April 8, 2024

Separation of environments: Keeping production data safe in development

Separation of environments: Keeping production data safe in development

A lot of time is spent on the developer experience, yet access to and the quality of production environments has become an key consideration for developers when choosing their next team. However, non-production environments, left to the QA and test engineers, while crucial as they serve as the testing grounds for new applications and releases, has not received nearly the same attention and innovation over the last two decades - just look at the Test Data Management landscape. With more production data coming in than ever before, the use of real data in these settings can be enticing but come with serious risks as data regulations get tighter. 

In this article we’re exploring the critical role of non-production environments in today’s modern engineering organization, emphasizing the importance of data provisioning, testing, and security. We’ll walk through various types of testing environments and strategies for ensuring data consistency and integrity. As well as the risks associated with using production data in non-production environments, and how AI is reshaping the way we address these risks and support our testing and QA teams in their efforts to release better software, faster, and with less bugs.

The role of data non-production environments in software development

Non-production and preview environments are only as good as the data being used. Ask 100 engineers what data they would ideally be using in testing and development? Most if not all will tell you the closer the data they are using is to production, the better. Synthetic data or fake data, is a bit like thinking your fluent in French without ever stepping foot in Paris. Sure you can speak the language but when it comes to using it on the ground in La Marais, the real world isn’t the same as a scripted conversation on Babble. 

However, using production data in theses environments also raises major compliance risks and security concerns. Technical data access controls must adapt to the unique challenges of non-production settings, such as deploying incomplete features or temporary security measures inherent in the development process.

Elevating non-production environments in innovation

Non-production environments often receive less attention in innovation initiatives compared to production environments. However, these environments hold untapped potential as creative spaces for exploring new ideas and enhancing software functionality. By shifting focus towards non-production environments - coined “shift-left” -  and leveraging their capabilities for experimentation and development, organizations can accelerate innovation cycles, drive software evolution, and maintain a competitive edge in today's dynamic market landscape. Investing in the optimization of non-production environments is key to fostering a culture of innovation and achieving sustainable growth in software development endeavors.

Types of testing environments and their role in data utilization and security

Software development is not just about writing code; it's also about testing and delivering a reliable product that customers love. That's where different types of testing environments come into play, each serving a unique purpose in the software development lifecycle and playing a critical role in data utilization and security.

The Development Environment: Initial stage for developers to test new features safely without impacting users or systems. Employs data masking and synthetic data for realistic scenarios.

The Preview Environment: Platform for quality assurance and testing, mirroring production to assess functionality and address bugs. Utilizes advanced test data provisioning techniques.

Integration Testing Environment: Tests interactions between components, requiring accurate data provisioning.

User Acceptance Testing (UAT) Environment: Pre-production space for client verification, requiring data obfuscation.

Load Testing Environment: Evaluates system behavior under operational load, utilizing synthetic data for realistic simulations.

To ensure security within these non-production environments, sensitive data should be handled with care—scrambled, encrypted, or anonymized—to mitigate risks. Moreover, technical controls, such as prompt data deletion when no longer necessary, are imperative to prevent breaches and compliance violations, especially when cardholder data or other sensitive customer information is involved. By prioritizing these measures, enterprises can maintain the integrity and confidentiality of their data across all software environments.

Performance testing in non-production environments

Performance testing in non-production environments plays a crucial role in software development. It stresses the software under test conditions like heavy user loads or data processing on a massive scale to predict how new releases will perform under actual production conditions. This proactive analysis is essential for identifying performance bottlenecks that could lead to poor user experience, downtimes, or system crashes.

Non-production environments dedicated to performance testing, such as Performance Testing or Load Testing, simulate real-world traffic, offering a controlled environment to fine-tune system resilience. By adopting this rigorous approach, development teams can optimize software performance and deliver a product that's not just functional, but also robust and user-friendly.

In the performance testing landscape, certain key activities include:

Load Testing: Evaluating performance under expected loads, utilizing synthetic data generation to simulate diverse user interactions and data scenarios without exposing real user data.

Stress Testing: Determining the system's breaking point, employing data obfuscation techniques to protect sensitive information while subjecting the system to extreme conditions.

Volume Testing: Verifying software behavior with a large amount of data, necessitating efficient data provisioning methods to ensure accurate representation of production data volumes.

