Pre-Con Ed: Test Data Management and Compliance: Is your Test Data Ready for Another Regulation

World®’16

TestDataManagementandCompliance:- IsyourTestDataReadyforAnotherRegulation?BenRiley - PrincipalConsultant- CATechnologies

DO5X05E

DEVOPS

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.

Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.

ForInformationalPurposesOnlyTermsofthisPresentation


Abstract

This90-minutepresentationwilldiscussthenewGDPRregulationandhowitimpactsyouruseofproductiondataintest.ThissessionwilldemonstratetheuseofCATestDataManagertocreatesyntheticdatafromscratchandhowyoucanavoidtheuseofproductiondataaltogether.

BenRiley

CAPrincipalConsultantPresales


Agenda

GDPREXPLAINED

WHAT'SSOIMPORTANTABOUTTHEGDPR

HAVEIDONEENOUGH

WHO'SAFFECTED

DATABREACHES

STRATEGY&APPROACH

1

2

3

4

5

6


GDPR– ExplainedGeneralDataProtectionRegulation

§ NewEUdataregulationsintendstounifylegislation,sothatasinglesetofrulesappliesacrosstheEU.

§ WhentheGDPR comesintoforceon25May2018,allorganisationsthatprocessthepersonallyidentifiableinformationofEUresidentswillberequiredtoabide byanumberofprovisionsorfacesignificantpenalties.


What’ssoimportantabouttheGDPR?

§ Whoisitgoingtoaffect?

§ WhatarethePenalties&Sanctions

§ DataBreachRegulation&Process

§ RighttoErasure

§ PrivacybyDesign– SDLCImplications.

GDPR– GeneralDataProtectionRegulation


Whoitappliesto?

§ Non-EUorganisationsthatdobusinessintheEUwithEUdatasubjects'personaldatashouldpreparetocomplywiththeRegulation.– DoyouworkwithE.Ubasedcompany’s?– DoyouhaveacustomerbasefromwithintheE.U?– Doyouhaveastrategytocomplyandisitstrongenough?

GeneralDataProtectionRegulation


WhatarethePenalties&Sanctions?

§ ToughPenalties– FirstBreach2%GlobalTurnoveror$10,000,000 (Whicheverisfirst)

§ Ifacompanystillfailstocomplytoasecondaudit…– 4% Globalturnoveror$20,000,000

§ Company’swillbegiventimeto‘correct’issueswhichcanbecorrected.RegularAudits willalsobeputinplaceforoffendingorhighriskcompanys.



DataBreachRegulation&Process

§ Theconsentdocumentshouldbelaidoutinsimpleterms.– Silenceorinactivitydoesnotconstituteconsent;clearandaffirmative

consenttotheprocessingofprivatedatamustbeprovided.

§ Datacontrollerswillberequiredtoreportdatabreachestotheirdataprotectionauthority.– Thenoticemustbemadewithin72hoursofdatacontrollersbecoming

awareofit.– Regularsupplychainreviewsandauditswillberequiredtoensurethey

arefitforpurposeunderthenewsecurityregime.



RighttoErasure

§ Therighttoerasureisalsoknownas‘therighttobeforgotten’.– Thebroadprincipleunderpinningthisrightistoenableanindividualto

requestthedeletionorremovalofpersonaldatawhetherthereisnocompellingreasonforitscontinuedprocessing.§ Wherethepersonaldataisnolongernecessaryinrelationtothepurposeforwhichitwasoriginallycollected/processed.

§ LegalObligations§ Thepersonaldatawasunlawfullyprocessed§ Whentheindividualwithdrawsconsent.



PrivacybyDesign

§ TheGDPRrequiresthatprivacyisincludedinsystemsandprocessbydesign.– Thismeansthatsoftware,systemsandprocessesmustconsider

compliancewiththeprinciplesofdataprotection.– Theessenceofprivacybydesignisthatprivacyinaserviceorproduct

istakenintoaccountnotonlyatthepointofdelivery,butfromtheinceptionoftheproductconcept.



GDPR– KeyTermsGeneralDataProtectionRegulation

§ PersonalData:– Meansanyinformationrelatingtoanidentifiablenaturalperson– Anidentifiablenaturalpersonisonewhocanbeidentified,directlyor

indirectly

§ CoreIdentifiers– Name,anidentificationnumber,locationdata,anonlineidentifieror

tooneormorefactorsspecifictothephysical,physiological,genetic,mental,economic,culturalorsocialidentityofthatnaturalperson.


GDPR– KeyTermsGeneralDataProtectionRegulation

§ DataBreach– Abreachofsecurityleadingtotheaccidentalorunlawfuldestruction,loss,

alteration,unauthorised disclosureof,oraccessto,personaldatatransmitted,storedorotherwiseprocessed;culturalorsocialidentityofthatnaturalperson.

