By Allan Peters

Most business enterprises are well aware of the need to protect their production computers from unauthorized access. Data security procedures are now routinely required by governmental regulation, such as Sarbanes-Oxley or HIPAA, or by industry self-regulation, such as through the PCI Security Standards Council. Even with such requirements, reports of data breaches are regularly reported in the press, exposing businesses to fallout ranging from unwanted media attention as the most basic response to potential legal exposure and costs as the most severe.

While the industry has moved to deal with the most egregious aspects of data theft, many computer systems still remain vulnerable to attack at some level. But there is yet another tier of computer data that remains practically untouched and unprotected by today’s new data security procedures – non-production systems used for in-house development, testing and training purposes. These “open” systems leave a large hole in the security practices at companies of all sizes and locations across the globe.

To put the size of the security threat into perspective, according to the Privacy Rights Clearing House (www.privacyrights.org), there have been over 605 reported breaches resulting in over 167 million data records containing sensitive personal information compromised since January 10, 2005. These 167 million data records are estimated to be less than half of the actual number of data records compromised as numerous reporting organizations either did not know the number or did not disclose the number of records compromised.

The organizations affected include both public and private companies, non-profits, and municipal, county, state and federal governments. Literally every industry is touched, and highly sensitive health, financial, employment, credit card, social security and other personal information (data) is compromised.

Understanding the Threat

Insider threats lead the way, accounting for approximately 60% of the breaches. The black market for sensitive personal information provides a powerful lure to some individuals, as stolen data has become a highly lucrative business. For example, credit card information brings $1.50/record and medical identity card information is worth even more at $5-$50/record.

Most organizations prefer to test their applications with “real data” in both their development and test environments, as this provides the best scenario to ensure applications work properly. However, typical control (people, process and technology) practices and security measures taken in development and test environments are a fraction of what is practiced within production environments. As a result, many companies inadvertently jeopardize highly sensitive information at the application development level.

According to Louis Carpenito, CISSP CISM, an independent senior security executive with a lengthy record of data security experience with such organizations as Symantec, Fidelity Investments and Johnson & Johnson, “In today’s software development world, many organizations have diversified their development resource. They either have development sites off shore (owned or contracted), contract coding to companies within their respective countries, hire contractors to work within their development facilities, and/or employ people to develop their software.”

“Since non-production environments are generally open with little or no logging and monitoring and are often accessed remotely,” Carpenito says, “they pose an easy target for data thieves, and quite simply invite both inside and external threats to harvest sensitive personal information with relative ease and without detection.”

In order to shore up defenses against these potential data breaches, organizations need to ensure they protect confidential data contained in non-production environments According to a Gartner Research (www.Gartner.com), businesses experience losses of up to $60 billion annually due to security gaps. In fact, removing a defect after software is operational can cost between two and five times as much as correcting the error within the development and QA process.

To help secure the many unprotected copies of confidential data that exist across the enterprise, a new class of data security software is being developed to enable organizations to automatically apply protection schemes to sensitive data while maintaining its integrity and test validity. This technology should cover three crucial components for addressing data security at the application development level.

First, organizations should seek a solution that enables them to use, customize and create sophisticated rules for masking or obfuscating sensitive information that has been moved into testing, training and other sandbox environments. Second, they should ensure their solution provides access control to sensitive information within systems like SAP. Finally, an effective solution will automatically identify and change every instance of sensitive data element in SAP’s complex data structures to minimize manual processes involved in securing information across all testing and development processes and systems.

Beyond meeting legal requirements imposed by data privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley requirements, maintaining data security on development, test and training systems can lower exposure to legal costs incurred in defending lawsuits by avoiding circumstances where sensitive data is lost, stolen or inappropriately accesses and used for illegal purposes. Appropriate data security software provides the means to make data safe for test environments, while meeting stringent legal requirements.

The threat to sensitive and confidential data is real and growing. According to Pam Dixon from the World Privacy Forum report on Medical Identity Theft: The Identity Theft That Can Kill You: “…medical identity theft is deeply entrenched in the healthcare system.” Her conclusion is that in addition to the financial consequences for identity theft victims, there is also significant risk of harm to the victims from erroneous information in their health files from an imposter and therefore legal exposure to the organization that did not protect against the theft.

Now more than ever companies need to find an increased understanding of the significance to protect sensitive personal information wherever it may reside within the organization. There is just too much sensitive personal information (data) in electronic form that is contained and flows throughout company systems. Data obfuscation as well as access control are tools that can and should be implemented to protect the information technology infrastructure.

Allan Peters is the chief executive officer for Gamma Enterprise Technologies, Inc. www.GetGamma.com