Why Data Privacy And DevOps Should Always Work Hand in Hand

5/24/2021



 

Organizations have a responsibility to safeguard private data and to use that data responsibly. This is why we are currently seeing a slate of new data privacy laws following on from the notoriously stringent General Data Protection Regulation (GDPR), including the California Consumer Protection Act (CCPA), the Virginia Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA), each with their own strict requirements for handling sensitive data. Non-compliance not only results in heavy fines, but also leaves businesses vulnerable to lawsuits and damage to their reputation.   
 

But it is not only compliance and privacy officers that need to be constantly alert and up to date. Data privacy also falls under the jurisdiction of DevOps teams. This is because development environments are often where the journey of data begins. 
 

If you’re new to Privacy DevOps, here’s a quick look at what you need to know. 
 

  

Privacy Threats  
 

Privacy of Personally Identifiable Information (PII) records can be subjected to two main risk factors, namely intentional and unintentional threats.   
 

Intentional threats include activities that can result in a data breach, such as malware, cyber-hackers, and malicious insiders. Once data has been breached, an individual’s privacy has been breached as well. In this case, data security and data privacy go hand in hand.   
 

Unintentional threats can include an unsuspecting insider being set up with malicious code designed to extract information from their computer without their knowledge, employee negligence, and accidental disclosure (such as the loss of a laptop).
 
  

When threats such as these arise, DevOps teams respond by tightening security. However, technical compliance developments in recent years have led to stricter enforcement of privacy and security frameworks (HIPAA/HITECH privacy frameworks, for example) as well as the creation of new stringent privacy laws. Used together, a data privacy and security framework should contain a collection of ad-hoc rules or an architected system of complex control measures to improve security and safeguard the privacy of sensitive data.  

 

This includes the implementation of a data de-identification tool like data masking. 

    

How Data Flows Across Environments  
  

Data flows across environments, across test environments, integration servers, desktops and more. Teams need to understand how data travels in and out of an organization and how an individual’s privacy is affected by these processes.     
  

There are two ways to obtain data for testing:  

  • Filling an empty database with test data or automatically filling it with synthetic data.   

  • Obtaining the necessary de-identified data from the production environment through an authorized person like a data controller, security officer, or product manager.  

   

Data privacy risk varies according to the size of the organization. Startups can be considered low risk, as little to no PII is being stored. Larger organizations in a state of constant development will have a continual flow of data and can therefore be considered high risk. Data masking should form a continuous part of development and DevOps processes to ensure maximum protection and compliance.  

   

When Is The Best Time To De-identify Data?  
 

As a result of teams operating in “silos” to keep up the required speed of production, data protection tools like data masking need to be employed before development takes place. This ensures that data protection methods meet compliance requirements before the data enters the development environment.   
 

Data masking tools work on the golden database copy of existing systems. By not employing a de-identification method at this crucial stage at the beginning of the cycle, an organization will automatically be deemed non-compliant. A data masking tool that integrates well with your existing architecture should form an essential part of your development toolbox.  
  

Hush-Hush SSIS Data Masking Components are an extension of SQL Server Integration Services that install, integrate, and get to work instantly to automate data protection in your business.  
 

Request a free demo or trial today. 

  


BuildNumber = dev_20210906.1