Last week I gave a talk at InformaticaWorld 2015 followed by a panel discussion with Manesh Gupta and John Gibel, both of Informatica. In the midst of talking about the different methods of securing test data, we found ourselves in a really interesting conversation about data masking and encryption. We searched around for a clear answer as to which made the most sense in a majority of use cases. In the end, we settled on “both” and “it depends”.
For those of you who don’t follow software testing, let me say, you should. Whatever your role in the software development process, everyone needs to test code and systems using some data source that mimics production data. With collaborative development, DevOps, mobile and cloud – both for and on these platforms – becoming more prevalent, the days when you could copy a chunk of production data and test away are long gone. There are too many ways that a test data set can find itself sitting in front of the wrong eyes. Those eyes might even be yours.
And this is where the debate starts. Data masking is great for keeping discrete types of private data from being viewed by someone who should not see it and probably does not want to. Encryption ensures that only authorized people, with authorization given in the form of a password, can work with the data at all.
Data masking hides specific data while keeping the rest of the data set useful for testing. Done properly, data masking not only replaces data with nonsense, it makes sure that the nonsense looks real. Encryption makes all the data unusable, including metadata, until decrypted. You can’t test with encrypted data until you decrypt it.
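To make "nonsense that looks real" concrete, here is an added example (not from the talk or from any Informatica product) of keyed, format-preserving masking. The key, the field names and the sample row are constructed for illustration, and making the mapping deterministic is a design choice of this sketch.

```python
import hashlib
import hmac
import string

# Constructed demo key (assumption): in practice it stays outside the test environment.
MASK_KEY = b"constructed-demo-key"

def _byte_stream(key, field, value):
    """Endless pseudorandom bytes from HMAC-SHA256 over (field, value, counter)."""
    counter = 0
    while True:
        msg = f"{field}|{value}|{counter}".encode()
        yield from hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1

def _pick(stream, alphabet):
    """Choose one character without modulo bias (rejection sampling)."""
    limit = 256 - 256 % len(alphabet)
    b = next(stream)
    while b >= limit:
        b = next(stream)
    return alphabet[b % len(alphabet)]

def mask_value(field, value, key=MASK_KEY):
    """Digits become digits, letters become letters of the same case;
    punctuation is kept, so the masked value still fits the field's format."""
    stream = _byte_stream(key, field, value)
    out = []
    for ch in value:
        if ch in string.digits:
            out.append(_pick(stream, string.digits))
        elif ch in string.ascii_uppercase:
            out.append(_pick(stream, string.ascii_uppercase))
        elif ch in string.ascii_lowercase:
            out.append(_pick(stream, string.ascii_lowercase))
        else:
            out.append(ch)
    return "".join(out)

def mask_record(record, sensitive_fields, key=MASK_KEY):
    """Mask only the listed fields; everything else stays usable as-is."""
    return {k: mask_value(k, v, key) if k in sensitive_fields else v
            for k, v in record.items()}

# Constructed sample row, not real data.
ROW = {"id": "1042", "name": "Alice Moreno", "ssn": "123-45-6789", "plan": "gold"}

if __name__ == "__main__":
    print(mask_record(ROW, {"name", "ssn"}))
```

Because the mapping is keyed, the same production value always masks to the same test value, which keeps joins across tables working. The key has to stay out of the test environment, since anyone holding it can confirm guesses of the original values.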
These are, as the panel concluded, mutually beneficial approaches. If you are carrying test data around on a laptop or mobile device, you want to keep it encrypted until you need to use it. However, even after it’s decrypted, some data may need to be masked to protect privacy. Encryption protects data from others’ eyes; data masking protects it from yours and from anyone looking over your shoulder.
Developers and test data are more mobile than ever. Containers make it easy to move a development stack with test data around. Mobile devices and cloud deployments raise the risk that test data will end up somewhere other than intended. Encryption and data masking are complementary, and together they provide a safer environment than either does alone. It’s the belt and suspenders for test data.