Information Security Buzz

Many CEOs Falsely Led To Believe Company Is GDPR Compliant

By ISBuzz Team | July 23, 2019 | Updated: July 4, 2024 | 4 Mins Read

Insights gathered by Delphix reveal that companies are not masking sensitive data

Delphix, the data virtualisation platform, has found that companies in the UK are leading their CEOs to believe they are compliant with GDPR (General Data Protection Regulation) when they actually have significant amounts of unprotected personal data. This was revealed when Delphix spoke to custodians of data to hear what they had to say about balancing access to data with data security.

Companies today are rushing to be more digital and for many organisations that means innovating at breakneck speeds. It becomes easier for things to fall through the cracks, and development / testing environments become a security minefield as a result.   

With so many loosely managed and often unrefreshed development and test environments out there – both on-premises and in the cloud – Delphix spoke to CISOs, CIOs, testers and developers at UK companies to find out the state of play at their organisations.

Compliance conundrum   

A key finding that emerged was that many businesses are either unaware of or, worse yet, unperturbed by the non-compliance of their test data – despite GDPR having cemented its position as a key business consideration in Europe.

The Vice President at an organisation revealed to Delphix that they do not mark personal data at all. This alarming finding was further echoed when a developer revealed that he did not know if any of their test data is GDPR compliant at all.   

Perhaps even more shocking was a CISO admitting to telling their CEO that the company was GDPR compliant, despite having terabytes of unprotected personal data in non-production.   

Keeping it confidential   

Another key finding pointed to how many unauthorised personnel within companies were privy to confidential information they shouldn’t have access to. From salary details to private employee details, sensitive personal data is often held in test systems – a recipe for an embarrassing data breach.   

One developer Delphix spoke to admitted to finding out the salaries of everyone who works in Accounting because of unmasked HR data. Another developer echoed this with the revelation that the server sitting under their desk contained a multitude of data they should not have access to.   

On the other side, it was revealed that those who should be aware of sensitive data were in the dark, with the CISO of one organisation disclosing that he had no idea how to find all of the company’s sensitive data and was certain that the vast majority of it is completely exposed.

Speed is of the essence  

When trying to get to the root of the problem, Delphix found that a key reason for these bad – and at times non-compliant – data practices was frustrated developers who need data fast but cannot get it because data environments are expensive and time-consuming to create.

A DevOps Engineer let slip to Delphix that he averages 100 Battle Stars on Fortnite while waiting for data. Meanwhile, a tester admitted to spending at least 1 day a week browsing the web because of the time they spend waiting on data.   

This points to a significant issue amongst UK businesses today – private data is not being treated with the care that it should be and key decision-makers within organisations are completely unaware of this.    

Word to the wise  

“These confessions should come as a wake-up call to the C-suite,” said Eric Schrock, CTO at Delphix.

“It is clear that the vast majority of top-level execs are blissfully unaware of how easily accessible their highly sensitive data is. Pair that with growing frustration amongst developers looking to acquire data quickly and we have the perfect recipe for disaster,” he added.  

The vast majority of sensitive data in an enterprise exists in non-production environments used for development and testing. In fact, these environments represent the largest surface area of risk in an enterprise, where there are up to 12 copies for non-production purposes for every copy of production data that exists.   

Businesses must therefore invest in enabling their development teams to build better software, both faster and more securely. Elements such as self-service data controls and data virtualisation can enable development teams to access a dataset whenever they need it, for the environment they need it in – eliminating the need for a ticket-driven, request-fulfil model where teams have to wait on data for days on end.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
