Data Scrambling in Business Applications

By Subraya Mallya - April 2008 | Topics - Audit, Compliance, Configuration Management, Data Security

If you are a customer running a business application like Oracle E-Business Suite, PeopleSoft or SAP in production, I am sure you have repeatedly run into the need to clone or replicate the production database.

Why would someone need a copy of the production instance?

Some of the most common reasons are:

  • to create a test environment with representative production data
  • to create a production support environment
  • to create a custom development environment
  • to do volume testing
  • to perform integration testing
  • and many more

What should we be asking ourselves?

Every time you are faced with this need, besides the logistics and the hardware, software and storage needs, you have to think about the governance aspects. (If these questions are not being asked, they had better be.)

  1. How do we make sure critical/personal data stored in production is not exposed to the unauthorized users of the development environment?
  2. What subset of data should we prune?
  3. Which data do I mask/scramble? If I did that, how would it impact the quality of the environment?

What is critical data?

If you consider the entire ERP, Supply Chain and CRM product footprint, there are a large number of data points that are considered business critical, personal or legal. All such data points are out of bounds for any unauthorized user. The user base we need to think about includes third-party consultants, testers, IT staff, helpdesk and partners; you get the idea.

Here are some of the key entities/data elements that you MUST have in your list of things to scramble:

  1. HR Data (employee SSN, Date of Birth, Addresses, phone numbers)
  2. Payroll Information (employee payroll data, bank information)
  3. User Login Information (encrypted password in FND_USER)
  4. Credit Card Information (stored for either Receivables or Payables)
  5. Supplier Bank Information (in case it is stored for automated payments)
  6. Customer Information (contacts, addresses, bank accounts, if any)
  7. Critical Sales Opportunities (could include material information deemed as insider information)

What is Data Scrambling?

Data Scrambling, or Data Masking, is a technique used to mask critical data sets and attributes so that the critical data is not visible to the users of a cloned/non-production database copied from production. Steven Chan has a detailed explanation on the same. The Application Management Pack in Oracle Application Manager allows administrators to define policies to scramble data on the clone.

You should also check out the Data Sheet Oracle has published on Data Masking.
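
An added illustration (not code from the original post or from Oracle's tooling) of scrambling that keeps the clone usable: keyed, deterministic masking so the same SSN still joins across tables, and card numbers that stay Luhn-valid. The key, function names and sample rows are assumptions constructed for the example.

```python
import hashlib
import hmac

# Assumption: a per-clone secret held outside the cloned database (constructed value).
CLONE_KEY = b"constructed-demo-key"

def _digits(field, value, n):
    """n decimal digits derived from HMAC-SHA256 over the field name and value."""
    mac = hmac.new(CLONE_KEY, f"{field}|{value}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % 10**n).zfill(n)

def mask_ssn(ssn):
    """Deterministic: the same SSN masks to the same value in every table."""
    normalized = "".join(c for c in ssn if c.isdigit())  # ignore punctuation
    d = _digits("ssn", normalized, 9)
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"

def luhn_valid(number):
    """Standard Luhn checksum, as used by card-number input validation."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        n = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def mask_card(pan):
    """Same length and Luhn-valid; digits come from the HMAC, not the original."""
    body = _digits("card", pan, len(pan) - 1)
    check = next(c for c in "0123456789" if luhn_valid(body + c))
    return body + check

def mask_rows(rows, rules):
    """Apply column -> masking function rules to a list of dict rows."""
    return [{k: rules[k](v) if k in rules else v for k, v in r.items()} for r in rows]

# Constructed sample rows standing in for HR and payroll tables on the clone.
HR = [{"emp_id": 1, "ssn": "123-45-6789"}, {"emp_id": 2, "ssn": "987-65-4321"}]
PAYROLL = [{"ssn": "987-65-4321", "card": "4111111111111111"}]

masked_hr = mask_rows(HR, {"ssn": mask_ssn})
masked_payroll = mask_rows(PAYROLL, {"ssn": mask_ssn, "card": mask_card})
```

Because the mapping is keyed, anyone holding the key can test guesses against masked values, so the key should not be stored on the clone.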

Plan of action

Any of those replicated/cloned environments is considered open or semi-regulated, and hence the prerequisite for such environments should be data masking and pruning to eliminate any of the critical data.

Work with your corporate counsel to understand the regulatory compliance mandates that you are required to comply with. If you are a public company, more often than not, you will be required to comply with Sarbanes-Oxley (SOX) 103, 105, 404 and 802, PCI, and the Gramm-Leach-Bliley Act. If you are in the Health Care industry you might need to comply with HIPAA, and likewise if you are a Process Manufacturing company you might have CFR Part 11 and other regulations.

All the guidelines that apply to a production database in terms of access control/data security also apply to any copies of the production database.

If you are looking for more detailed information or help with defining Data Scrambling policies, send me a note. I will be happy to share.
