How to secure non-production data: A Guide.


Production data and non-production data are very important to an organization of any size. And sometimes real production data makes it to non-production data in databases. That is one of the reasons why securing the data is so crucial. In this post, we are going to explain what production data and non-production data are. Then we’ll show you how to secure non-production data.


Before we talk about securing non-production data, let’s discuss what production data and non-production data are and how they differ. 


Production data is the data that is the business. Every organization, whether a startup or a big multi-national company, has critical data. For a bank, the customer data and the transactional data are production data. And for an e-commerce giant, the production data is the product catalog, the user information, and the transaction. This kind of data is secured with the best systems available. But any data taken by a hacker can cause both reputational and financial losses. 


Non-production data is generally used for testing and development purposes. In an ideal scenario, it should be fake data, but it should emulate real data. Suppose your production database contains 10 million records. That means the test database should also contain 10 million records. One thing to note is that only the action load and performance testing can be done. But sometimes the developers and testers require real production data. And in such cases, they are given a subset of the data, which is generally replicated. This is the reason why securing non-production data is so important. Even if this subset of production data is stolen by a hacker, it can cause havoc in the organization. 


Every organization uses databases. The data is the main part of the business, and in most cases, it’s the business itself. Now, whether this data is stored for internal purposes (like data on all the employees) or for external purposes (like the catalog of an e-commerce site), it is all considered production data. Every developer needs to work with databases to develop applications. They cannot work on production data, as they can corrupt it or, in worst-case scenarios, delete it. So, all developers work on non-production data from non-production databases. This data generally consists of fake records that replicate the original production database. But in some cases, it contains some real data, as the developers need to check the real structure of the records. The testers testing the database or application work on both production and non-production data because they need to test the application before it goes live in production to real-world users. They also test the production data the way an end user experiences it once the release goes through to production. 


As discussed earlier, the non-production data used by developers can also contain sensitive production data. These records can be sensitive records like credit card details, bank details, and even Social Security numbers. The exact data is not required by developers, but they at least need the structure of the database and the schema of the record. Now, before giving the data to developers or testers, it’s important to mask sensitive data through data masking


As the name suggests, we mask the original data before handing it to the developers or testers. In this process, the company first decides on the sensitive data that cannot go to the non-production database. The perfect masking needs to be done in a manner where the original data doesn’t go to the developer. But the data should have some meaning—a zip code should be a valid one. Some of the methods used for masking are shuffling and multiplier. In shuffling, the names are changed, so John becomes David and vice versa. And in multiplier, a random number is added to numeric data like dates. So, 12/31/2010 becomes 13/11/2019. Data masking is generally done with the help of tools, which we will look into in the next section. These tools mask data in two ways: static masking and dynamic masking. In static masking, the production database is used to create a static database, which contains masked data. This masked data is then used by developers and testers. In dynamic masking, whenever the developer or tester makes some query to the production database, a proxy service receives the request. It gets the real data from the production database but converts it to dummy data by masking it. And then it returns this masked data to the developer or tester. 


Here are some of the top data masking tools available. 


The Enov8 Test Data Management platform speeds up your development & testing process by identifying where data security vulnerabilities reside inside your databases, rapidly remediating those risks, through masking, to avoid breaches and automatically validate PII compliance success. It also comes with IT delivery accelerators for example: Data provisioning (DataOps) automation, Data Mining & Test Data Booking features. Enov8, geared for the larger enterprise, is probably the most “holistic” or feature rich solution.


Oracle Data Masking and Subsetting is a solution from a top provider that also runs on non-Oracle databases. It completes the masking in very little time. Besides masking, it also helps remove duplicate data in testing and development databases. The only drawback is that since it comes from a top vendor, it’s costly. For pricing details, you need to contact Oracle directly. 


Informatica’s persistent data masking tool is again a solution from a top vendor. It is created with big enterprises in mind and helps set data masking from a single location. That means the administrator can set the masking from a single place. It also supports a huge volume of data to mask, which is not possible with small solutions. It is again costly because it is an enterprise product. But Informatica offers a 30-day trial period. 


K2View’s Data Product Platform is one of the top data masking products on the market, and it does both static and dynamic masking. K2View not only masks traditional data but also records PDFs and images. In fact, it even masks the original image by blurring it. Because of the cost, it is most suitable for large organizations. 


DATPROF’s data masking tool has a state-of-the-art algorithm, which not only masks the data but can also generate a lot of dummy data from it. Besides traditional data, it also supports XML and CSV files. It has an easy-to-use interface and can create templates, which can be used later. The drawback of these templates is that they can be created on a Windows machine only. It does support a large number of records. 


Accutive Data Discovery and Masking is a top tool that also does data discovery of sensitive data. This is done automatically and can use preconfigured keywords. Or keywords like “credit card” or “Social Security numbers” can be added by the administrator. Besides this feature, the masked data is consistent across multiple destinations. Like if the masking of Rohit is done to John in the development database, then it is the same in the testing database. Also, data can be moved between multiple kinds of databases. It can be moved from an Oracle database to a MySQL database, or from a flat file to a MySQL database. The UI is very easy to use, and they have one of the most cost-effective products.


In this post, we first discussed production data and non-production data, as well as the differences between them. Then we reviewed how to secure non-production data through the process of data masking. This process masks sensitive data from the users of non-production data. We also looked into the top tools available for data masking. 


This post was written by Nabendu Biswas. Nabendu has been working in the software industry for the past 15 years, starting as a C++ developer, then moving on to databases. For the past six years he’s been working as a web-developer working in the JavaScript ecosystem, and developing web-apps in ReactJS, NodeJS, GraphQL. He loves to blog about what he learns and what he’s up to.

Leave a Reply