§ RichardHammond,TopGearPresentercrash2006– Aninvestigationhasbegunafterhospitalstaffwereaccusedofspyingon

RichardHammond'smedicalrecords.– LastJuly,healthbossesvowedtocrackdownoncomputersecurityafteritwas

reportedthatpatients'recordsattheTrust'shospitalwereused"inappropriately"morethan70,000 timesinonemonth.


DataBreaches

§ BrightonandSussexUniversityHospitalsNHSTrust(2010)– TheInformationCommissioner(ICO)endedupimposingafineof

£325,000aftersensitivepatient dataofthousandsofpeoplewasdiscoveredonharddrivessoldoneBay.

§ SonyPlayStationNetwork(2011)– Thelargestdatabreachinhistoryatthetime,Sony’sdisastrous2011

breachsawhackersmakeoffwiththecustomerrecordsof77millionpeoplerelatingtoitsPlayStationNetwork,includingasmallnumberrevealingcreditcardnumber

GDPR


DataBreaches

§ Kiddicare (2016)– ParentingretailerKiddicare hassufferedadatabreachthatexposed

thenames,addressesandtelephonenumbersofsomeofitscustomers.§ WhencustomersstartedreceivingsuspiciousSMStextmessagesaskingthemtotakeanonlinesurveyandaninvestigationeventuallyuncoveredtoerror.

§ Thecompanysaidithademailed794,000peoplewhomayhavebeenaffectedbytheincident.

§ Itsaidthedatahadbeentakenfromaversionofitswebsitesetupfortestingpurposes

GDPR


GDPRimpactonTestDataGDPR

§ SinceusershavetherighttowithdrawconsenttousetheirdataforTestingpurposerightfiltersandprecautionsneedtobeplacedwhilecopyingdatafromproduction– Discoverandidentifyallpersonaldataacrossdatabasesandfileformats– Theuseofpersonaldataforapplicationtestingmustbedisclosedtousersasa

“legitimateinterest,”consentobtainedandthedatadeletedwhentestingisfinished.

– Toreduceriskassociatedwithbreachesmask,personaldatawhenitsbeingusedforlowerenvironments


GDPRStrategy+TestDataManagementWhattodo..

§ ThisRegulationdoesnotapplytothepersonaldataofdeceasedpersons.

§ Imposeaproperaudit,process&strategicinitiativeacrosstheorganizationtoimbedkeyprincipals.


Atypicalenvironmentspace+issuesProduction

MainframeCoreapplicationHub

DistributedWorld

Oracle

SQLServer

RelationallyComplex

HighlyIntegrated

Legacy

BigData

Sensitive

Unknownstructures

Hard.

TestingEnvironments

MainframeCoreapplicationHub

DistributedWorld

Oracle

SQLServer

FullDBCopies

ProductPIIData

Lesssecurethan

production


TestDataManagement

§ WhereismyPIIhiding?– Isitsecure?

§ DoIhavetheapplicationknowledgetofindit?

§ AmIconfident,thatifauditedIwouldpass?

DataProfiling


TestDataManagementHowdoesCATDMapproachdatadiscovery


TestDataManagement

CATDMcontainsdatasamplingandadiscoveryfunctionalityforprofilingdata.§ Stringdataanalysis:Numericattributes,

suchasdateformatstimeformatsetc.§ Datavalueanalysis:Comparisons

withexistingreferencedata§ Lexicalanalysis:Analyzingpatterns,

characters&columns

HowdoesCATDMapproachdatadiscovery


Whatnext…?DoImaskdataorgeneratenewdata?

ShouldIfixwhatIhave?

ShouldIgeneratenew?


Fixwhatyou’vegot

§ CanwesecureexistingproductiondataforDev/Test?– Yes.Butit’softendifficult.– MaskingIshighlycomplex– oftensomeinformationisleftinasaformofcompromise.– ThedefinitionofPersonalInformationisgrowingincludinganythingrelatedtogenetic,

mental,economic,culturalorsocialidentity

§ Howhardisit?– Howeasyisittomaskallofthiscontent,whileretainingthereferentialintegrityneeded

fortesting?– Canyoureverseengineerdatafromcomplexrelationshipsusingapieceofexternal

information?

DataMasking


Fixwhatyou’vegot

§ CATDMhasahugenumberofmaskingfunctionstosecuretestdata&environments.

§ Werequireapplicationknowledgeandprofilingiskey.– Maskingisgreatwhendonewell.Ifyoumisssomethingyouareintrouble!!

§ CATDMhandlesreferentialintegrity&databasechanges.

DataMasking


OrGenerateNewData…?

