Verizon recently blogged about one of its clients who caught an employee outsourcing his software development day job to China. While he sat at his desk through a normal working day, he paid someone else to log in to his computer using his physical RSA token, which he had FedExed to a contractor in Shenyang. He would spend the day surfing the internet while, ironically, he was being recognized as the top programmer in the building.
Several media outlets have picked up on this story, even going so far as to call him the ‘Tom Sawyer’ of the software developer community. An initial, common reaction to this story might be a chuckle. Not me. Think of how that single act of irresponsibility could bring an enterprise down or expose someone to identity theft.
Let’s take a look at the common software development lifecycle. A production application that may store sensitive or confidential information gets copied for developers to work from. Production data is considered the best data to run tests on because it carries the real-world quirks that fabricated test sets lack. So naturally, with that production application copy comes production data.
Enter Bob. He ships his ‘keys to the kingdom’ to a contractor in China. Not only does the outsourced contractor have access to the application code, potentially inserting malware, that contractor also has access to all test data – or in this case, production data. What if that application was a human resources database with email, payroll and national identifier data? Or a retailer customer database with credit card information and shipping addresses? What about a pharmaceutical research database, or a hospital electronic patient records database with your most personal medical information – or your child’s? The story isn’t so funny anymore.
While security software cannot stop employees from making bad judgment calls, it certainly can protect an organization’s employee, customer and patient data during the software development lifecycle. Data masking is a best practice that has been proven to keep sensitive data out of the hands of the wrong people throughout the application lifecycle.
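As an added illustration (not code from the original post or from any masking product), here is what masking a row of the HR copy described above could look like before it is handed to developers: the email and national identifier are replaced deterministically under a secret key so joins between tables still line up and application validation still passes, while the payroll figure is generalised to a band. The sample row and the key are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample: one row from the kind of HR table the post describes.
SAMPLE_ROW = {
    "employee_id": 1042,                  # surrogate key, carries no identity on its own
    "email": "bob.smith@corp.example",
    "national_id": "123-45-6789",
    "salary": 117350,
}

def _digest(key: bytes, field: str, value: str) -> bytes:
    """Keyed, deterministic digest: the same real value always masks to the same fake
    one (referential integrity survives), but without the key it cannot be reversed."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()

def mask_email(key: bytes, email: str) -> str:
    """Pseudonymous address on a reserved domain; the person and employer are removed."""
    tag = _digest(key, "email", email.lower())[:6].hex()
    return f"user-{tag}@masked.invalid"

def mask_national_id(key: bytes, national_id: str) -> str:
    """Format-preserving: every digit is replaced, separators and length are kept, so
    the application's own input validation still accepts the masked test data."""
    stream = _digest(key, "national_id", national_id)
    out, i = [], 0
    for ch in national_id:
        if ch.isdigit():
            # 32 digest bytes cover any realistic identifier; byte % 10 is slightly
            # biased, which is acceptable for test data that only needs to look real.
            out.append(str(stream[i % len(stream)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def mask_salary(salary: int, band: int = 10_000) -> int:
    """Generalisation: keep the order of magnitude (payroll arithmetic can still be
    tested) but drop the exact figure that would single out an individual."""
    return (salary // band) * band

def mask_record(key: bytes, row: dict) -> dict:
    """Mask one HR row; the surrogate employee_id is left untouched."""
    masked = dict(row)
    masked["email"] = mask_email(key, row["email"])
    masked["national_id"] = mask_national_id(key, row["national_id"])
    masked["salary"] = mask_salary(row["salary"])
    return masked
```

The key must live with the masking job, never in the development environment, otherwise the pseudonyms are only one lookup away from the real identities.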