Using Masked Data for Testing


If you make a copy of the data in your Siebel production database for security testing or development purposes, then mask the sensitive data.

Data masking hides sensitive information by replacing it with similar-looking but nonauthentic data. Effective methods of data masking protect the original data by ensuring it cannot be recovered from the masked data while providing a version of the data that is functionally equivalent for testing purposes. Data, such as personal details and credit card information, must always be masked when used outside the production environment.

Siebel Business Applications do not provide data masking features; this functionality is provided by the RDBMS vendor. The Oracle Data Masking pack for Oracle Enterprise Manager provides data masking capabilities. If you are using an MS SQL or DB2 RDBMS, then refer to the vendor documentation for information on data masking products.

Methods of Masking Data

When using a copy of production data for testing or development purposes, you have to mask sensitive data but also ensure that the original data is not changed so much in the masking process that it no longer allows a valid test of the functionality being verified.

The most appropriate method of masking data, without substantially changing it, varies according to the type of the data. The following are some methods that can be used for masking different types of data:

  • Numbers, such as credit card numbers and product numbers. Rotate the numbers in the original data, and add a random value.
  • Dates and times. Add or subtract a fixed amount of time to the original date or time value. Make sure that the result of the operation is still a valid date or time, and that start dates in the original data still occur before end dates in the original data.
  • Names, such as customer names or personal names. Replace characters in names in the original data using a fixed or random substitution scheme. Be careful that the substitution does not increase the length of the resultant name values; otherwise, buffer overflows can occur.
  • Status values, such as Active or Suspended. Change each of the values to some other value picked from a list of known values. For example, a customer's status can be changed from Active to Suspended, but not to Inactive if the term Inactive is not recognized by the application.
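
The four methods in the list above, as an added Python example (it is not part of the Siebel guide or of any Oracle masking product). The field names, the sample row and the status list, including the value Closed, are constructed for illustration.

```python
import secrets
import string
from datetime import date, timedelta

_rng = secrets.SystemRandom()  # OS entropy: no seed from which the mapping could be replayed

def mask_number(digits):
    """Rotate the digits, then add a random value; the digit count never changes."""
    n = len(digits)
    k = _rng.randrange(1, n) if n > 1 else 0
    rotated = digits[k:] + digits[:k]
    return str((int(rotated) + _rng.randrange(1, 10 ** n)) % 10 ** n).zfill(n)

def shift_dates(start, end, days):
    """Apply one fixed offset to both dates so start still precedes end."""
    delta = timedelta(days=days)
    return start + delta, end + delta  # raises OverflowError rather than yield an invalid date

def make_name_table():
    """Random one-to-one substitution over ASCII letters (one character in, one out)."""
    lower = list(string.ascii_lowercase)
    _rng.shuffle(lower)
    shuffled = "".join(lower)
    return str.maketrans(string.ascii_letters, shuffled + shuffled.upper())

def mask_name(name, table):
    """Length is preserved; spaces, punctuation and non-ASCII letters pass through unchanged."""
    return name.translate(table)

def mask_status(status, known):
    """Pick a different value from the list the application already recognizes."""
    return _rng.choice([s for s in known if s != status])

def mask_row(row, table, days, known):
    """Mask one record, using the same table and date offset as the rest of the run."""
    start, end = shift_dates(row["start"], row["end"], days)
    return {"card": mask_number(row["card"]), "name": mask_name(row["name"], table),
            "start": start, "end": end, "status": mask_status(row["status"], known)}

# Constructed sample data; the field names and status list are hypothetical.
KNOWN_STATUSES = ["Active", "Suspended", "Closed"]
SAMPLE = {"card": "4111111111111111", "name": "Mary O'Brien",
          "start": date(2012, 3, 1), "end": date(2013, 2, 28), "status": "Active"}

if __name__ == "__main__":
    print(mask_row(SAMPLE, make_name_table(), 45, KNOWN_STATUSES))
```

Use one substitution table and one date offset for a whole masking run so that related rows stay consistent, and discard both afterwards.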

Siebel Security Hardening Guide Copyright © 2013, Oracle and/or its affiliates. All rights reserved.