Systems | Development | Analytics | API | Testing

Deterministic masking is essential for any businesses that need to secure application data across multiple non-production environments — since it ensures data is masked consistently everywhere it appears. As CTO of Perforce Delphix, I’ve worked with many companies who need to protect sensitive data while providing realistic data for testing and development. This is especially important in industries like insurance, healthcare, and financial services.

Test data compliance efforts are falling behind development speed, creating a dangerous gap exploited by bad actors and scrutinized by regulators. It's a wake-up call: Dev and test environments are under stricter regulatory scrutiny than ever. In my role as Senior Product Manager for Delphix, I regularly work with enterprise teams who are discovering this reality the hard way.

To use synthetic test data or to use test data masking — that is the question. But the answer may not be what you expect. Before we dive into that, what’s happening in today’s business landscape that’s prompting the question around synthetic vs. masking? Delivering high-quality applications at lightning speed is expected in today’s CI/CD world. Fast time-to-market is at odds with security and compliance requirements.

Yes, you’ve heard it all before: the frequency of cyberattacks and their devastating aftermath, organizations’ gaps in protecting sensitive data, and the financial consequences of not complying with GDPR and the likes. I am not here to share any old news. But there is a risk that is not discussed frequently enough in the news. And it should be. How often do you suppose data in non-production environments is compromised or fails compliance audits?

Ephemeral test environments have surfaced as a solution to DevOps teams’ growing challenges. Dealing with spiraling cloud costs and infrastructure maintenance is only getting more complex. Development teams find themselves competing for limited or stale environments while datasets grow larger. As a result, development velocity suffers. Application teams need realistic data for effective testing.

Since the release of the Defense Innovation Board (DIB)'s Software Acquisition and Practices (SWAP) report in 2019, the Department of Defense (DoD) has focused on adopting and recommending DevSecOps best practices for aerospace and defense development and software acquisition, as detailed in the DoD's 2024 State of DevSecOps report.

Many organizations turn to database subsetting for various reasons. For one, cloning entire terabyte datasets could bankrupt your cloud budget. And masked data could leave your teams fumbling with unrealistic test scenarios. Why wouldn't you just grab the data you need? Sometimes, it really is that straightforward. For certain use cases — like lightweight testing scenarios, proof-of-concepts, or applications with simple data structures — subsetting delivers exactly what it promises.