Compuware’s Neil Richards on Mainframe testing, using real-life data and risks associated with it

ITProPortal sat down with Neil Richards, director of Mainframe Solutions at Compuware, to discuss about a recent survey carried out by the company over the management of customer data within enterprises when developing mainframe applications.

In what ways do companies use customer data when it comes to mainframe application development, testing and maintenance?

Companies often turn to outsourcers for mainframe application development because they lack the in- house knowledge necessary for developing and testing complex applications. One of the key ways companies use their customers’ data is when testing applications during the Quality Assurance cycle to make sure those applications work in a real world environment. Compuware’s global research into mainframe outsourcing found that 20 per cent of companies that hand over sensitive customer data to outsourcers do not mask the data, while 30 per cent do not provide their outsourcer with any customer data at all.

Why is it important that the testing environment uses customer data in the first place?

Because the mainframe is central to the functioning of many businesses, any application downtime or disruptions can be disastrous. If applications are to be tested thoroughly, particularly in the complex world of the mainframe, test data conditions should reflect live data conditions as closely as possible or the application may not perform well in production. Yet many companies are not using current customer data for fear of putting data at risk. Our research found that 30 per cent of companies do not provide customer data at all to their outsourcers’ for application testing.

Can data not be synthesized?

To avoid the issues around protection of customer data, some companies do create synthesized data for application testing; but this method can be very expensive and time-consuming. It also means that the data does not fully reflect the live production conditions, which can impact on the thoroughness of the testing and the eventual application.

What are the arguments for and against masking of customer data in the testing cycle?

While masking data is necessary to protect sensitive customer data, Compuware’s research found that 82 per cent of companies that do mask their customer data before providing it to outsourcers describe the process as being difficult. Further, 56 per cent of those that mask claim that masking data negatively impacts the quality of their testing and QA processes. Alarmingly, 20 per cent of companies do not mask data at all for fear of impacting testing quality, increasing the chances of customer data being maliciously misused.

What are the potential dangers or issues with the use of unprotected customer data?

Providing third parties with unprotected customer data not only increases the potential for data to be misused or stolen, but can also put companies in danger of violating data protection regulations. Either could seriously impact revenues and reputation should a breach occur. Over two fifths (43 per cent) of our research respondents that share customer data say they are not well-briefed on data protection laws and regulations.

How does the decision to mask or not mask customer data impact on the eventual quality of outsourced application development?

Companies appear to be trapped between a rock and a hard place. Without the proper tools, disguising data is difficult; similarly, using a full production copy results in higher than necessary resource consumption and increases the privacy risk. Both methods impact quality, because they do not use up-to-date and accurate production data. Yet providing third parties with live customer data is equally unappealing, because companies have to rely on insecure NDAs, creating a risk of a data breach.

How are companies currently protecting themselves against the risks of using non-masked customer data in testing?

To avoid issues relating to data privacy, a number of organisations mask customer data, select too little data, or create their own test data, but these are difficult processes. These practices are impacting the quality of outsourced application development, as systems can’t be thoroughly tested unless test data reflects current production data as closely as possible.

Do companies understand the implications around customer privacy and legislation which govern the use of customer data?

Most countries have strict data protection laws governing the use and sharing of customer data with third parties, but many companies appear unsure about the regulations in place and how they are affected by them. Our recent research found that 43 per cent of respondents that share customer data do not understand data protection laws and regulations that apply to their region and that 87 per cent of organisations that do not mask customer data before passing it to a third party rely on Non-Disclosure Agreements (NDAs) to protect their customer’s data.

What are the alternatives for companies wishing to test their mainframe applications and how can they avoid the risks associated with the use of customer data during testing?

What many don’t understand is that there are test data optimization methods that allows companies as well as outsourcers to more easily create test data that can be processed efficiently while guarding against costly data breaches. Test data optimization protects sensitive data by masking, translating, generating, aging, analysing and validating test data; while also ensuring all mainframe test conditions are met.

Neil Richards is the Director of Mainframe Solutions at Compuware