Such thorough testing within non-production setups ensures that systems can handle the demands of actual production loads, enhancing overall software quality and user satisfaction.

Real-world scenarios and resilience testing in non-production environments

As engineering teams strive to enhance the reliability and resilience of both infrastructure and products, testing in controlled non-production environments alone falls short in preparing for real-world unpredictability. To bridge this gap, Real-World Scenarios and Resilience Testing are imperative, exposing systems to elements of unpredictability like network outages or sudden spikes in web traffic. While practices like chaos engineering, exemplified by platforms such as Gremlin, stress-test infrastructure, there remains a significant need for innovation in applying similar methodologies to product or application testing. 

Beta testing serves as a crucial mechanism, enabling actual users to engage with the software within a staged environment, providing invaluable feedback on usability, functionality, and performance from a user-centric perspective, thereby refining the final product. Moreover, Security Testing Environments play a vital role in probing software for vulnerabilities, safeguarding sensitive data from unauthorized access or cyber-attacks by employing techniques such as data masking, encryption, and access controls to ensure robust security across all software environments.

Balancing the use of sensitive customer data in testing environments

One of the most delicate aspects of software testing involves the use of sensitive customer data. While production data offers the most realistic set of information for testing, its use in non-production environments comes with significant risks. To balance the need for authenticity in testing with the imperative of data security, various strategies are required.

Scrambling, encrypting, or anonymizing data are common methods to mitigate risk, and they should be part of any organization's practice when it comes to transferring sensitive information to a Testing Environment or Staging Environment. Additionally, these non-production systems should be designed with access controls that limit exposure to sensitive information, and procedures for securely deleting the data once it's no longer necessary.

However, while dummy data can provide a certain level of security, it may not capture all the nuances of real-world data, possibly leading to blind spots in testing.

The key challenges of using data in testing

Developers and testers frequently encounter the challenge of replicating real-world application conditions to ensure software resilience. This necessitates data that accurately mirrors active production environments and user behavior, posing difficulties in data provisioning and generation for testing. While synthetic data or fake data offers a promising solution with its artificially-generated datasets, often these are just virtual copies or require manual effort to scale.

Generating production-like data emerges as a solution to this dilemma. Algorithms informed by application scenarios and business logic produce diverse datasets to effectively simulate required conditions. However, creating and maintaining this data presents its own challenges. The generated data must comprehensively cover all testing intricacies, and algorithms require constant updates to reflect evolving business rules and application demands.

When relying on production data, stringent measures must be implemented. Techniques such as scrambling, encrypting, or anonymizing data protect sensitive information, while robust security controls over the test environment prevent unauthorized access. Prompt data deletion post-testing is essential, ensuring data exists only for as long as necessary.

The risks of using production data in non-production environments

The practice of utilizing production data in non-production environments carries significant risks, particularly given the stringent data privacy regulations that organizations must adhere to. These actions inadvertently make these environments prime targets for hackers, exposing redundant copies of sensitive test data to potential cyber attacks and amplifying security vulnerabilities. Statistics suggest that there could be as many as 8 to 10 copies of test data for every production environment, thus exacerbating the number of potential points of exploitation.

To address this challenge effectively, it is essential to maintain an immutable data baseline in non-production environments. This not only helps mitigate vulnerabilities but also obscures any traces that hackers may leave behind. However, relying solely on these measures is insufficient; the very use of production data inherently increases the risk of breaches, necessitating a proactive approach to security measures.

To effectively mitigate these risks, organizations must employ a combination of techniques such as data scrambling, encryption, or anonymization. Additionally, robust security controls must be implemented to restrict access to sensitive information and ensure the prompt deletion of data post-use, thereby minimizing the digital footprint that cybercriminals could exploit.

In order to comply with data privacy regulations, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States, it is essential to ensure the safe and responsible use of production data in non-production environments. These regulations impose strict requirements on the handling and protection of personal data, necessitating organizations to implement robust security measures and obtain explicit consent from individuals for data usage. By adhering to these regulations, organizations can safeguard the privacy and integrity of sensitive information while conducting testing and development activities.

