techvision: avoiding hefty fines and reputational damage with test data management
TRANSCRIPT
World®’16
Avoiding Hefty Fines and Reputational Damage With Test Data Management
Jeff Hughes - Sr. Product Marketing Manager - CA Technologies
Tom Finch - Sr. Consultant - Presales - CA Technologies
DO5X41S
DEVOPS
© 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
For Informational Purposes Only - Terms of this Presentation
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
Legislation surrounding the use of personal data is becoming ever more stringent, and the threat of huge fines and reputational damage is heaping pressure on organizations to become fully secure. The common practice of using raw production data in testing is now riskier than ever, and might no longer be compliant under upcoming legislation like the EU General Data Protection Regulation.
This session will consider some practical steps that can be taken to support compliance in test environments, without compromising access to the quality, production-like data needed for testing. The first step in any strategy will be to understand exactly where sensitive data resides across production systems and test environments, and data profiling will be discussed as a means to do this.
Data masking will be put forward as a good way to start avoiding the use of personally identifiable information in less secure test environments, softening some regulatory requirements in the process. The risks associated with masked test data will be considered, setting out why the only way to be fully secure is to avoid using any production data, in any form.
Synthetic data generation is the only real way to avoid using production data in testing, as synthetic data has all the characteristics of production, but none of the sensitive content. A broader, potential ROI will be discussed, using synthetic data to increase the quality of test data, while driving down provisioning time and costs.
Jeff Hughes, CA Technologies, Sr. Product Marketing Manager
Tom Finch, CA Technologies, Sr. Consultant - Presales
Are You Ready for Upcoming Legislation?
$252m: the cost of Target's 2013 data breach [1]
88% of consumers said data security determines the shops and services they use [2]
35% admitted that they do not know if their IT policies and processes are ready for the GDPR [3]
"Don't wait for EU regulation" - Stef Gyssels, Computer Weekly, "Don't wait for EU regulation to practice good data ethics", July 2015
1 - TechRepublic, 2015 - http://www.techrepublic.com/article/data-breaches-may-cost-less-than-the-security-to-prevent-them/
2 - Symantec, 2015 - http://www.symantec.com/en/uk/about/news/release/article.jsp?prid=20150223_01
3 - Survey of senior European IT professionals. Ipswitch, 2014 - http://www.ipswitch.com/blog/european-teams-woefully-underprepared-gdpr/
Are You Ready for Upcoming Legislation?
80% of US companies failed their interim PCI compliance assessment [1]
90% of UK CIOs fear the GDPR [2]
87% of Americans can be identified by combining their date of birth, gender and ZIP code [3]
70% of data breaches are caused by internal (employee) vulnerabilities [4]
1 - Verizon, 2015 - http://www.verizonenterprise.com/pcireport/2015/#table-overlay
2 - SC Magazine, 2016 - http://www.scmagazineuk.com/90-of-uk-cios-fear-gdpr/article/482313//
3 - Carnegie Mellon University, 2000 - http://dataprivacylab.org/projects/identifiability/paper1.pdf
4 - Forrester Research, cited from Trend Micro, 2012 - http://blog.trendmicro.com/most-data-security-threats-are-internal-forrester-says/
Are You Ready for Upcoming Legislation?
1/4 of businesses said they would wait for the final details before taking any action
2/5+ decision makers with turnover of more than £500m said they were 'not concerned' about the impact of the new structure
1/5 admitted they knew nothing about the changes
50% of companies are not reviewing policies
Source: Crown Records Management Survey
“Dutch Parliament Adopts Data Breach Notification Obligation and Increases Fines”
“Reach of Nevada Personal Data Laws Extended”
“Data Breach Notification Bills Introduced in House and Senate”
“Australia’s New Mandatory Data Retention Law”
“House to Move on Student Data Privacy”
“Data Breach Provisions in Outsourcing Contracts”
“New Data Protection Powers Requested in Oregon”
“The Personal Data Notification and Protection Act Seeks Uniformity in Responses to Data Security Breaches”
“Processing Personal Data in Russia? Consider These Changes to Russian Law and How They May Impact Your Business”
“NEW EUROPEAN DATA PROTECTION GUIDELINES PUBLISHED”
“ISO 27018 – Data Protection Standards for the Cloud”
“FTC Continues to Expand Its Role as All-Purpose Data Privacy and Security Regulator”
“FCC Cracks Down on Consumer Privacy Violations”
“Florida Law Requires Businesses to Ramp Up Data Protection or Face Steep Penalties”
“Delaware Data Disposal Law Requires Action by Affected Businesses”
"New Data Privacy Rules on Mobile Payments"
"African Union Adopts Convention on Cybersecurity and Personal Data Protection"
"China's New Consumer Protection Law"
"Singapore's Personal Data Protection Act Now in Force"
"Increased Enforcement of Data Protection Law Expected"
New legislation is coming in quickly.
More organizations we work with view it as a primary concern for testing.
EU General Data Protection Regulation (GDPR) Background
§ Proposed in 2012 to unify and strengthen existing legislation
§ Will replace the 1995 Data Protection Directive (95/46/EC)
§ Adopted on 14th April 2016, with an enforcement date of 25th May 2018
§ 2-year implementation time - pressing to make the necessary changes
§ Will apply to any organization worldwide processing the personal data of individuals in the EU
Headlines Are Focused on Fines:
§ Maximum fines of €20 million or 4% of worldwide annual turnover (whichever is higher)
§ How transferring data across borders will be impacted, and the impact of the much discussed "Right to Erasure"
§ What about testing?
The changing definition of "consent" - can you really use that data for testing? Can you demonstrate that?
§ A move away from "opt out" consent, to somewhere between requiring unambiguous consent and explicit consent
§ Consent must be constituted by an affirmative action and cannot be "silence, pre-ticked boxes or inactivity" (Recital 32 of the adopted text; Recital 25 in the 2012 draft)
§ Blanket consent for all future use of data will not be possible
Consent, data minimization and purpose limitation - only enough data, used by just enough people, for no longer than necessary.
§ A greater burden on data controllers (Article 5), who can process data in a certain way if consent has been given to do so, or if it is necessary for legal purposes, to fulfil a contract, for the subject's vital interest, for the public interest or for legitimate interests (Article 6)
“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.” (Article 25(2))
The challenge for testing - where is the sensitive information stored?
§ Poorly understood data models
§ Sensitive data stored inconsistently, in uncontrolled spreadsheets and lurking in a "Notes" column?
§ Testers copy data to their machines and keep it there - do you know who's using data, and for how long they've had it?
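The profiling step the abstract calls for (finding out where sensitive data actually lives, including free-text columns such as a "Notes" field that the data model never declared as personal) can be started with a pattern scan over a sample of rows. What follows is an added example, not CA's code and not part of the original deck: the rows are constructed, and the detector set and column-name hints are assumptions that a real profiler would extend with national ID, IBAN and card-number checks.

```python
import re
from collections import defaultdict

# Constructed sample extract (fictional people) standing in for a production table.
SAMPLE_ROWS = [
    {"customer_id": "1001", "full_name": "Alice Example", "email": "alice@example.com",
     "dob": "1984-03-12", "zip": "02139", "notes": "Called re: card ending 4421"},
    {"customer_id": "1002", "full_name": "Bob Sample", "email": "bob@example.org",
     "dob": "1979-11-30", "zip": "30301",
     "notes": "SSN 123-45-6789 given over phone, callback 555-867-5309"},
    {"customer_id": "1003", "full_name": "Carol Test", "email": "N/A",
     "dob": "1990-07-04", "zip": "94110",
     "notes": "Spouse carol.partner@example.net also on account"},
]

# Assumed detector set; content-based, so it catches PII in columns nobody labelled.
PATTERNS = {
    "email":  re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone":  re.compile(r"(?:\(?\b\d{3}\)?[ .-])?\b\d{3}[ .-]\d{4}\b"),
    "date":   re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
    "us_zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

# Column names that are personal data whatever their content looks like (assumed list).
NAME_HINTS = ("name", "dob", "birth", "ssn", "email", "phone", "zip", "postcode", "address")


def profile(rows):
    """Count, per column, how many rows match each detector, and note telling column names."""
    report = {}
    for col in rows[0]:
        hits = defaultdict(int)
        for row in rows:
            value = str(row.get(col, ""))
            for label, rx in PATTERNS.items():
                if rx.search(value):
                    hits[label] += 1
        report[col] = {
            "rows": len(rows),
            "hits": dict(hits),
            "name_hint": any(h in col.lower() for h in NAME_HINTS),
        }
    return report


def sensitive_columns(report):
    """Columns to treat as personal data: any detector hit, or a telling column name."""
    return sorted(col for col, r in report.items()
                  if r["name_hint"] or any(r["hits"].values()))


if __name__ == "__main__":
    rep = profile(SAMPLE_ROWS)
    for col in sensitive_columns(rep):
        print(f"{col:12s} {rep[col]['hits']}")
```

Run against the sample, the `notes` column is flagged on content alone (an e-mail address, an SSN and a phone number in three different rows), which is exactly the case a column-name-only inventory misses; `customer_id` is not flagged, because a surrogate key by itself identifies nobody outside the system.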
Consent Doesn't Last Forever
§ Right to data portability: a citizen's right to request a copy of data in a format usable by them (Article 20)
§ "Right to Erasure": to withdraw consent (Article 7) or for data to be forgotten unless there is a legitimate reason to keep it (Article 17)
Dear high street bank,
Please provide me with a copy of and then delete all instances of my data across all inter-dependent test environments, including legacy systems. This must be done “without delay” (Article 17).
Regards, Tom Pryce
Pseudonymisation: “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person” (Article 4(5))
What about data masking?
§ Is highly complex - often some information is left in as a form of compromise, such as inter-column relationships
§ The definition of Personal Information is growing, including anything related to genetic, mental, economic, cultural or social identity
§ How easy is it to mask all of this content, while retaining the referential integrity needed for testing?
§ Can you reverse engineer data from complex relationships using a piece of external information?
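To make the masking questions above concrete, here is an added example (not CA Test Data Manager's implementation and not part of the original deck) of keyed, deterministic pseudonymization that keeps referential integrity across two tables, alongside generalization of the quasi-identifiers the deck warns about (date of birth, gender, ZIP, the combination that re-identifies 87% of Americans). The tables are constructed, and the key handling and generalization rules are assumptions: the HMAC key plays the role of the "additional information" that GDPR Article 4(5) says must be kept separately, so an environment holding only the masked tables cannot map tokens back, and using a different key per environment stops two masked copies being joined to each other.

```python
import hashlib
import hmac

# Constructed sample tables (fictional people); orders.customer_id is a foreign key to customers.
CUSTOMERS = [
    {"customer_id": "1001", "full_name": "Alice Example", "email": "alice@example.com",
     "dob": "1984-03-12", "gender": "F", "zip": "02139"},
    {"customer_id": "1002", "full_name": "Bob Sample", "email": "bob@example.org",
     "dob": "1979-11-30", "gender": "M", "zip": "30301"},
]
ORDERS = [
    {"order_id": "A1", "customer_id": "1001", "amount": "19.99"},
    {"order_id": "A2", "customer_id": "1002", "amount": "5.00"},
    {"order_id": "A3", "customer_id": "1001", "amount": "42.10"},
]


class Pseudonymizer:
    """Keyed, deterministic tokens: under one key the same input always maps to the
    same token, so foreign keys still line up after masking. Without the key (kept
    separately, e.g. in a vault) a token cannot be mapped back to the original."""

    def __init__(self, key: bytes):
        self.key = key

    def token(self, domain: str, value: str, length: int = 12) -> str:
        # Domain separation: a customer id and an order id with the same digits don't collide.
        msg = f"{domain}:{value}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:length]


def generalize_dob(dob: str) -> str:
    """Keep only a five-year birth band (assumed rule): 1984-03-12 -> 1980-1984."""
    year = int(dob[:4])
    low = year - year % 5
    return f"{low}-{low + 4}"


def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix only (assumed rule): 02139 -> 021**."""
    return zip_code[:3] + "**"


def mask_tables(customers, orders, key: bytes):
    """Pseudonymize direct identifiers, generalize quasi-identifiers, keep the FK relationship."""
    p = Pseudonymizer(key)
    masked_customers = [{
        "customer_id": p.token("customer", c["customer_id"]),
        "full_name": "Customer " + p.token("name", c["full_name"], 8),
        "email": f"user-{p.token('email', c['email'], 10)}@example.invalid",
        "dob": generalize_dob(c["dob"]),
        "gender": c["gender"],
        "zip": generalize_zip(c["zip"]),
    } for c in customers]
    masked_orders = [{
        "order_id": p.token("order", o["order_id"]),
        "customer_id": p.token("customer", o["customer_id"]),  # same domain + key => same token
        "amount": o["amount"],
    } for o in orders]
    return masked_customers, masked_orders


def referential_integrity_ok(customers, orders) -> bool:
    """Every order must still point at a customer that exists in the masked table."""
    ids = {c["customer_id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)


if __name__ == "__main__":
    key = b"key-held-in-a-separate-vault"  # assumed: never shipped alongside the test data
    mc, mo = mask_tables(CUSTOMERS, ORDERS, key)
    print(referential_integrity_ok(mc, mo), mc[0], mo[0], sep="\n")
```

The caveat the slide raises still applies: the masked rows keep `gender`, a birth band and a ZIP prefix so that tests which depend on them keep working, and that retained structure is precisely what an attacker with "a piece of external information" would try to link against. The generalization rules have to be chosen per dataset, and a masked copy is still pseudonymized personal data under the GDPR, not data outside its scope.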
So, what might need to be masked? All direct identifiers and many indirect identifiers:
names, addresses, Social Security numbers, identification numbers, driver's license numbers, telephone numbers, telephone and area codes, ZIP and other postal codes, location data, online identifiers, biometric and genetic data, and data revealing physical, physiological, mental, economic, cultural or social identity.
How hard is this while maintaining referential integrity?
A Hybrid Approach
§ Test data is masked, making sure at least all data is pseudonymized unless it can be demonstrated that there is consent to use it for the exact testing task being performed
§ Move towards using data without direct or indirect identifiers - i.e. fictitious synthetic data, which is not subject to the GDPR because it relates to no real person
Moving Towards a Hybrid Approach
1. Cultural: encourage people to use synthetic versions of data - simulate production data and ensure that testers use these versions
2. Blend in synthetic for more effective testing: identify where to inject synthetic test data and virtualization, to overcome the number one challenge with masking: synchronization across systems
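For the "simulate production data" step, the following added example (not CA Test Data Manager and not part of the original deck) generates a production-shaped customers/orders dataset from a seed. Every value is fictitious, but the formats an application validates still hold (Luhn-valid card numbers in a test IIN range, ISO dates, five-digit ZIPs, a parent/child key relationship), and the same seed reproduces the same dataset, which is what lets a test refer to "customer C00007" reliably across environments without any synchronization of masked copies. The name lists, the order-count distribution and the IIN are assumptions.

```python
import random

# Assumed, deliberately small value lists; nothing here refers to a real person.
FIRST_NAMES = ["Ada", "Bao", "Carla", "Dev", "Esme", "Femi", "Greta", "Hiro"]
LAST_NAMES = ["Andersen", "Bhatt", "Costa", "Dlamini", "Eriksen", "Farah", "Gomez"]
TEST_IIN = "411111"   # assumed test card prefix; generated numbers are not issued cards


def luhn_checksum(number: str) -> int:
    """Standard Luhn mod-10 sum over the whole number; a valid number returns 0."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_complete(payload: str) -> str:
    """Append the check digit that makes payload + digit Luhn-valid."""
    check = (10 - luhn_checksum(payload + "0")) % 10
    return payload + str(check)


def generate(seed: int, n_customers: int):
    """Return (customers, orders) with a parent/child key relationship and no real content."""
    rng = random.Random(seed)   # seeded: the same seed always yields the same dataset
    customers, orders = [], []
    for n in range(1, n_customers + 1):
        first, last = rng.choice(FIRST_NAMES), rng.choice(LAST_NAMES)
        year, month, day = rng.randint(1950, 2000), rng.randint(1, 12), rng.randint(1, 28)
        payload = TEST_IIN + "".join(str(rng.randint(0, 9)) for _ in range(9))
        customers.append({
            "customer_id": f"C{n:05d}",
            "full_name": f"{first} {last}",
            "email": f"{first}.{last}{n}@example.invalid".lower(),
            "dob": f"{year:04d}-{month:02d}-{day:02d}",
            "gender": rng.choice(["F", "M", "X"]),
            "zip": f"{rng.randint(501, 99950):05d}",
            "card_number": luhn_complete(payload),
        })
        # Assumed order-count distribution: most customers have a few orders, some have many.
        for _ in range(rng.choices([0, 1, 2, 3, 8], weights=[2, 5, 3, 2, 1])[0]):
            orders.append({
                "order_id": f"O{len(orders) + 1:06d}",
                "customer_id": f"C{n:05d}",
                "amount": f"{rng.uniform(1, 500):.2f}",
            })
    return customers, orders


def dataset_ok(customers, orders) -> bool:
    """Checks to run before loading: unique keys, valid foreign keys, valid formats."""
    ids = [c["customer_id"] for c in customers]
    id_set = set(ids)
    return (len(ids) == len(id_set)
            and all(o["customer_id"] in id_set for o in orders)
            and all(luhn_checksum(c["card_number"]) == 0 for c in customers)
            and all(c["email"].endswith("@example.invalid") for c in customers))


if __name__ == "__main__":
    cs, ords = generate(seed=42, n_customers=5)
    print(dataset_ok(cs, ords))
    for c in cs:
        print(c)
```

Because the generator draws only from its own value lists and a seed, there is nothing in the output to mask and nothing to erase when a data subject exercises Article 17; the trade-off, which the deck's "blend in" step acknowledges, is that realistic distributions and edge cases have to be specified deliberately rather than inherited from production.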
Benefits of Synthetic Data Generation - CA Test Data Manager
INCREASE SECURITY
§ Eliminate the risk that an internal or external breach of a test environment exposes production data
§ Ensure PII is protected
INCREASE PRODUCTIVITY
§ Reduce the time spent preparing data tenfold, from 20% to 2%
§ Reduce the time finding data from multiple systems by 95%
INCREASE QUALITY
§ Match the right data to the right test
§ Test new applications
§ Achieve 100% functional test coverage
INCREASE AGILITY
§ Enable self-service
§ Quickly respond to changes
§ Ensure test data is up to date
REDUCE COSTS
§ Clone and deliver data in parallel
§ Proactively estimate change costs
§ Decrease storage and software license costs
ARAG Group - Case Study (Customer Success Story): Ensuring data privacy while eliminating defects in production with CA Test Data Manager.
CHALLENGE: ARAG needed to maintain data privacy and anonymize data used in a variety of settings, including test and development.
SOLUTION: CA Test Data Manager allows the test and development teams at ARAG to successfully create and manage test data that is both fit-for-purpose and of a high quality, while also significantly improving testing efficiency.
RESULTS: As a result, ARAG can be confident that the solutions it delivers to its clerks are of a higher quality and the data used to test those solutions complies with data privacy regulations.
Demo - Tom Finch
Building some synthetic data in the CA Test Data Manager web portal
Recommended Sessions
SESSION# | TITLE | DATE/TIME
DO5T19S | Case Study: GM Financial Builds a Sustainable, Holistic, Continuous Delivery Practice | 11/17/2016 at 4:30pm
DO5X42S | Test Data on Demand: Delivering the Right Data, to the Right Place, at the Right Time | 11/17/2016 at 4:30pm
Must See Demos
Achieving Compliance - CA Test Data Manager - DevOps Theatre 5
Modernize App Delivery - CA Test Data Manager - DevOps Theatre 5
Build Test Data Quickly - Integrated Continuous Delivery - DevOps Theater 5
Deliver Better Apps - Service Virtualization - DevOps Theater 5