On data leakage from non-production systems

Jacqueline Cope (School of Computer Science and Informatics, De Montfort University, Leicester, UK)
Francois Siewe (School of Computer Science and Informatics, De Montfort University, Leicester, UK)
Feng Chen (School of Computer Science and Informatics, De Montfort University, Leicester, UK)
Leandros Maglaras (School of Computer Science and Informatics, De Montfort University, Leicester, UK)
Helge Janicke (School of Computer Science and Informatics, De Montfort University, Leicester, UK)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 9 October 2017

Abstract

Purpose

This study is an exploration of areas pertaining to the use of production data in non-production environments. During the software development life cycle, non-production environments are used to serve various purposes, including unit, component, integration, system, user acceptance, performance and configuration testing. Organisations and third parties have been and are continuing to use copies of production data in non-production environments. This can lead to personal and sensitive data being accidentally leaked if appropriate and rigorous security guidelines are not implemented. This paper aims to propose a comprehensive framework for minimising data leakage from non-production environments. The framework was evaluated using guided interviews and was proven effective in helping organisations manage sensitive data in non-production environments.

Design/methodology/approach

The authors conducted a thorough literature review on areas related to data leakage from non-production systems. By analysing advice, guidelines and frameworks that aim at finding a practical solution for selecting and implementing a de-identification solution for sensitive data, the authors highlighted the importance of all areas related to sensitive data protection. Based on these areas, a framework was proposed, which was evaluated by conducting a set of guided interviews.
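The de-identification step that the design section refers to, as an added Python example that is not part of the paper: it takes a constructed copy of production records, replaces direct identifiers with keyed pseudonyms so that foreign keys still join in the test environment, suppresses or generalises fields no test case needs, and runs an audit check that no original identifier survives in the non-production copy. The field names, sample records, retention policy and the assumption that the HMAC key stays in production are all constructed for illustration.

```python
"""De-identify a copy of production records before it is loaded into a
non-production (test/UAT) environment.

Added example, not from the paper: the field names, sample records and the
retention policy below are constructed. The pseudonymisation key is assumed
to be held only in production, so tokens in the test copy cannot be reversed
from inside the non-production environment.
"""
import hashlib
import hmac

# Constructed sample of production data (fictional people and values).
PRODUCTION_CUSTOMERS = [
    {"customer_id": "C1001", "name": "Alice Example", "email": "alice@example.org",
     "national_id": "AB123456C", "dob": "1984-03-17", "balance": 1520.55},
    {"customer_id": "C1002", "name": "Bob Sample", "email": "bob@example.net",
     "national_id": "CD654321E", "dob": "1991-11-02", "balance": -40.00},
]
PRODUCTION_ORDERS = [
    {"order_id": 1, "customer_id": "C1001", "amount": 19.99},
    {"order_id": 2, "customer_id": "C1002", "amount": 5.00},
    {"order_id": 3, "customer_id": "C1001", "amount": 120.00},
]

# Constructed key; in practice it stays in production and is rotated.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-practice"


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed token: same input -> same token, so foreign keys
    (customer_id in orders) still join after de-identification, while the
    token cannot be reversed without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Keep the domain (useful for routing tests), drop the local part."""
    _, _, domain = email.partition("@")
    return f"user-{pseudonymise(email)[:8]}@{domain}"


def generalise_dob(dob: str) -> str:
    """Reduce precision to year only; enough for age-band logic in tests."""
    return dob[:4]


def deidentify_customer(rec: dict) -> dict:
    """Apply the per-field treatment decided for this data set."""
    return {
        "customer_id": pseudonymise(rec["customer_id"]),
        "name": f"Customer {pseudonymise(rec['name'])[:6]}",
        "email": mask_email(rec["email"]),
        "national_id": None,            # suppressed: no test case needs it
        "dob": generalise_dob(rec["dob"]),
        "balance": rec["balance"],      # retained: needed for business-logic tests
    }


def deidentify_order(rec: dict) -> dict:
    """Orders carry no direct identifiers beyond the customer foreign key."""
    return {**rec, "customer_id": pseudonymise(rec["customer_id"])}


def build_test_copy(customers: list, orders: list) -> tuple:
    """Produce the de-identified tables destined for the non-production copy."""
    return ([deidentify_customer(c) for c in customers],
            [deidentify_order(o) for o in orders])


# Fields whose production values must not appear anywhere in the test copy.
DIRECT_IDENTIFIERS = ("name", "email", "national_id", "customer_id")


def leaked_values(production_rows: list, test_rows: list,
                  fields=DIRECT_IDENTIFIERS) -> set:
    """Audit check for the assurance record: any original identifier string
    found anywhere in the test copy is a leak. Empty set means clean."""
    originals = {str(r[f]) for r in production_rows for f in fields if r.get(f)}
    serialised = repr(test_rows)
    return {v for v in originals if v in serialised}


if __name__ == "__main__":
    customers, orders = build_test_copy(PRODUCTION_CUSTOMERS, PRODUCTION_ORDERS)
    print(customers)
    print("leaks in customers:", leaked_values(PRODUCTION_CUSTOMERS, customers))
    print("leaks in orders:", leaked_values(PRODUCTION_CUSTOMERS, orders))
```

The audit function is the part worth keeping in a pipeline: running it against the naive (untreated) copy returns every identifier, which is the evidence that a copy bypassed the treatment step, and running it against the treated copy returning an empty set is the documentary evidence the paper's framework asks for at the assurance and audit stage.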

Findings

This paper has researched the background information and produced a framework for an organisation to manage sensitive data in its non-production environments. This paper presents a proposed framework that describes a process flow from the legal and regulatory requirements to data treatment and protection, gained through understanding the organisation’s business, the production system, and the purpose and requirements of the non-production environment. The paper shows that there is some conflict between security and perceived usability, which may be addressed by challenging the perceptions of usability or identifying the compromise required. Non-production environments need not be the sole responsibility of the IT section; they should be of interest to the business area that is responsible for the data held.

Originality/value

This paper proposes a simplified business model and framework. The proposed model diagrammatically describes the interactions of elements affecting the organisation. It highlights how non-production environments may be perceived as separate from the business systems, but despite the perceptions, these are still subject to the same legal requirements and constraints. It shows the interdependency of data, software, technical infrastructure and human interaction and how the change of one element may affect the others. The proposed framework describes the process flow and forms a practical solution in assisting the decision-making process and providing documentary evidence for assurance and audit purposes. It looks at the requirements of the non-production system in relation to the legal and regulatory constraints, as well as the organisational requirements and business systems. The impact of human factors on the data is also considered to bring a holistic approach to the protection of non-production environments.

Citation

Cope, J., Siewe, F., Chen, F., Maglaras, L. and Janicke, H. (2017), "On data leakage from non-production systems", Information and Computer Security, Vol. 25 No. 4, pp. 454-474. https://doi.org/10.1108/ICS-02-2017-0004

Publisher: Emerald Publishing Limited

Copyright © 2017, Emerald Publishing Limited