Compuware Corporation has announced the results of a global CIO survey on attitudes and practices relating to the use of customer data in outsourced mainframe application development and maintenance. The survey found that, despite significant security risks, 20 percent of companies do not mask or protect their customer data before providing it to outsourcers for application testing purposes. On the other end of the spectrum, 82 percent of companies that do mask their customer data before providing it to outsourcers describe the process as being difficult, and 56 percent of those that mask claim that masking data negatively impacts the quality of their testing and QA processes. Notably, 30 percent of companies do not provide their outsourcer with customer data at all, despite the fact that test data should reflect production data conditions as closely as possible.
"If applications are to be tested thoroughly, particularly in the complex world of the mainframe, test data conditions should reflect live data conditions as closely as possible or the application may not perform well in production," said Kris Manery, Senior Vice President and General Manager, Mainframe Solutions, Compuware. "Because the mainframe is central to the functioning of many businesses, any application downtime or disruptions can be disastrous. This presents a challenge to companies working with third parties to develop and maintain such applications, as it means organizations have to hand over their customer data. Providing third parties with unprotected customer data not only increases the potential for data to be misused or stolen, but can also put companies in danger of violating data protection regulations. Either could seriously impact revenues and reputation should a breach occur."
Data Privacy Concerns
The research highlights the fact that a number of companies are providing outsourcers with unprotected customer data to test applications. Most countries have strict data protection laws governing the use and sharing of customer data with third parties, but many companies appear unsure about the regulations in place and how they are affected by them:
* 43 percent of respondents that share customer data do not understand data protection laws and regulations
* 20 percent of companies do not mask customer data before providing it to outsourcers, as they fear doing so will impact the quality of their QA processes
* 87 percent of organisations that do not mask customer data before passing it to a third party rely on Non-Disclosure Agreements (NDAs) to protect their customers' data.
Unreliable Test Data
To avoid issues relating to data privacy, a number of organisations mask customer data or select small amounts of data rather than a full production copy, but this is a difficult process. Some go even further and do not provide any customer data to use in the testing process, forcing the need to create test data for application testing. This method, however, can be very expensive and time-consuming. These practices are impacting the quality of outsourced application development, as systems can't be thoroughly tested unless test data reflects current production data as closely as possible:
* 30 percent of companies do not use customer data when testing their mainframe applications
* 62 percent of companies that provide outsourcers with customer data use out-of-date data to test applications
* 82 percent of companies that mask their customer data before providing it to outsourcers describe the process as being difficult
* 56 percent of respondents that mask customer data believe the security measures they have in place to keep test data secure negatively impact the quality of testing and QA processes.
"Companies appear to feel trapped between a rock and a hard place," said Manery. "Without the proper tools, disguising data is difficult; similarly, using a full production copy results in higher than necessary resource consumption and increases the privacy risk. Both methods impact quality, because they do not use up-to-date and accurate production data. Yet providing third parties with customer data is equally unappealing, because companies have to rely on insecure NDAs, creating a risk of a data breach. What many don't understand is that there are methods, such as test data optimization, that allow companies as well as outsourcers to more easily create test data that can be processed efficiently while guarding against costly data breaches."