If you are customer having a business application like Oracle E-Business Suite, PeopleSoft or SAP in production I am sure you have constantly run into this need to clone/replicate Production database.
Why would someone need a copy of production instance?
Some of the most common reasons are
- to create a test environment with representative production data
- to create a production support environment
- to create a custom development environment.
- to do volume testing
- to perform integration testing
- and many more
What should we be asking ourselves?
Every time you are faced with this need, besides the entire logistics, the hardware, software and storage needs, you have think about the governance aspects. (If not asked, it better be)
- How do we make sure critical/personal data stored in production is not exposed to the unauthorized users of the development environment?
- What subset of data should we prune?
- Which data do I mask/scramble? If, I did that how would itmpact the quality of the environment?
What is critical data?
If you consider the entire ERP, Supply Chain and CRM product footprint, there are large number of data points that are considered business critical, personal and legal. Any/All such data points are considered out of bounds when it comes to access by any of the unauthorized users. The user base we need to think about are third party consultants, testers, IT staff, helpdesk, partners, you get the idea.
Here are some of the key entities/data elements that you MUST have in your list of things to scramble
- HR Data (employee SSN, Date of Birth, Addresses, phone numbers)
- Payroll Information (employee payroll data, bank information)
- User Login Information (encrypted password in FND_USER)
- Credit Card Information (stored for either Receivables or Payables)
- Supplier Bank Information (in case it is stored for automated payments)
- Customer Information (contacts, addresses, bank accounts, if any)
- Critical Sales Opportunities (could include material information deemed as insider information)
What is Data Scrambling?
Data Scrambling or Data Masking is a technique used to mask critical data sets, attributes so the critical data is not visible to the users of the cloned/non-production database copied from production. Steven Chan has a detailed explanation on the same. The Application Management Pack in Oracle Application Manager allows administrators to define policies to scramble data on the clone.
You should also check out the Data Sheet Oracle has published on Data Masking.
Plan of action
Any of those replicated/cloned environments are considered open or semi-regulated and hence the pre-requisite for such environments should be data masking, pruning to eliminate any of the critical data.
Work with your corporate counsel to understand the regulatory compliance mandates that you are required to comply with. If you are a public company, most often that not, you will be required to comply with Sarbanes Oxley (SOX) 103,105,404 and 802 and PCI, Graham Billey Leach Act. If you are in the Health Care industry you might have needs to comply with HIPAA and likewise if you are in a Process Manufacturing company you might have CFR Part 11 and other regulations.
All the guidelines that apply on a production database in terms of access control/data security also apply to any copies of the production database.
If you are looking for more detailed information or help with defining Data Scrambling policies send me a note. I will be happy to share.
About Subraya Mallya
Subraya Mallya is a technology executive, entrepreneur involved in conceiving, building software businesses. In this blog, he focusses on business and technology strategies around Business Model, Product Development and Marketing. Connect with me on Twitter - @subrayamallya
April 30th, 2008 at 12:10 AM
Subraya — Good post. The need for data scrambling/masking is just picking up steam. I work for a software solutions provider, http://www.mentisoftware.com, and we have been in the market with data scrambling product (iScramble) for Oracle EBusiness suite, and this is our fifth year in operation. We are seeing an increased attention to this area now, and you are right on topic. Read this article from the Database Trends journal for a little more information on what we provide -> http://www.mentisoftware.com/data/DBTA%20March08.pdf
Best,
Rajesh Parthasarathy
April 30th, 2008 at 12:14 AM
Subraya – To suggest other areas, the industry based regulations are a good starting point. For example,
Gramm-Leach Bliley -> non-public financial balances (Banks, Credit Unions, Financial Services, Universities, etc)
HIPAA -> Healthcare information (Hospitals, Universities, etc)
And from a best practices perspective, protecting financial balances for the business as a whole is important (so that a developer does not end up analyzing performance and playing the stock market). We also have seen intellectual property stored in Oracle BOM and other manufacturing modules – protecting these is best practice as well.
Hope that helps.
Thanks,
Rajesh
March 4th, 2011 at 8:55 AM
Very well explained in laymans language.Best google search.
March 4th, 2011 at 9:14 AM
Thanks Avinash. Hope the post gave you all the information you were looking for.
October 11th, 2011 at 12:45 AM
I chose my graduate project to be on scrambling, pls i will kindly need materials, tutelage about data scrambling policies
My topic is Simulation of a 56Kbps Modem signal Scrambler
October 10th, 2011 at 11:45 PM
I chose my graduate project to be on scrambling, pls i will kindly need materials, tutelage about data scrambling policies
My topic is Simulation of a 56Kbps Modem signal Scrambler