05/07/12 11:15 AM
Cloud Testing
To ensure a successful cloud computing strategy, you must be able to:
Manage performance and availability across the entire cloud service delivery chain
Monitor cloud application performance from the end-user perspective
Test your cloud applications prior to deployment
Monitor your cloud applications after they go into production
The performance and availability of cloud applications can have a dramatic impact on user adoption and
revenue. Monitoring and testing the performance of those applications requires uninterrupted visibility
across the entire application delivery chain, i.e. from your data center, through the Internet and cloud
service providers, to your end user’s own device and browser.
Note: Traditional data center monitoring tools simply won’t work in the cloud. You need to monitor and
test your cloud applications from the only perspective that really matters: your end users.
Cloud Testing has four major objectives:
To assure the quality of cloud-based applications deployed in a cloud, including their functional
services, business processes, and system performance as well as scalability based on a set of
application-based system requirements in a cloud
To validate software as a service (SaaS) in a cloud environment, including software performance,
scalability, security and measurement based on certain economic scales and pre-defined SLAs.
To check the provided automatic cloud-based functional services, for example auto-provisioned
functions
To test cloud compatibility and inter-operation capability between SaaS and applications in a
cloud infrastructure, for example, checking the APIs of SaaS and their cloud connectivity to others,
i.e. another SaaS within the same/different cloud or end user interface.
The table below shows the detailed tasks and a comparative view among the different parties:
For any application we make sure that the functionality works as expected. This is the standard functional
testing to validate if the app is doing what it is supposed to do.
Conduct rigorous Manual tests as per defined test plans, keeping the end user in mind
Conduct Exploratory tests based on existing or new test cases
Conduct Browser compatibility testing to check performance of the application on different web
browsers
Conduct Regression testing on every release, minor upgrade, integration or data migration.
Automate Functional and Regression tests
Conduct tests in target environment – whether it is your data center or the Cloud.
Conduct reliability testing to find the total defects of the application and thus reduce the number of
failures during real-time deployment.
Multi-platform support/Compatibility Testing: We can use combinations of different browser versions and operating systems to perform cross-platform testing.
We have to use the browsers and operating systems most used by end users to find issues that an end user
may encounter with his/her browser/operating system combination.
Load over different clouds: Application/system stability is a major factor as the user count is expected to be in multiples of hundreds.
A SaaS-based application needs to handle large numbers of users, and we don’t have the luxury of rebooting or
going down once in a while. Conduct load testing under normal as well as peak load conditions in multiple
environments, i.e. to determine the limits.
Stress over different clouds: Due to the cloud characteristics, it is imperative to identify issues as the system is tested to breaking points:
maximum expected capacity, or often beyond, to 2x, 3x, nx expected usage. Push systems to maximum load
capacity and beyond, i.e. exceed break points.
Capacity Testing: Being hosted in a cloud environment, it is prudent to determine maximum capacity for current or future
hardware, bandwidth or other needs, or to validate that installed hardware and network will support expected
usage scenarios, i.e. plan for the future.
Conduct scalability tests to determine the capacity of the application to scale up or down as per
requirements
Availability Testing: Conduct availability testing for a planned period of time and 24/7
Volume Testing: Conduct volume testing for your data
Performance/Latency over different clouds: Measure response times and isolate issues related to specific steps or actions while the system is subjected
to increasing load from different locations and multi-user operations. Measure response time variance
over load and time.
Reliability/Soak Testing: Measure performance degradation over longer periods at varying load levels, i.e. reliability over
time.
Remote Access and Usage: We make sure that all users, regardless of whether they come from the US, Holland, India, Argentina, or
Australia, can work with the system with good response times. There are many emulators that can help
test this in your lab.
Failover Testing/Disaster recovery & rollback procedures: Another testing task coming to us from the IT side of the house. Here we run 2 main scenarios:
o System down that needs to be brought up quickly (with the same machines or with new ones
that require installation and configuration)
o Rollbacks to the last known stable version, including data.
o Verify Redundancy
Application/Infrastructure security testing: The goal of this is to test the underlying infrastructure and security of the app:
Test the security of the SaaS application for typical web application security issues such as HTTP
header injection, Cross Site scripting (XSS), SQL Injection etc.
Test security of the network where SaaS application is being deployed
Test possible scenarios of security attacks/threats
Test the application with respect to access privileges with the corresponding job roles (especially in a
multi-tenant environment)
Test the security, integrity & accessibility of test data (especially in a multi-tenant environment)
Determine situations that could make the SaaS application vulnerable
Test compliance with Payment Card Industry Data Security Standard (PCI Compliance)
Maintain logs of security warnings, errors and requests from unreliable sources
IDS management; systems software hardening; security audit / vulnerability scanning and notification.
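An added example, not part of the original document: one way to automate the access-privilege test listed above is an authorization matrix that tries every tenant, role and action combination and flags any result that differs from the policy. The tenants, roles and both `authorize_*` functions are hypothetical; the flawed variant is included to show what the matrix catches.

```python
from itertools import product

# Constructed role model for a hypothetical multi-tenant SaaS (not from the page).
ROLE_PERMS = {
    "admin": {"read", "write", "delete"},
    "editor": {"read", "write"},
    "viewer": {"read"},
}
TENANTS = ["acme", "globex"]
ACTIONS = ["read", "write", "delete"]


def authorize_ok(user_tenant, role, action, resource_tenant):
    """Correct check: tenants must match AND the role must grant the action."""
    return resource_tenant == user_tenant and action in ROLE_PERMS.get(role, set())


def authorize_flawed(user_tenant, role, action, resource_tenant):
    """Deliberately flawed variant: checks the role but forgets tenant isolation."""
    return action in ROLE_PERMS.get(role, set())


def expected(user_tenant, role, action, resource_tenant):
    """Test oracle derived from the policy, independent of the code under test."""
    if user_tenant != resource_tenant:
        return False  # no role may reach another tenant's data
    return action in ROLE_PERMS[role]


def run_matrix(authorize):
    """Exercise every (tenant, role, action, target tenant) and collect mismatches."""
    failures = []
    for ut, role, action, rt in product(TENANTS, ROLE_PERMS, ACTIONS, TENANTS):
        got = authorize(ut, role, action, rt)
        want = expected(ut, role, action, rt)
        if got != want:
            kind = "cross-tenant" if ut != rt else "privilege"
            failures.append((kind, ut, role, action, rt, got))
    return failures


if __name__ == "__main__":
    for name, fn in [("correct", authorize_ok), ("flawed", authorize_flawed)]:
        fails = run_matrix(fn)
        print(f"{name}: {len(fails)} violation(s)")
        for f in fails:
            print("  ", f)
```

In a real test run the `authorize` argument would wrap requests to the deployed application made with each role's credentials, so the same matrix can be replayed on every release.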
Vulnerability Assessments: What are your weaknesses? Our vulnerability scans are based on
a variety of compliance regulations such as:
Payment Card Industry (PCI) Data Security Standard
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley (SOX)
Gramm-Leach-Bliley Act (GLBA)
Federal Information Security Management Act (FISMA)
Statement on Auditing Standards Number 70 (SAS70)
Managed Firewalls: Test with different types of firewall devices, from Cisco to Checkpoint to
SonicWall, and implement the best practices.
Patch Management: Each customer environment is different and we stay aware of how change will affect
it. We work with end users to establish a patching strategy that meets end user needs. Every patch is
analyzed. A risk assessment is made to be sure that your environment is not only safer by applying the patch
but won't be adversely affected.
Intrusion Detection Systems (IDS): We use both Network Intrusion Detection Systems (NIDS) and
Host-based Intrusion Detection Systems (HIDS) to ensure that the “bad guys” stay out. With systems powered by
Cisco, Checkpoint and OSSEC we perform log analysis, file integrity checking, policy monitoring, rootkit
detection, real-time alerting and active response.
Security Policies: We know that security is a top priority. Whether it's user admin or system builds, our
documented procedures are built on years of experience and industry best practices for security and
compliance.
Incident Response: If you're learning the hard way at your own or a third-party location and experience an
attack, the vendor team can leap into action to control and repair the damage. We understand how to contain
the breach, develop an action plan to systematically verify integrity of your network and all your devices, then
recommend and help implement solutions to protect from future attacks.
GRC (Governance Risk Compliance) testing: Devise a unique comprehensive testing strategy for
compliance with standards like PCI and government regulations
Scalability over different clouds: This assures the quality of cloud elasticity to support SaaS and
cloud services inside a cloud.
Operational Testing: This area is intended for the operations team whose objective is to make sure the apps are working fine, and
take care of customer service & billing. Usually, there are tools that are built as part of the product which help
the operational team members to monitor, track and analyze for issues. The areas to look for:
Application, Services, App Server, Platforms (OS), Databases and Data Center Level
Logs/Alerts/Warnings/Errors for functionality and performance.
Billing and Customer Support Tools, especially for integration
Integration and API Testing: The success of SaaS apps lies in how well you have thought of scenarios where third-party developers can build
their own apps using your APIs, and add value to your product. So testing all the APIs for functionality,
security, usability, performance and completeness of documentation is critical to make them successful:
SaaS based application interactions and cloud connections with different client interfaces, database
servers
SaaS based integration in a Cloud
SaaS integration between Clouds
Application oriented end to end integration over clouds
Enterprise oriented application integration between SaaS/Cloud and with Legacy systems
Usability over different clouds: Test responsiveness, efficiency, performance and
personalization
Cloud based Unit testing: Unit testing on different clouds
Cloud-based application integration: Application integration testing on different clouds
End-to-end system function testing: System testing on different Clouds
Cloud based System Integration testing: SaaS providers usually offer certain service APIs and
connectivity interfaces to their customers, so engineers are required to validate these APIs and
connectivity in a cloud environment.
SaaS based application interactions and cloud connections with different API interfaces and
connectivity protocols (HTTPS, REST, SOAP and RMI).
Live updates and deployments: Here is something we think about in regular applications:
How do you deploy the system while it is still running, and if needed how do you minimize down-time for
the users? This is something that is developed and handled by our IT department, but since the delivery
and update of the product is part of the overall user experience we test it constantly.
Internationalization/I18N: Since our platform is used by people around the world, we make sure
that we support the use of international characters.
Use Case Scenarios:
Ethernet Fabric by validating QoS of high density 10/40/100Gb Ethernet top of rack, end of row
and WAN optimization switches
Storage Networks by ensuring QoS of Fibre Channel and Fibre Channel over Ethernet storage
networking devices and storage systems
Application Networking by testing QoS of Firewalls, IPS, WAN accelerators, Proxy Servers, SSL
VPNs, etc
Cloud Virtualization by benchmarking QoS of virtual switching and virtual appliances from blade
servers to any point in the Ethernet and Storage fabric
Exchange documents, such as purchase orders, with any business partner over the Web with
B2B integration technologies, while eliminating the costs of proprietary EDI solutions.
Automate any mission-critical process such as Order-to-Cash, giving you more visibility into your
business, whether you represent marketing, sales, IT or support.
Interoperability Between Local and Global ADC Functions: Cloud balancing makes routing decisions based on a combination of local and global variables.
This requires interoperability between local and global ADC functions. Standards-based APIs may eventually
emerge that will facilitate the cross-vendor exchange of cloud balancing variables. In the meantime, in those
situations in which multiple ADC vendors are involved, IT organizations will need to take advantage of the
APIs supported by each vendor in order to achieve an integrated set of variables to use to make routing
decisions. Another option that IT organizations have is to adopt a single vendor strategy for both local and
global ADC functions. The feasibility of implementing a single vendor strategy across the enterprise and one
or more IaaS providers is enhanced if the ADC is available in a virtual appliance form factor.
Focuses on different client interfaces and connecting to legacy systems
Synchronizing Data between Cloud Sites: In order for an application to be executed at the data center that is selected by the cloud balancing
system, the target server instance must have access to the relevant data. In some cases, the data can be
accessed from a single central repository. In other cases, the data needs to be co-located with the
application. The co-location of data can be achieved by migrating the data to the appropriate data center,
a task that typically requires highly effective optimization techniques. In addition, if the data is replicated
for simultaneous use at multiple cloud locations, the data needs to be synchronized via active-active
storage replication, which is highly sensitive to WAN latency.
Challenges: Most organizations report impediments to SaaS testing, like short notice periods for QA notification, frequent
testing of live upgrades, short validation cycle times, impact on multiple subscriber organizations, privacy
violations, errors due to rapid addition of new features, time taken for data migration, concerns over data
security & integrity etc., which cloud the obvious benefits of SaaS testing.
1. Handling Changes through Frequent Releases: Every time the Application is upgraded,
the users have to understand the impact of the change, validate it against the existing system &
ensure that the impact on the existing features of the application is minimal. Managing and executing
all these activities within a short time span (1-2 weeks) is challenging. When SaaS upgrades involve
interface upgrading, compatibility and integration issues across old and new interfaces crop up for the
subscribers. Live upgrades being simulated or tested on the SaaS application impede the activity of
the existing users.
2. Security Testing: Maintaining data security, accessibility & integrity on a single SaaS application
across multiple tenants. To understand individual privacy requirements, privilege levels, behavioral
patterns and provide adequate privacy to the data can be a daunting task. Cloud computing security
challenges fall into three broad categories:
Data Protection: Securing your data both at rest and in transit
User Authentication: Limiting access to data and monitoring who accesses the data
Disaster and Data Breach Contingency Planning
3. Integration Challenges: When subscribers integrate their internal enterprise applications with
SaaS, inbound and outbound data integration validations from client networks to the SaaS providers
are needed. In such cases it is very difficult to conduct thorough validation while simultaneously ensuring
100% data security and privacy.
4. Data Migration Issues: Data migration across different SaaS applications or from other
applications to SaaS can be challenging in terms of time taken for understanding the requirements
and the exhaustive integration validation processes
5. Licensing: The SaaS app licensing may vary by functionality, usage (such as volume of
transactions or amount of specific data) or # of named/concurrent users. All this needs to be tested
across every release.
6. Performance testing: Successfully modeling the most-used business transactions, application
usage and user mix may require greater diligence than an on-premise application.
Risks:
Accountability and Data Risk
User Identity Federation
Regulatory Compliance
Business continuity and Resiliency
User Privacy & Secondary Usage of Data
Service & Data Integration
Multi-tenancy & Physical Security
Incident Analysis & Forensics
Infrastructure Security
Non-production Environment Exposure
1. Accountability: In a traditional data center, the owning organization (end user) is accountable for
security at all layers, i.e. Application/Database/Computing/Network/Storage layers. You can outsource
hosted services but you cannot outsource accountability.
In a cloud, who is accountable for security at these layers?
Data can be stored anywhere at different geographical locations:
How sensitive is the data? (Informal blogs, public network sharing posts, public news, New group
messages, Health Records, Criminal Records, Credit History and Payroll)
Who owns the data?
Is the data encrypted with a single key vs. multiple keys?
Data Mitigation:
Logical isolation of the data of multiple consumers
Provider fully destroys deleted data
Multiple encryption keys
2. User Identity Federation:
Security Risks
Managing Identities across multiple providers
Less control over user lifecycle (off-boarding)
User experience
Mitigations
Federated Identity
Auth for backend integrations
Tighter user provisioning controls
3. Regulatory Compliance:
Data that is perceived to be secure in one country may not be perceived secure in another
country/region. The European Union (EU) has very strict privacy laws and hence data stored in the US may
not comply with those EU laws (US Patriot Act allows federal agencies limitless powers to access any
corporate data etc.)
Lack of transparency in the underlying implementations makes it difficult for data owners to
demonstrate compliance (SOX/HIPAA etc.)
Lack of consistent standards and requirements for global regulatory compliance – data governance
can no longer be viewed from a point-to-point data flow perspective but rather a multi-point to multi-