§ Canwegeneratesecuredataintooursystems?– SyntheticTestDataisgeneratedfromscratch.Itcandrawnfrom‘real’

databutdoesn'tneedto.Itisthereforeentirelysecurefortesting.

§ E-Commerce– Lookuparandomproductandpriceinmytargetsystem,andthen

applyittomygenerateditemsandtheordertotal.

§ BankingandFinancialInstitutions– GeneratePaymentsagainstaninvoice.– Extractasubsetofclaimsandtheirhistory,andmergethemintomy

developmentsystem.

SyntheticTestData


GenerateNewData

§ CustomerCare– Createasetofsyntheticcustomerswiththesamecorecharacteristics

asproduction.– Then,create dataforaperson,addressandneworder.

§ CreditCardManagement– Create asetofcreditcardeventstotestmyfrauddetectionengine.

IncludetheexpectedresultFraud/NotFraudinthecommentssectionofthexmlmessagesoIcantestwhetherthecodehasdetectedtheeventscorrectly.

SyntheticTestData


TheHybridSolution

§ AutomatePIIdiscovery.Don’trelyfullyonSME validation.

§ Makesurealldatais“pseudo-anonymized”.– Theonlycaveatforthisisifyoucanprove consentforuse.– ThismeanscorePIIvaluesaremasked,preventingreverseengineering.

§ CreateTemplatedDataSynthesisroutines– Allowyourtesterstochoosewhatdatatheyneed,earlierinthetesting

phase.– Embracethechangeofapproach

Masking+SyntheticTestData


TestDataManagementPainPoints– EnvironmentFocus

§ RefreshofTestDatausingProductionDataisinefficient,intermsoftimeandcost– FullCopiesofproductionareoftenused– AvailabilityofProductionSystemsislimited– IssuesareamplifiedinMainframeenvironments

§ Anyuseofproductiondatarisksnon-compliance– Dataprivacylawsbeingstrengthened(e.g EuropeanGDPR)– Branddamageandpotentialfinesfordatabreachrepresenta

significantbusinessrisk– Testenvironmentsareinherentlylesssecurethanproduction


TestDataManagementPainPoints– Testing/QualityFocus

§ Thedataisnotofsufficientqualityfortesting– Productiondataisdrawnfrombusinessasusualscenarioswhich

typicallyhaslimitedcoverageoftheteststhatneedtoberun– Itisnotfitbyitsverynatureasitdoesnotcontain“baddata”,future

scenarios,unexpectedresultsandoutliers

§ Toomuchmanualeffort– Manualdatacreationisprohibitivelyslow,andscriptsorworkbooks

havetobeupdatedeachtimeachangeismade

§ Testersspendupto50%oftheirtimemanuallyfinding/creatingdatatomatchtestrequirements/criteria


TestDatashould…

§ Provideastandardsetofdatatotestwith§ Be“production-like”andyetcoverallpossibleteststhatneed

toberun,includingfutureandnegativescenarios§ Containenoughdatatotestwithrepeatedly§ Beup-to-date,whilealsocontainingallpreviousdataasrequired§ Containnosensitivedata§ Beprovisioned‘On-Demand’

– AspartofEnvironmentBuild– Allocated/reservedfortests&testcases


CATDMCapabilities

3 4 521

Createsmall subsets;Identifysensitivedata&replacewithmeaningful

equivalents

Capture theDataModelAnalyse databasedontest

requirements

Generate SyntheticDatatoimprovedataquality

Find/Allocate/Reservedatafortests

RapidlyprovisionFitforPurposeData

On-Demand


Questions?


RecommendedSessions

SESSION# TITLE DATE/TIME

DO5X22E Pre-ConEducation:ManagingTestDataAcrossDistributedandMainframeSystems 11/14/2016at10:30am

DO5X21EPre-ConEducation:AnOverviewofHowCATestDataManagerHelpsDeliverRigorouslyTestedSoftwareEarlierandatLowerCost

11/14/2016at1:00pm

DO5X06L TestDataManager- Masking,subsetting andgeneratingsyntheticdata 11/15/2016at09:00am


MustSeeDemos

ModernizeAppDeliveryIntegratedCDTheater5- DOV501P

DeliverTestDataFasterTestDataManagerTheater5- DOV511P

DeliverBetterAppsServiceVirtualizationTheater5- DOV507P

OrchestrateYourReleaseReleaseAutomationTheater5- DOV513P


Thankyou.

Stayconnectedatcommunities.ca.com

@CAWORLD#CAWORLD ©2016CA.AllRIGHTSRESERVED.36 @CAWORLD#CAWORLD

DevOps– ContinuousDelivery

FormoreinformationonDevOps– ContinuousDelivery,pleasevisit:http://cainc.to/PiTFpu

Technology

Pre-Con Ed: Test Data Management and Compliance: Is your Test Data Ready for Another Regulation