Data Security

When using a Test Data Management (TDM) tool, be aware that it may have broad access to productive/live data. It may also access test environments, databases, file systems, interfaces, scripts, jobs, and automation workflows.

This access can create significant security and data protection risks. A TDM solution may allow more users to access, view, copy, transform, export, or process sensitive data, which can include confidential or personal information that was originally intended only for production environments.

If access is not properly controlled, data may be exposed or misused. This can lead to unauthorized access, data leakage, or non-compliance with data protection regulations such as GDPR.

TDM tools may also provide functions to execute code, scripts, database statements, transformation logic, or integration jobs. These functions require special protection. If they are not sufficiently restricted, they could be abused to run malicious code. They could also be used to modify data, extract information, or compromise connected systems.

Users and administrators must understand these risks. They should implement appropriate technical and organizational security measures. These measures should include strict access control, role-based authorization, and the least-privilege principle. They should also include secure authentication, logging, monitoring, and approval processes for critical operations.

Credentials must be handled securely. Scripts, jobs, and other executable components should be checked before they are run. Permissions and configurations should be reviewed regularly.

Productive data should only be used in testing when it is strictly necessary. Where possible, data should be minimized, anonymized, masked, or pseudonymized. Sensitive data should be protected before it is used in non-production environments.

Access to sensitive data must be limited to authorized personnel. The same applies to functions that can execute code or change systems.

Careful handling of productive data, system access, and executable components is essential. It helps prevent data breaches, unauthorized access, execution of malicious code, and compromise of connected systems. It also helps protect the privacy and security of all affected data subjects and systems.

Recommendations

The following checklist is intended to help users configure the XDM installation as securely as possible as part of the Technical and Organizational Measures (TOM) for data protection.

  1. Credential Encryption: XDM needs to store credentials for connecting to source and target database systems. These passwords are kept in XDM’s internal database. We strongly recommend enabling password encryption for all credentials stored in XDM. See Password Encryption for more information.

  2. Secure Communication (SSL/TLS) Enforce SSL/TLS encryption for all communications between end-user browsers and the XDM web UI to protect data in transit from unauthorized access. See Setup SSL encryption.

  3. Restriction of Admin Privileges The ADMIN role in XDM’s permission management system allows members to access all objects within XDM. Grant the admin privilege only rarely and exclusively to highly trusted users.

  4. Restriction of Admin Database User Permissions It is recommended to create a dedicated database user to perform XDM tasks. This user should have only the minimum required permissions to perform its tasks.

    If possible, separate responsibilities by using different users for read-only and write operations.

    With the following steps, a xdm-admin user can be created:

    1. Create the user with a secure password:

      CREATE USER my_xdm_admin WITH PASSWORD 'my_xdm_admin_password';
    2. Grant the user the ability to connect to the database

      GRANT CONNECT ON DATABASE my_database TO my_xdm_admin;
    3. Now the user can be granted any amount of privileges, i.a. SELECT, INSERT, ALTER, …​.

      All Privileges:

      GRANT ALL PRIVILEGES ON TABLE my_table TO my_xdm_admin;

      OR Table based privileges:

      GRANT SELECT, INSERT, UPDATE ON TABLE my_table TO my_xdm_admin;

      OR Column based privileges:

      GRANT SELECT (my_row_1, my_row_2) ON my_table TO my_xdm_admin
    4. Privileges can also be removed from a user.

      All Privileges:

      REVOKE ALL PRIVILEGES ON my_table FROM my_xdm_admin;

      OR Table based privileges:

      REVOKE SELECT, INSERT ON my_table FROM my_xdm_admin;

      OR Column based privileges:

      REVOKE SELECT (my_row_1, my_row_2) ON my_table FROM my_xdm_admin;
  5. Minimization of Browse and Script Permissions Minimize the assignment of the BROWSE and SCRIPT permission on connections. This permission allows users to view the contents of source or target tables, which may expose sensitive production data. The SCRIPT permissions allows access to the password of a credential by a script.

  6. Restriction of Diagnose Permissions The DIAGNOSE permission for task executions allows users to view detailed information such as logs and technical internal details. Since log files may contain sensitive information (e.g., connection strings, credentials), grant this permission only to users who require it for troubleshooting purposes.

  7. Principle of Least Privilege for Database Access XDM uses a single user account to access connected database management systems. This account should only have the minimum privileges required to perform its tasks. Assign only those permissions as specified in the official documentation.

  8. Multi-Factor Authentication (MFA) XDM supports various authentication providers, such as LDAP or OAuth. Consider using an authentication provider that supports Multi-Factor Authentication (MFA) to enhance security and prevent unauthorized access.

  9. Regular Permission Reviews Regularly review and update user permissions to ensure that only authorized users have access to sensitive data.

  10. User Awareness and Training Provide regular training sessions and clear guidelines for all users on the secure handling of test data and the proper use of XDM functionalities.

  11. Secure Handling of Session Logging: XDM persists logged-in user sessions in its administration database. Regularly delete expired or invalid session records, and avoid storing sensitive authentication data unless absolutely necessary.

  12. Regular Data Cleanup Implement a regular cleanup process for test data to ensure that sensitive information is not retained longer than necessary. For example, this may include sensitive production data copied into a test environment or sensitive data stored as part of an IceBox generation.

  13. Keep JDBC Drivers Updated Ensure that the JDBC drivers used for database connections are kept up to date in order to benefit from the latest security patches and functional improvements.

  14. Use rootless mode for Docker containers Use rootless mode in your Docker or Kubernetes environment to enhance security by reducing the risk of privilege escalation attacks. For more information, how to configure this, see Rootless Container Configuration