Sandboxes and not the one filled with sand

Sandboxes are technical environments your teams can experiment in without affecting live operations.  How, as a manager, can you use them?

How do you work with your suppliers to see what will happen?

This article puts forward some of the pros and cons of sandboxes and provides a quick sense check for you to review your sandbox.

  • Sense checking
  • Security
  • Options
  • Wrap Up


Sense checking

Managing change

Change is inevitable and sandboxes provide you with a safety mechanism for managing that change.

What is the most important system in your business for your role?

  • If you are attempting to improve any process there is change.
  • Security standards constantly push the boundaries of how things work.
  • Planned obsolescence forces solutions to fade away with time.
  • Getting new reports or trying to analyse data means certain levels of experimentation

So even if you’d happily leave something “just working” your hand may be forced.

How can you reduce the risk of that change?



A trite example can help.  You have a favourite pen which was a gift.

  • How long will it last?
  • If I try to open my letters with it, will that damage it?
  • Does it work in the cold?

You may end up with a host of questions about the effectiveness and durability of the pen.

You can quite happily just live with your pen, until it fails… it’s a pen!  Yet if that pen is the one you have to sign that contract with… you’ll really want it available.

At the very least, having the comfort of a backup gives you somewhere to go if everything goes wrong.

Sandboxes are just that.  They provide somewhere to go if you want to test a theory and at the very least somewhere to go if everything goes to pot.



Now if you buy a car, it’s very unlikely the manufacturer is going to give you a spare car to test your ideas out with.

Yet, if you go to the garage and ask if they can facilitate your query, they may be able to arrange something.  They will charge for it, but you have options.

Like insurance, you pay a premium, but that premium reduces your risk.

With that spare car there, you can test your ideas without risking your primary solution.  So it’s in the supplier’s interest to facilitate your ideas.

Ideas and new approaches also serve the supplier as research and development ideas, as well as generating extra revenue which could be lost otherwise.



Whether cars or software, there are versions of the solutions.  Just as your business changes, so does your supplier’s.

Versions, concepts and revisions will all see the same general approach but with differences.  Those differences are what pose a risk to your operation.

  • So what can a new version do to your data, your screens, your business?
  • Do you really need it?
  • Is it worth the risk?

Instead of resisting every change, which is going to make a contentious life for you and for your supplier, accepting change and planning for it is key.

Rather than “accepting what is, will be”, give your business a chance.

A robust timely approach to change management makes you, your business, your customers and your suppliers all more comfortable.  Why must you manage versions?

The reason is that your business is best protected by you, as it is your interests that will be best served by you.



So what do I need to do?

For anything that is a major risk to your business or that would seriously impact your business, find out who supplied or maintains the solution.

Approach them and ask them for a sandbox.

  • If you built it in-house, it should be no problem to copy it for yourself.
  • Yet if your supplier provides it and the supplier is genuinely interested in keeping your business, they will work to facilitate your needs.

Also, if whoever supplies it says “no”, your business has a significant risk.  Consequently it would be worth examining alternative options, as you are effectively tied to that supplier.

Think about how you feel when “updates” are forced upon you, with no option to test / see them beforehand.  What happens if that’s your entire business?


Live Data

Comparing apples with apples is difficult.  A new version comes out.  You’ve implemented one or more sandboxes.  Let’s see the new features.

To truly appreciate the difference you need business data.  It’s great that the solution has a new version of the report, but with no data it’s not going to be a like-for-like test.

As a result, the ability to easily copy an instance of your live data into your sandbox for testing is a significant consideration.

There are two challenges to doing this from a supplier’s position:

  1. Having a mechanism to easily copy live data into your sandbox.
  2. Also, your supplier will need to ensure a similar level of security in your sandbox as in your live environment.
  3. How to clean up after you’re done testing.

This ability is possible but your supplier is going to have to design their service and processes to facilitate these requests.

Again, if your supplier can’t facilitate you, there should be a consideration to examine other options.

It is also worth considering building into the process a method of randomising / redacting PII so that GDPR and other data security considerations are complied with.
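One way such a randomising step could look when live rows are copied into a sandbox, together with a check for live values left behind. This is an added example, not code from the article or any supplier; the column names, the sandbox.invalid domain and the sample rows are assumptions made up for illustration.

```python
import hashlib
import hmac
import itertools

PII_COLUMNS = {"name", "email", "phone"}  # assumed column names

def _token(key, column, value):
    # Keyed and deterministic: the same live value always gives the same
    # token, so joins and duplicate counts still behave as they do in live.
    msg = f"{column}:{value.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]

def pseudonymise_row(row, key):
    out = dict(row)
    for col in PII_COLUMNS & row.keys():
        value = row[col]
        if not value:  # keep blanks so reports show the same gaps as live
            continue
        tok = _token(key, col, value)
        if col == "email":
            # .invalid is a reserved top-level domain, so mail cannot be delivered
            out[col] = f"user-{tok}@sandbox.invalid"
        elif col == "phone":
            # keep layout and length, swap every digit
            digits = itertools.cycle(str(int(tok, 16)))
            out[col] = "".join(next(digits) if c.isdigit() else c for c in value)
        else:
            out[col] = f"{col}-{tok}"
    return out

def find_live_pii(live_rows, sandbox_rows):
    """List (row index, column) of sandbox cells still holding a live PII value."""
    live = {r[c].strip().lower() for r in live_rows
            for c in PII_COLUMNS & r.keys() if r[c]}
    return [(i, c) for i, r in enumerate(sandbox_rows) for c, v in r.items()
            if isinstance(v, str) and v.strip().lower() in live]

# Constructed sample rows, not real customer data.
LIVE = [
    {"id": 1, "name": "Ada Example", "email": "ada@example.com",
     "phone": "+44 20 7946 0001", "plan": "gold"},
    {"id": 2, "name": "Bob Sample", "email": "Ada@Example.com",
     "phone": "", "plan": "basic"},
]

if __name__ == "__main__":
    key = b"constructed-sandbox-key"  # in practice a secret kept outside the sandbox
    sandbox = [pseudonymise_row(r, key) for r in LIVE]
    print(sandbox)
    print("leftovers:", find_live_pii(LIVE, sandbox))
```

The swapped phone digits can still form somebody's real number, so this step does not replace capturing outbound text messages in the sandbox.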


Communications and integration

The last part of sandboxes is how they connect with other systems and how they potentially communicate outside the business to customers.

A process may email or text customers as one of its steps.  API calls may post to social media or transfer money to bank accounts.

Being able to provide dummy end points and “mimic communications” is a difficult part of establishing your sandbox.

The last thing you want is a customer getting test emails as you experiment with your new fonts and logo.

Again your supplier should be able to help you plan around this and provide dummy end points for external communication and interconnects.
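A sketch of a dummy end point for outbound communication, added here as an example and not taken from the article or any product. The function names, channel names and allow-list are assumptions; the point it shows is that anything other than an explicit "live" setting captures the message instead of sending it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Outbound:
    channel: str      # assumed channel names: "email", "sms", "payment", "social"
    recipient: str
    body: str

# Channels on which an allow-listed tester may receive a real message.
# Money movement and public posts are never released from a sandbox.
TESTABLE_CHANNELS = {"email", "sms"}

def route(msg, environment, allowlist, live_send, outbox):
    """Decide what happens to one outbound message.

    environment: deployment setting; only the exact string "live" delivers.
                 Unset, misspelt or unknown values all count as sandbox.
    allowlist:   lower-case addresses of internal testers.
    live_send:   callable that really sends (hypothetical gateway hook).
    outbox:      list that collects captured messages for inspection.
    """
    if environment == "live":
        live_send(msg)
        return "delivered"
    if msg.channel in TESTABLE_CHANNELS and msg.recipient.lower() in allowlist:
        # Tag the body so a forwarded test message is recognisable as a test.
        live_send(Outbound(msg.channel, msg.recipient, "[SANDBOX TEST] " + msg.body))
        return "delivered-to-tester"
    outbox.append(msg)
    return "captured"

if __name__ == "__main__":
    sent, outbox = [], []
    testers = {"qa@example.com"}  # constructed address
    # Constructed sample messages.
    for m in [Outbound("email", "customer@example.com", "New logo!"),
              Outbound("email", "QA@example.com", "New logo!"),
              Outbound("payment", "qa@example.com", "transfer 10.00")]:
        print(m.channel, m.recipient, "->", route(m, "sandbox", testers, sent.append, outbox))
```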


Risk Management

If your business follows a security standard such as ISO 27001, service availability should be a line entry in your risk register.  What does yours say?

Sandboxes provide mitigation to the risk of “update / change management”.

Developing solutions to mitigate risk does generate paperwork and processes and adds overhead to the business, so being able to cost the solution is the only way to justify it.

The two questions are:

  • What is the cost to set up the sandbox?
  • Compared with, what is the cost if something did go wrong?

The cost sense check will dictate if sandboxes are worth implementing.


Wrap Up

To summarise, here is a series of sense check questions for your IT department, to get answers about the tools that affect your area of operation.

  1. Firstly, what are your key tools and services?
  2. Also, how often do they update / change?
  3. Furthermore, if they update / change, what lead time of notification do you get?
  4. Next, what opportunity do you have to test the change before it goes live?
  5. Can you confirm your critical systems list in your risk register?
  6. Is there planned obsolescence on any of these services?
  7. Can the supplier facilitate a sandbox?
  8. Have you got a sandbox process in place to manage the change?
  9. Is there a live data / redacted data capability to mimic live business operations?
  10. Furthermore, as you consider the security of a sandbox, is it comparable to the live environment?
  11. Also, when was the last time you tested your sandbox?
  12. Can you confirm that in any sandboxes you have there is no live client data lying around?

As a manager it is prudent for you to ask these questions of the tools you use for your area.

Waking up one morning to find your supplier updated overnight, and now dealing with it “not working”, makes for a very challenging day / week / month in the office.

Ask the questions today.


If there’s anything in this article you’d like to chat to me about you can contact me here or on social media.

