

Question

I work on a web application that manages information about transmission setups and processes client transmission statistics to generate billing charges for the services used by these clients.

The team that supports these clients is able to view setup information, including account information, and user access controls meet the requirements for their production usage of this information.

For testing, data is moved to testing/development environments where the account numbers need to be 'sanitized' or 'transformed' in the best way to keep the testing/development environments from exposing these account numbers.

I have done work with encrypting data and hashing data and I am looking for suggestions/comments about what are best practices for the 'sanitization/transformation' of these account numbers.

What's the best way to transform sensitive account numbers?

Explanation / Answer

In addition to the technique Enos mentions, another common technique is to use hashes. For many testing requirements hashes will be sufficient. Couple of gotchas, though:

- If the space isn't big enough, collisions could cause problems
- If you have logic that does something like matching account types by the first 4 digits being 0123, then hashing will fail on this type of logic
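
The two gotchas above, worked through in an added example that is not part of the original answer. It uses a keyed hash (HMAC-SHA256) rather than a bare hash, a choice made here because numeric account numbers are a small enough space to enumerate; `pseudonymize`, `transform_all`, `keep_prefix`, the key and the sample account numbers are hypothetical names and constructed values.

```python
import hashlib
import hmac

# Constructed demo key (assumption): a real key would stay outside test/dev.
KEY = b"constructed-demo-key"


def pseudonymize(account: str, key: bytes = KEY, keep_prefix: int = 0) -> str:
    """Map a numeric account number to a same-length numeric pseudonym.

    The first keep_prefix digits are copied unchanged so prefix-based logic
    (e.g. account type = first 4 digits) still works; the remaining digits
    are replaced by a keyed hash of the whole number.
    """
    if not account.isdigit():
        raise ValueError("account number must be all digits")
    if not 0 <= keep_prefix < len(account):
        raise ValueError("keep_prefix must leave at least one digit to replace")
    tail_len = len(account) - keep_prefix
    digest = hmac.new(key, account.encode(), hashlib.sha256).digest()
    # Only 10**tail_len outputs exist per prefix: this is the "space" that
    # has to be big enough to avoid collisions.
    tail = int.from_bytes(digest, "big") % 10 ** tail_len
    return account[:keep_prefix] + str(tail).zfill(tail_len)


def transform_all(accounts, key: bytes = KEY, keep_prefix: int = 0):
    """Return (mapping, collisions) for a batch of account numbers.

    collisions maps each pseudonym shared by two or more distinct real
    accounts to those accounts, so a load can be rejected instead of
    silently merging rows in the test database.
    """
    mapping, seen = {}, {}
    for acct in sorted(set(accounts)):
        pseudo = pseudonymize(acct, key, keep_prefix)
        mapping[acct] = pseudo
        seen.setdefault(pseudo, []).append(acct)
    collisions = {p: a for p, a in seen.items() if len(a) > 1}
    return mapping, collisions


if __name__ == "__main__":
    # Constructed sample: 1000 seven-digit accounts sharing prefix 0123,
    # so only 3 digits (1000 values) are left for the hashed part.
    small = [f"0123{i:03d}" for i in range(1000)]
    _, clashes = transform_all(small, keep_prefix=4)
    print(f"{len(clashes)} pseudonyms are shared by more than one account")
```

Keeping a prefix shrinks the hashed part, so the two gotchas trade off against each other: check the collision report on every refresh of the test data.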