We just finished an intensive multi-month effort helping a premier multinational bank figure out how to eliminate production data from its development, test, and QA environments. One of the dirty secrets in our industry is that all too often real data is used in these environments without any of the controls normally associated with protecting account information, counterparty information, and firm specific intellectual property.
This general topic area is often referred to as Data Masking, but technically, data masking is simply one of many data obfuscation techniques. This particular project had some interesting challenges:
• The firm has both private banking and investment banking operations. Their data anonymization requirements varied substantially. For the investment bankers commercial off the shelf products and well known off-shore managed service providers satisfied its needs. In contrast, the private bank determined that based on local banking regulations, and its own risk appetite, that using anonymized data was insufficient because the original data might be disclosed via statistical analysis. The private bank requires the use of synthetic data, which has been created solely for development and test purposes and is not based on actual production data. To meet this need, it developed a customized solution in house.
• The firm outsources significant portions of its operation to lower cost geographies. This raises the challenge of complying with local data protection zone laws. The firm has to ensure that production data doesn’t leave its local jurisdiction while also ensuring that its off shore developers have data to work with that has internal coherence (e.g. twelve monthly net income fields actually add up to annual net income).
In the end, the complexity of the overall project was lowered by reducing the number of technologies and service providers. This reduction means that some parts of the bank have to migrate to different methodologies but the benefit is a significant reduction in support and maintenance costs. The bank can now also more quickly adapt to new anonymization requirements. Tackling data anonymization is a hard job but one that has the opportunity to protect the organization from leaking sensitive corporation information.
Jonathan is President & CEO of SystemExperts Corporation, a network security consulting firm specializing in IT security and compliance. Jonathan started the company in 1994. He plays an active, hands-on role advising clients in compliance, technology strategies, managing complex programs, and building effective security organizations. Jonathan brings a business focus to this multifaceted work balancing all technical initiatives with business requirements and impact.