313/
3 – Carnegie Mellon University, 2000 – http://dataprivacylab.org/projects/identifiability/paper1.pdf
4 – Forrester Research, cited from Trend Micro, 2012 – http://blog.trendmicro.com/most-data-security-threats-are-internal-forrester-says/


Are you ready for upcoming legislation?

1/4 of businesses said they would wait for the final details before taking any action

2/5+ decision makers with turnover of more than £500m said they were 'not concerned' about the impact of the new structure

1/5 admitted they knew nothing about the changes

50% of companies are not reviewing policies

Source: Crown Records Management Survey


“Dutch Parliament Adopts Data Breach Notification Obligation and Increases Fines”

“Reach of Nevada Personal Data Laws Extended”

“Data Breach Notification Bills Introduced in House and Senate”

“Australia’s New Mandatory Data Retention Law”

“House to Move on Student Data Privacy”

“Data Breach Provisions in Outsourcing Contracts”

“New Data Protection Powers Requested in Oregon”

“The Personal Data Notification and Protection Act Seeks Uniformity in Responses to Data Security Breaches”

“Processing Personal Data in Russia? Consider These Changes to Russian Law and How They May Impact Your Business”

“NEW EUROPEAN DATA PROTECTION GUIDELINES PUBLISHED”

“ISO 27018 – Data Protection Standards for the Cloud”

“FTC Continues to Expand Its Role as All-Purpose Data Privacy and Security Regulator”

“FCC Cracks Down on Consumer Privacy Violations”

“Florida Law Requires Businesses to Ramp Up Data Protection or Face Steep Penalties”

“Delaware Data Disposal Law Requires Action by Affected Businesses”

"New Data Privacy Rules on Mobile Payments"

"African Union Adopts Convention on Cybersecurity and Personal Data Protection"

"China's New Consumer Protection Law"

"Singapore's Personal Data Protection Act Now in Force"

"Increased Enforcement of Data Protection Law Expected"

New legislation is coming in quickly.

More organizations we work with view it as a primary concern for testing.


EU General Data Protection Regulation (GDPR) Background

§ Proposed in 2012 to unify and strengthen existing legislation

§ Will replace the 1995 Data Privacy Directive (95/46/EU)

§ Adopted on 14th April, 2016, with an enforcement date May 25th, 2018

§ 2 year implementation time – pressing to make necessary changes

§ Will apply to any organization worldwide processing data from EU


Headlines Are Focused on Fines:

§ Maximum fines of €20 million or 4% of annual revenue (whichever is higher)

§ How transferring data across borders will be impacted, and the impact of the much discussed "Right to Erasure"

§ What about testing?


The changing definition of "consent" – can you really use that data for testing? Can you demonstrate that?

§ A move away from "opt out" consent, to somewhere between requiring unambiguous consent and explicit consent

§ Consent must be constituted by an affirmative action and cannot be "silence, pre-ticked boxes or inactivity" (Recital 25)

§ Blanket consent for all future use of data will not be possible


Consent, data minimization and purpose limitation – only enough data, used by just enough people, for no longer than necessary.

§ A greater burden on data controllers (Article 5), who can process data in a certain way if consent has been given to do so, or if it is necessary for legal purposes, to fulfil a contract, for the subject's vital interest or for public interest (Article 6)


"The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons." (Article 25)


The challenge for testing – where is the sensitive information stored?

§ Poorly understood data models

§ Sensitive data stored inconsistently, in uncontrolled spreadsheets and lurking in a "Notes" column?

§ Testers copy data to their machines and keep it there – do you know who's using data, and for how long they've had it?

Consent Doesn't Last Forever

§ Right to data portability: a citizen's right to request a copy of data in a format usable by them (Article 20)

§ "Right to Erasure": to withdraw consent (Article 7) or for data to be forgotten unless there is a legitimate reason to keep it (Article 19)

Dear high street bank,

Please provide me with a copy of and then delete all instances of my data across all inter-dependent test environments, including legacy systems. This must be done “without delay” (Article 17).

Regards, Tom Pryce


Pseudonymization: "the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person"


What about data masking?

§ Is highly complex – often some information is left in as a form of compromise, such as inter-column relationships

§ The definition of Personal Information is growing, including anything related to genetic, mental, economic, cultural or social identity

§ How easy is it to mask all of this content, while retaining the referential integrity needed for testing?

§ Can you reverse engineer data from complex relationships using a piece of external information?
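The referential-integrity and re-identification points in the bullets above, as an added Python example that is not part of the original presentation or of CA Test Data Manager: a keyed, deterministic pseudonym (an HMAC over the raw value, with the key as the "additional information kept separately" from the pseudonymization definition) replaces direct identifiers consistently across two tables so foreign keys still join, while quasi-identifiers left in clear (date of birth, gender and ZIP, the combination cited earlier in the deck) are shown to re-link masked rows to an external list. All tables, names and the masking key are constructed for the demonstration.

```python
import hmac
import hashlib
# Constructed sample "production" tables (not real people); ORDERS references
# CUSTOMERS via customer_id, the inter-table link that masking must keep intact.
CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "dob": "1984-03-02", "gender": "F", "zip": "02139"},
    {"customer_id": 1002, "name": "Bob Example", "dob": "1975-11-19", "gender": "M", "zip": "90210"},
]
ORDERS = [
    {"order_id": 1, "customer_id": 1001, "amount": 42.00},
    {"order_id": 2, "customer_id": 1002, "amount": 13.37},
    {"order_id": 3, "customer_id": 1001, "amount": 7.50},
]
# Constructed secret held only by the masking team (GDPR's "additional information kept separately").
MASKING_KEY = b"constructed-demo-key"

def pseudonym(value, key=MASKING_KEY):
    """Keyed, deterministic token: equal inputs give equal tokens, so joins survive masking."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]

def mask_tables(customers, orders, keep_quasi_identifiers):
    """Replace direct identifiers in both tables; optionally leave dob/gender/zip in clear."""
    masked_customers = []
    for c in customers:
        row = {"customer_id": pseudonym(c["customer_id"]), "name": pseudonym(c["name"])}
        if keep_quasi_identifiers:
            row.update(dob=c["dob"], gender=c["gender"], zip=c["zip"])
        masked_customers.append(row)
    masked_orders = [dict(o, customer_id=pseudonym(o["customer_id"])) for o in orders]
    return masked_customers, masked_orders

def orphan_orders(masked_customers, masked_orders):
    """Referential-integrity check: order ids whose customer_id matches no masked customer."""
    known = {c["customer_id"] for c in masked_customers}
    return [o["order_id"] for o in masked_orders if o["customer_id"] not in known]

def relink(masked_customers, external):
    """Join masked rows to an external list on (dob, gender, zip); each hit is a re-identified row."""
    index = {(e["dob"], e["gender"], e["zip"]): e["name"] for e in external}
    hits = {}
    for c in masked_customers:
        key = (c.get("dob"), c.get("gender"), c.get("zip"))
        if key in index:
            hits[c["customer_id"]] = index[key]
    return hits

if __name__ == "__main__":
    # Constructed external list holding one customer's quasi-identifiers in clear.
    external = [{"name": "Alice Example", "dob": "1984-03-02", "gender": "F", "zip": "02139"}]
    for keep in (True, False):
        mc, mo = mask_tables(CUSTOMERS, ORDERS, keep_quasi_identifiers=keep)
        print(f"quasi-identifiers kept={keep}: orphans={orphan_orders(mc, mo)}, relinked={relink(mc, external)}")
```

With the quasi-identifiers kept, every order still joins to its masked customer but one row is re-identified; dropping them (or replacing them with synthetic values) closes the linkage while leaving the joins intact.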

So, what might need to be masked? All direct identifiers and many indirect identifiers. How hard is this while maintaining referential integrity?

[Slide graphic: a word cloud of identifier types – names, addresses, Social Security numbers, identification numbers, driver's license numbers, telephone numbers, telephone and area codes, ZIP and other postal codes, location data, online identifiers, biometric and genetic data, and physical, physiological, mental, economic, cultural and social identity.]


A Hybrid Approach

§ Test data is masked, making sure at least all data is "pseudo-anonymized" unless it can be demonstrated that there is consent to use it for the exact testing task being performed

§ Move towards using data without direct or indirect identifiers – i.e. fictitious synthetic data which is not subject to the GDPR


Moving Towards a Hybrid Approach

1. Cultural: encourage people to use synthetic versions of data – simulate production data and ensure that testers use these versions

2. Blend in synthetic for more effective testing: identify where to inject synthetic test data and virtualization, to overcome the number one challenge with masking: synchronization across systems


Benefits of Synthetic Data Generation: CA Test Data Manager

Increase security, increase productivity, increase agility, increase quality, reduce costs

§ Eliminate the risk of internal and external breaches

§ Ensure PII is protected

§ Reduce the time spent preparing data by tenfold, from 20% to 2%

§ Reduce the time finding data from multiple systems by 95%

§ Match the right data to the right test

§ Test new applications

§ Achieve 100% functional test coverage

§ Enable self-service

§ Quickly respond to changes

§ Ensure test data is up to date

§ Clone and deliver data in parallel

§ Proactively estimate change costs

§ Decrease storage and software license costs


ARAG Group – Case Study: Customer Success Story. Ensuring data privacy while eliminating defects in production with CA Test Data Manager.

CHALLENGE

ARAG needed to maintain data privacy and anonymize data used in a variety of settings, including test and development.

SOLUTION

CA Test Data Manager allows the test and development teams at ARAG to successfully create and manage test data that is both fit-for-purpose and of a high quality, while also significantly improving testing efficiency.

RESULTS

As a result, ARAG can be confident that the solutions it delivers to its clerks are of a higher quality and the data used to test those solutions complies with data privacy regulations.


Demo – Tom Finch

1. Building some synthetic data

2. CA Test Data Manager web portal


Questions?


Recommended Sessions

SESSION# | TITLE | DATE/TIME

DO5T19S | Case Study: GM Financial Builds a Sustainable, Holistic, Continuous Delivery Practice | 11/17/2016 at 4:30pm

DO5X42S | Test Data on Demand: Delivering the Right Data, to the Right Place, at the Right Time | 11/17/2016 at 4:30pm


Must See Demos

Achieving Compliance | CA Test Data Manager | DevOps Theatre 5

Modernize App Delivery | CA Test Data Manager | DevOps Theatre 5

Build Test Data Quickly | Integrated Continuous Delivery | DevOps Theater 5

Deliver Better Apps | Service Virtualization | DevOps Theater 5


Thank you.

Stay connected at communities.ca.com


DevOps – Continuous Delivery

For more information on DevOps – Continuous Delivery, please visit: http://cainc.to/PiTFpu