Data masking in Salesforce
Getting GDPR compliant: mask data in a Salesforce environment
In software development we’re always on the clock. We need to release quickly – on time and on demand. To do that, we try to automate as much as possible. Salesforce typically has a production environment and helps us put together sandboxes for development (and that can be quite a number of sandboxes). Each of those sandboxes needs to be secure and compliant, just like the prod environment, but how do you do that?
Protect customer data in Salesforce with data masking
As an organization you want to take care of your customers and their data. They trusted you with it, so you need to ask yourself: “What do I need to do to protect my customers’ data?” How do you make sure that your Salesforce sandboxes are anonymized so they can be used for testing and development purposes? There are some things to keep in mind, because altering the data for your sandboxes will impact the people who work with those sandboxes (analysing, testing and developing).
Most organizations make several copies of production for the lower environments like development, test and acceptance. Next, security demands that the sensitive data in these copies is anonymized or masked. But this impacts the people working with (and having access to) these environments, since you’re altering or replacing the data while they are developing and testing with the original data. There’s a solution for this.
With the use of a dedicated environment you can replicate your Salesforce data at any given point in time and mask or anonymize this copy, which we call the “Test Data Master”. Next you can focus on (automated and/or on-demand) data provisioning from this masked source in many ways.
Salesforce data mask challenge
Within Salesforce, users or teams can design sandboxes for specific environments, such as development and testing environments. These sandboxes need data. So how do we get data from production into these sandboxes? A controversial yet regularly used method is to make an exact copy of prod in a sandbox: copying everything from production, both functional and technical. In effect you’re creating a second production environment. But this is not something you should want. You don’t want your developers to see all these customer details; you want (and need!) to protect that data.
Together with our partner Valori we’ve created a solution to protect customer data in development and testing activities. Valori has been our training and implementation partner for several years now. Their focus over the last 30 years has been on testing and quality, and on making sure that delivered software is of the expected value. Test Data Management is one of the pillars with which they help customers achieve this. Using a combination of DATPROF Runtime and DATPROF Privacy they created a package that is able to read all the information in the Salesforce environment (that can be either production or a full copy of production, for example) and create a one-to-one copy inside a separate environment, a ‘DATPROF environment’. This environment must still be handled as if it contained production data. The result of this copy is a ‘normal’ relational database that we can alter with DATPROF Privacy scripts to anonymize the data. Once it’s anonymized, we can send it back to the Salesforce environment. Then we have an anonymized, functionally and technically intact copy of production which can be used for development and testing activities: the customer data is protected.
But what if you have several teams and you want to create several sandboxes, or you need to maintain multiple environments? Many organizations still use the DTAP approach, having their development, testing and acceptance environments connected, but with Salesforce you can only create one full copy of production according to the default settings in Salesforce. So how do we get the data to the other ones?
Thanks to the intelligence in the solution, it’s possible not only to send the anonymized data back to the original source but also to send it to another sandbox. So imagine that you’ve taken all the information from the production environment, you’ve created this anonymized data set and you have three environments to provision… You just create three pipelines within DATPROF Runtime, making sure that all three sandbox environments are provisioned with this new dataset. This way each developer or tester can have his or her own isolated environment without breaking a chain of environments, influencing other tests or being influenced by other people. This is highly beneficial for development, testing and overall working speed.
Thanks to the joint efforts of DATPROF and Valori we were able to create this solution for Salesforce. During the first implementation by Valori on site at the customer, the challenge became broader than just the anonymization and subsetting of data within Salesforce. A major aspect for the success of the implementation was the functional integrity of the data between the Salesforce application and other applications within the chain. Specific processes, which needed to be tested from an end-to-end perspective, were dependent on Salesforce and another system. Therefore the need arose for functional integrity of data. The solution was altered by Valori so that it can be chained, anonymizing and subsetting data for both systems at the very same time.
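To make the functional-integrity requirement concrete, here is an added example (not DATPROF or Valori code, and not taken from the original page) that masks Salesforce Contact rows and rows from a second system with the same keyed, deterministic function, so an end-to-end join on email still matches after masking. The billing system, its column names, the key and all sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumption: one secret shared by every masking job in the chain, stored outside the sandboxes.
MASKING_KEY = b"constructed-demo-key-not-for-real-use"
FIRST_NAMES = ["Alex", "Sam", "Robin", "Kim", "Noa", "Jules"]
LAST_NAMES = ["Jansen", "Visser", "Bakker", "Smit", "Mulder", "Bos"]

# Constructed sample data: two Salesforce Contacts and rows from a hypothetical billing system.
CONTACTS = [
    {"Id": "003000000000001AAA", "AccountId": "001000000000001AAA",
     "FirstName": "Jane", "LastName": "Doe", "Email": "Jane.Doe@acme.example"},
    {"Id": "003000000000002AAA", "AccountId": "001000000000001AAA",
     "FirstName": "John", "LastName": "Roe", "Email": "john.roe@acme.example"},
]
BILLING = [
    {"invoice": "INV-1001", "customer_email": "jane.doe@acme.example"},
    {"invoice": "INV-1002", "customer_email": "john.roe@acme.example"},
    {"invoice": "INV-1003", "customer_email": "JANE.DOE@acme.example"},
]

def _digest(field: str, value: str) -> bytes:
    """Keyed digest: the same field and value give the same output in every system."""
    normalized = value.strip().lower()  # spelling variants of one address must mask alike
    return hmac.new(MASKING_KEY, f"{field}:{normalized}".encode(), hashlib.sha256).digest()

def mask_email(value: str) -> str:
    return f"user-{_digest('email', value).hex()[:16]}@example.invalid"

def mask_name(value: str, pool: list) -> str:
    return pool[int.from_bytes(_digest("name", value)[:4], "big") % len(pool)]

def mask_salesforce_contact(rec: dict) -> dict:
    # Id and AccountId are left untouched so record relationships stay technically intact.
    return {**rec, "FirstName": mask_name(rec["FirstName"], FIRST_NAMES),
            "LastName": mask_name(rec["LastName"], LAST_NAMES),
            "Email": mask_email(rec["Email"])}

def mask_billing_row(row: dict) -> dict:
    # Same function and key as the Salesforce side, so the cross-system link survives.
    return {**row, "customer_email": mask_email(row["customer_email"])}

def joined(contacts: list, rows: list) -> list:
    """(Contact Id, invoice) pairs matching on email, as an end-to-end test would join them."""
    return sorted((c["Id"], r["invoice"]) for c in contacts for r in rows
                  if c["Email"].lower() == r["customer_email"].lower())
```

Masking each system with independent random values would protect the data equally well but break the join; the shared key is what keeps the chain consistent, and it has to be protected like production data because it links masked values back to real ones.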
With the solution outlined above and shown in the demo video we’re able to reuse data from the Salesforce production environment and anonymize it. It doesn’t matter if you need one or twenty sandboxes – it can all be done. You can also connect your data from Salesforce with for instance SAP, the Pega Platform or some stand-alone platform or applications that you’ve created yourself. You can sync the same data among these systems. Data masking in Salesforce was never this easy!