Ensuring data consistency and integrity in production systems

The lifeline of any production system is the consistency and integrity of its data. Real-world scenarios require test data to be as authentic as possible without exposing sensitive information, pushing the adoption of synthetic data forward as a modern solution. This approach facilitates the creation of realistic testing conditions that safeguard against the inherent risks of using actual production data.

Data masking is one such method that adeptly reduces enterprise risk by concealing sensitive information while maintaining the usability of the data for testing purposes. However, to achieve full authenticity in test conditions, production data – whether encrypted, masked, or de-identified – must be meticulously crafted to catch all edge cases, minimizing the risk of compromising sensitive information.

Securing non-production environments is just as critical as securing actual production systems. Inadequate access controls can lead to significant breaches, underscoring the importance of holistic security measures across all environments. By ensuring the rigorous application of these methods, enterprises can forestall potential data theft and guarantee the integrity and confidentiality of production data.

Maintaining referential integrity

Maintaining referential integrity in software development environments, especially in non-production systems, is a critical aspect of both effective development practices and robust security measures. When development teams engage in quality assurance and resilience testing, source code alterations must reflect an alignment with change requests and business requirements. This ensures that the development environment mirrors real-world scenarios without data discrepancies.

Respecting Data in Non-Production Environments: To safeguard sensitive customer information and uphold legal compliance, replicating sensitive production data into a development or pre-production environment is strictly governed. Explicit approvals are mandated before such data can be utilized, thereby preserving referential integrity and protecting against security vulnerabilities.

Security Measures for Data Handling: To prevent the type of breach that could compromise a production system, rigorous technical controls must be applied. Scrambling, anonymizing, or encrypting data are some of the techniques that can help maintain the purity of the information used during performance testing in non-production environments, such as:

  • Scrambling Data
  • Encrypting Information
  • Anonymizing Identifiers

Moreover, akin to access controls within actual production landscapes, test credentials demand equal safeguarding to negate any unauthorized access to systems. By implementing stringent security protocols and having technical measures in place, enterprises can ensure that their non-production environments remain secure and that the integrity of the data is preserved at all times. After data use concludes, its secure and timely eradication is paramount in sustaining the cycle of protection and integrity.

The future of test data using Generative AI

In the evolving landscape of software development, test data management is increasingly reliant on Generative AI (GenAI). This technology promises to transform testing and development by creating synthetic data that mirrors real production datasets. GenAI enhances efficiency and security protocols within testing operations.

By generating synthetic data resembling original datasets, GenAI provides development teams with valuable information for system training. This aids in improving performance without risking sensitive customer details. As the digital ecosystem shifts towards AI-driven test data management, the integration of security and optimization reaches new heights.

Generative AI becomes a cornerstone technology for fabricating realistic datasets, fortifying testing processes. It enables thorough examination of software environments without compromising data security. Whether protecting against data leaks or regulatory compliance, GenAI marks an era of efficient and secure test data provisioning.

Data masking with GenAI

Data Masking with GenAI secures sensitive information by substituting it with indistinguishable fictional counterparts. This technique maintains referential integrity among interconnected platforms while upholding privacy.

Securing enterprise data is crucial for regulatory compliance and business efficacy. Data Masking with GenAI ensures data privacy while maintaining operational efficiency.

Data subsetting with GenAI

Data subsetting addresses challenges in using production data for testing within non-production environments. With GenAI, security measures extend throughout the test environment, shielding confidential customer information.

Relegating data generation to QA engineers ensures real datasets are replaced with artificial substitutes, aligning with industry best practices and securing sensitive data.

Data generation with GenAI

Data Generation with GenAI offers a versatile approach to crafting custom test data. Tools like Redgate SQL Data Generator populate database tables with diverse data patterns, ensuring consistency and reliability in testing.

Using synthetic test data generation consolidates security within non-production environments, meeting the demands of rigorous testing and development processes.

In summary, solid test data management practices, bolstered by GenAI, ensure data security and seamless testing and development.

Where to go from here?

  • Explore's AI-driven test data generation platform to streamline your testing workflows.
  • Embrace a 'shift-left' approach to testing, integrating testing into earlier stages of the development cycle for improved code quality.
  • Engage in continuous learning and experimentation with AI-powered testing techniques to stay ahead of the curve.
  • Collaborate with AI experts, data scientists, and testing teams to develop custom AI solutions tailored to your specific testing needs.