Cloud Testing Challenges

Shilpi Chugh, Technical Lead, Aricent


Abstract

A few years ago, the world started thinking about all possible measures to reduce cost, increase efficiency, minimize overheads and provide on-demand features. At the forefront of this emerged the concept of providing things/software/services over the internet, which we call cloud services. There are many service providers currently providing cloud services with the following advantages:

1. Remote management of resources (Servers, Storage, Services etc.)
2. Reduced cost of Operation
3. Location Independence
4. Availability on Demand

This seems promising and lucrative from the outside but, like the two sides of a coin, there are some challenges which need to be catered to before we take any decision. Some of the challenges could be:

1. Security: We work with a lot of sensitive data in our day-to-day operations, like passwords/network resources level 1 or 2 data, the company’s intellectual property etc., and loss of anything of this sort impacts the business big time.

2. Performance: As we all know and believe, something available on the local machine always works faster and better, but in practical scenarios we need to have things running remotely. Cloud services are always remote, and it can be a challenge to get the performance we get in a local environment.

3. Crashes: In real-world scenarios, it is very much possible to have an internet/network breakdown, either from the ISP, from the cloud service provider or from our local network.

4. Data Migration & Integration from Existing System: Legacy systems are built over decades of evolution, and directly migrating everything to the cloud might not be easily feasible and will pose a lot of challenges.

5. Lack of Standard Procedures: Every cloud service provider advertises different sorts of advantages or benefits, which makes it difficult to choose what fits your needs.

This makes Cloud testing even more important. There are several methods or techniques available today for Cloud testing to mitigate risk arising out of the challenges. We can perform both Functional and Non-Functional testing which makes us double sure of the quality of work being delivered.

Let’s discuss further on each of these challenges in detail and how we can test the systems on cloud to reduce the impact of the challenges.


Introduction

In our day-to-day routines, we commonly hear/read/think that “Everyone is moving to CLOUD”. But what is it? And what can we achieve using it? Let me try to give you my stand on these questions:

A couple of decades ago, a cloud was meant only to give us rain; water from the rains flows through the rivers and oceans, and it was/is the responsibility of every individual to utilize water optimally. Surprisingly, in this digital era, we have a different cloud, which does not give us the water that we live on but gives us computing resources.

The major advantages of cloud computing are:

- Scalability & flexibility
- On Demand Availability
- QoS
- OpEx instead of CapEx (tenancy instead of occupancy)

Cloud computing is a technology by means of which we store and access data from remote locations with the use of the internet. It comes from the combination of different types of computing that we were using, such as distributed computing, utility computing, grid computing etc.

On top of all these concepts comes cloud computing, which combines the effect of these different types of computing and shifts the whole concept of storing and working on data from a local to a remote location, which reduces the cost, time and effort of the user.

This opens a whole new chapter that makes us think about the cons that might arise from using cloud computing. We need to test the solutions/services provided on the cloud, and we know this as “Cloud Testing”.

To test/verify the offerings, we need to make sure of the following aspects:

- Security
- Performance
- Integration
- System Crashes
- Lack of Standard Procedures

These aspects are known challenges in Cloud Testing and once we can verify the offerings against these challenges, we can make the service offering less prone to bugs and minimize the risk of loss. In the coming chapters, we will discuss these challenges in more detail individually.


Cloud Security Testing

Every application in the organization deals with a lot of data, and loss of it may impact the business of the organization. So, any service (be it infrastructure or application) needs to operate in a secure environment for the organization. This makes security testing for cloud services even more important.

Fig1: Cloud security testing overview [1]

In general, security is the defence of any valuable asset of an individual or an organization. In a similar way, security in cloud testing is the defence of assets and information from any malicious threats. It becomes more important when you are using a third party for critical data handling. When multiple users are accessing the same servers, it is a must to ensure that data remains secure at rest and in transit.

Security implementation can be accomplished in different layers in cloud environment:

Fig2: Cloud security layers’ overview

Physical security

It relates to the infrastructure of cloud service providers; any breach in physical security leads to a huge loss for all the organizations that have joined in. It is not true that we have no physical infrastructure and everything is just flying in the sky. We still have the physical servers, CPUs, connecting cables etc., not in the customer’s organization but at the cloud service provider’s location, from where the provider gives us access to those resources.

(Fig2 labels: Security Layers: Physical Security, Data Security, Application, Network)


A weakness in physical security can lead to an attack on infrastructure, which in turn can shut down all the data-related services as well. Also, much open research finds that organizations and experts have negligible concern regarding physical attacks on infrastructure. So, it becomes very important to secure the infrastructure from natural and human threats.

Following measures can be taken for ensuring Physical security:

- Evaluate security controls on physical infrastructure with a physical security
- Surveillance cameras and an alarm system
- Restricted access points for employees
- Sensors for natural disasters
- Redundancy of data across locations

Data security

Data plays an important role in cloud computing, because the whole game is about data, which is placed on different machines and storage devices; security, on the other side, is a combination of confidentiality, integrity and availability. So, collectively, we have different aspects of data security, with major issues such as data loss, service disruption, data privacy, data lockdown, security intelligence, issues in data transition, multi-tenancy issues etc.

The following figure shows how data security and privacy are organized in a cloud environment.

Fig3: organization of Data security and privacy [2]

The above issues can be minimized by taking the following measures:

Data Integrity – Gives high-quality, accessible data which is stored in a cloud privacy environment. Data must not be changed in transit by unauthorized access. To achieve this goal, the monitoring mechanism must be strong.

For verifying integrity, a framework called “Proof of Retrievability”, proposed by Kevin D. Bowers, is available in the market to do a spot check of data.

Data Confidentiality – Possesses a set of rules that limits access to information. The measures shown in the figure below can be taken in order to maintain confidentiality.


Fig4: Data confidentiality combination

Data Availability – As the name itself tells, data stored on the cloud must be available when required. In case of any damage or network failure, the data can be properly recovered. The data storage must be transparent and shared with the respective users. Different measures can be taken for this, such as:

- Reliable storage agreement/disaster recovery plan
- Reliable devices used for backup, such as hard drives

Data Privacy – Cloud computing comes with the risk that unauthorized users might access your information. It also refers to the right of self-determination over “what is known about them”. To protect against this, cloud computing services offer PETs (Privacy Enhancing Tools), which provide encryption, anonymization etc., as well as TETs (Transparency Enhancing Tools), which provide information about privacy policies and access to their data.
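A simplified spot check in the spirit of the Data Integrity measure above, added here as an example and not taken from the paper or from the Proof of Retrievability framework it cites: the data owner tags each block with a keyed MAC before upload, then audits randomly chosen blocks. The block size, function names and sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets

BLOCK_SIZE = 16  # assumed block size, small so the constructed sample has several blocks


def tag_block(key: bytes, index: int, block: bytes) -> bytes:
    """MAC over position + content, so a moved or replaced block fails the check."""
    return hmac.new(key, index.to_bytes(8, "big") + block, hashlib.sha256).digest()


def prepare_upload(key: bytes, data: bytes) -> list:
    """Owner side: split data into blocks and attach a tag to each one."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    return [(block, tag_block(key, i, block)) for i, block in enumerate(blocks)]


def make_challenge(n_blocks: int, sample: int) -> list:
    """Owner side: choose unpredictable block indexes to audit."""
    return secrets.SystemRandom().sample(range(n_blocks), min(sample, n_blocks))


def respond(store: list, challenge: list) -> list:
    """Provider side: return (index, block, tag) for every challenged index."""
    return [(i, store[i][0], store[i][1]) for i in challenge]


def verify(key: bytes, response: list) -> list:
    """Owner side: indexes whose returned block does not match its tag."""
    return sorted(i for i, block, tag in response
                  if not hmac.compare_digest(tag, tag_block(key, i, block)))


def audit(key: bytes, store: list, sample: int) -> list:
    """One audit round: challenge, collect the response, verify it."""
    return verify(key, respond(store, make_challenge(len(store), sample)))


def detection_probability(n_blocks: int, corrupted: int, sample: int) -> float:
    """Chance that a sample of `sample` blocks hits at least one corrupted block."""
    sample = min(sample, n_blocks)
    return 1 - math.comb(n_blocks - corrupted, sample) / math.comb(n_blocks, sample)


if __name__ == "__main__":
    key = secrets.token_bytes(32)                  # stays with the data owner
    store = prepare_upload(key, bytes(range(64)))  # constructed sample data
    print("clean audit:", audit(key, store, sample=4))
    store[2] = (b"X" * BLOCK_SIZE, store[2][1])    # simulate silent corruption
    print("after corruption:", audit(key, store, sample=4))
    print("P(detect 1 of 100 with 10 samples):", detection_probability(100, 1, 10))
```

A spot check trades coverage for cost: `detection_probability` shows how many blocks a tester must sample per round to reach a chosen confidence.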

Network Security:

Earlier, when organisations worked individually, they had control over their networks, but now in a cloud architecture data moves to and from the organization and the cloud, which is exposed to the internet, and the configuration modes for virtual networks are “bridged” and “routed”. So, there are high chances of a security breach. There are different types of network attacks, such as DNS attacks, IP spoofing, network sniffing etc.

All data on the network needs to be secured. Strong network traffic encryption techniques such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS) can be used to prevent leakage of sensitive information. Several key security elements such as data security, data integrity, authentication and authorization, data confidentiality, web application security, virtualization vulnerability, availability, backup, and data breaches should be carefully considered to keep the cloud up and running continuously.

The next level is to set up a firewall, which monitors the incoming and outgoing traffic in our network. A firewall helps us by controlling access to data. The source IP address is checked against a list of allowed sources for any incoming connection. If the source address is not in this list, the connection is denied. There are no other rules supported, just the list of allowed addresses, which can prevent sniffing and spoofing.
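The allow-list rule described above, written as a default-deny check together with the kind of boundary test matrix a tester would run against it. This is an added example, not code from the paper; the addresses are constructed from documentation ranges, and treating IPv4-mapped IPv6 sources as their IPv4 address is an assumption about the desired policy.

```python
import ipaddress

# Constructed allow list (documentation address ranges), not from the paper.
ALLOWED_SOURCES = ["203.0.113.10", "198.51.100.0/24", "2001:db8:10::/48"]

# Constructed test matrix: (source address, expected decision).
CASES = [
    ("203.0.113.10", True),         # exact host entry
    ("203.0.113.11", False),        # neighbour of an allowed host
    ("198.51.100.200", True),       # inside the allowed /24
    ("198.51.101.1", False),        # just outside the /24
    ("::ffff:198.51.100.7", True),  # IPv4-mapped IPv6 form of an allowed address
    ("2001:db8:10:1::5", True),     # inside the allowed IPv6 /48
    ("2001:db8:11::1", False),      # adjacent IPv6 prefix
    ("not-an-ip", False),           # malformed input must be denied
    ("", False),                    # empty input must be denied
]


def load_allowlist(entries):
    """Parse single addresses and CIDR ranges; reject entries with host bits set."""
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def normalise(source):
    """Parse the source and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    addr = ipaddress.ip_address(source.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(source, allowlist):
    """Default deny: anything unparsable or not listed is rejected."""
    try:
        addr = normalise(source)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net for net in allowlist)


def failing_cases(cases, allowlist):
    """Return the cases where the decision differs from the expected one."""
    return [(src, want) for src, want in cases if is_allowed(src, allowlist) != want]


if __name__ == "__main__":
    print("failures:", failing_cases(CASES, load_allowlist(ALLOWED_SOURCES)))
```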

(Fig4 labels: Data Confidentiality: Encryption, Distributive storage, Authentication techniques, Data concealment)


Application Security [3]

Today the world runs on applications, and applications are the links between data and the user. There can be many kinds of application-level threats, such as SQL injection, backdoor and debug options, hidden field manipulation, cross-site scripting, man-in-the-middle attacks etc. So, it becomes important to secure the applications by applying access controls such as:

- Identity based access
- Role based access
- Key based access
- Claim based access

Identity based access: It asks for user credentials and allows only authenticated users to pass through. Scan the permissions and ownership of important files periodically. An Intrusion Detection System is the most prominent method.

Role based access: In applications where different users are supposed to perform different types of work, role based access is provisioned: a specified role is assigned to each user, and they are able to see or perform only the tasks meant for their role.

Key based access: It works on the principle of lock and key: every user is provided a key for access to the application, and by using it the user can gain access. Depending on the requirement and the implemented design, the key can be hardware, such as an RSA key, or a soft key, such as Microsoft Authenticator.

Claim based access: Claims-based authorization is an approach where the decision to grant or deny access is based on arbitrary logic that uses data available in claims. For example, many websites allow you to get access to their contents using your Google credentials or your social network credentials.
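The role based and claim based checks described above, combined into one default-deny decision and exercised with a negative test matrix. This is an added example, not code from the paper; the roles, permissions, claim names and the issuer URL are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed roles, permissions and issuer for illustration only.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
}
TRUSTED_ISSUERS = {"https://idp.example.test"}  # hypothetical identity provider


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    claims: dict = field(default_factory=dict)


def role_allows(user, permission):
    """Role based access: the permission must belong to one of the user's roles."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def claims_allow(user, permission):
    """Claim based access: decide from data carried in the claims."""
    claims = user.claims
    if claims.get("iss") not in TRUSTED_ISSUERS:
        return False
    if claims.get("email_verified") is not True:  # the string "true" is not accepted
        return False
    if permission.endswith(":write"):
        return claims.get("department") == "finance"
    return True


def authorize(user, permission):
    """Grant only when both the role check and the claims check pass."""
    return role_allows(user, permission) and claims_allow(user, permission)


GOOD = {"iss": "https://idp.example.test", "email_verified": True, "department": "finance"}
# Constructed test matrix: (user, permission, expected decision).
CASES = [
    (User("alice", {"editor"}, GOOD), "report:write", True),
    (User("bob", {"viewer"}, GOOD), "report:write", False),   # role lacks permission
    (User("carol", {"editor"}, {**GOOD, "iss": "https://other.example.test"}), "report:read", False),
    (User("dave", {"editor"}, {**GOOD, "email_verified": "true"}), "report:read", False),
    (User("erin", {"editor"}, {**GOOD, "department": "sales"}), "report:write", False),
    (User("erin", {"editor"}, {**GOOD, "department": "sales"}), "report:read", True),
    (User("frank", {"auditor"}, GOOD), "report:read", False),  # unknown role
    (User("grace", set(), {}), "report:read", False),          # no roles, no claims
]


def failing_cases(cases):
    """Return (user, permission) pairs whose decision differs from the expectation."""
    return [(u.name, perm) for u, perm, want in cases if authorize(u, perm) != want]


if __name__ == "__main__":
    print("failures:", failing_cases(CASES))
```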

Performance Related Issues and Crashes

As everyone is moving to the cloud for their services and applications, multiple users can use or hit the same application at the same time, which in turn increases the traffic on the internet. The network bandwidth offered by cloud services therefore becomes a concern. This may negatively impact the execution and delivery of complex applications, as cloud applications continue to be bandwidth intensive.

Cloud testing includes the network, database, performance and the available application. Applications on the cloud may have different bandwidths. Lesser bandwidths can badly impact the services being provided across the globe for a specific application. Therefore, the following measures can be taken to overcome performance-related issues:

- Testing can be done with Realistic Load, testing in ideal conditions, which you will never get after deploying on production.
- Testing can be done with increased stress, testing beyond the boundary value, which can make sure the application will not crash in worst conditions.
- Comprehensive Testing: End-to-End testing should be performed to create a complete process chain.
- Testing Elasticity and scalability, to test whether the performance meets the defined SLAs.


Data Migration & Integration from Existing System

It is the process of transferring data from one system to another while changing the storage or database. It typically happens during upgrades or when transferring to a new system. So, while migrating the data, the major challenges relate to the type of migration activity we need to perform. These can be classified as:

Storage Migration

It should be handled in a manner transparent to the application, so that the application uses only general interfaces to access the data. In most systems, this is not an issue. However, careful attention is necessary for old applications running on proprietary/legacy systems. In many cases, the source code of the application is not available and the application vendor may not be in the market anymore. In such cases storage migration is rather tricky and should be properly tested before releasing the solution into production.

Database Migration

Database migration assumes the database is used just as storage. It "only" requires moving the data from one database to another. The main issues may include:

- Unmatched data types
- Different character sets

Application Migration

The main challenge in migrating an application is that, even when it is designed by the same vendor, data can be stored in significantly different formats and structures, which makes simple data transfer impossible. The only way out is the ETL process: extracting, transmitting and loading the data. The advantage of an ETL tool in this instance is its ready-to-use connectivity to disparate data sources/targets.

Lack of Standard Procedures and Practices

Today more and more businesses are looking to move to hosted solutions provided by different vendors, to cut down on the cost of having their own IT infrastructure. The problem starts when they begin looking at the solutions offered: since the field is still evolving, it becomes difficult to compare two solutions, because they all have different standards. New organizations which are thinking of migrating to the cloud are planning their own standards during and after migration.

The industry is not completely standardless, though; with the passage of time, some standard offerings are becoming available. For example, “Concur”, which provides software as a service for travel and expense processing for organizations, has a standard format which suits most organizations and can be customized to suit the specific needs of an organization. So, to be sure of what we choose, we need to establish what is required for our organization and perform checks to make sure we are getting what we require.

Upgrades and releases

In today’s fast-moving world, continuous delivery of applications is followed to serve customers 24/7. Also, in a cloud environment data is distributed across multiple nodes and data centres, which increases the inconsistencies in upgrades. Therefore, frequent upgrades, frequent patches and rolling releases are preferred over standard software version releases. Upgrade procedures can be automated or manual, but we face issues with both. The major challenge in upgrading an existing system is that it causes unavailability, sometimes data loss, and the introduction of new bugs into the system. There can be any number of reasons for that, such as insufficient memory, unplanned downtime, breakage in code, performance degradation, etc. [4]

Roll back mechanism – The most important measure to take before planning any release or upgrade is to have a roll back mechanism ready, in case of any failure during the upgrade to the latest release, to keep the system and applications available.

Check compatibility – Be doubly sure about the software compatibility version before the upgrade.

Conclusion

Cloud testing is a vast topic in cloud computing, and day by day more features are being added to it, so more research work must be done to address all the challenges which we face. The major contribution of this paper is to provide good testing practices: data must be encrypted before transit, and use of a secure connection is mandatory when connecting to the cloud for the transfer of data. In the end, the testing architecture must mature so that more challenges can be explored.

References & Appendix

[1] http://www.cigniti.com/cloud-application-security-testing/

[2] International Journal of Distributed Sensor Networks, http://journals.sagepub.com/doi/full/10.1155/2014/190903

[3] Ankur Pandey et al., (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 3 (6), 2012, 5369-5373

[4] Cloud Software Upgrades: Challenges and Opportunities, Iulian Neamtiu, Department of Computer Science and Engineering, University of California, Riverside

[5] Cloud Testing - Issues, Challenges, Needs and Practice, San Jose State University, USA, Tsinghua University, China, and Arizona State University, USA

[6] Laurin H. Mills (2009), “Legal Issues Associated with Cloud Computing”

Author Biography

Shilpi Chugh is a professional with 6+ years of experience in testing, with exposure to multiple domains, namely telecom hardware testing, manual software testing, automation testing using Perl scripts, Selenium and other tools for hardware testing related to the stock market.

Shilpi completed her masters in Computer applications from Mullana in 2010 and has been providing her services in testing since then.


She had been recognized for her exceptional performance and detailed eye in her work multiple times from her seniors, Customers and other stakeholders.

Prior to joining the corporate world, she had been associated with various educational institutes providing lectureship and tuitions.

Born in Hisar, Shilpi has an unmatched curiosity about learning new trends and technologies in her domain and spends most of her time reading over internet.

She has always been in the front row for any activity involving creativity and has won various awards and accolades in art & craft for making paintings and crafting decoration items for households out of scrap.
