What do you need to know about security and
Here's a spoiler: There are reasons to be concerned when it comes to
First, let's take a quick look at general cloud security issues.
Control Over Servers
Perhaps the most basic concern most users have regarding cloud security is that they do not have physical or underlying administrative control over the servers on which their software is deployed. In the pre-cloud world, on-premises deployment was the rule, and an organization's IT staff would have control of the servers all the way down to bare metal.
This meant that security could be configured and implemented to suit the specific requirements of the organization. If there was a breach, it was the result of an unanticipated vulnerability, or one which had not been adequately addressed, and did not arise from conditions that were fundamentally beyond the control of in-house IT.
In the cloud, of course, this relationship is reversed to a significant degree. A cloud user's IT staff will have control only at a fairly high level of abstraction—typically, with the deployment of virtual machines and containers, or in the case of serverless deployment systems such as AWS Lambda, strictly at the level of code. Control at all lower levels is in the hands of the cloud service provider (CSP).
What Cloud Security Requires
This means that:
- Cloud service providers must maintain a very high level of security in order to retain the trust of their clients.
- Cloud users and providers of cloud based applications must take full responsibility for security at the levels where they do have control.
In other words, cloud security requires dual responsibility. If either service providers or users fail to adequately deal with security, it may result in potential or real security breaches.
Along with the general concern over responsibility for cloud security, there are some specific cloud-based security issues. These include:
- Insider access at cloud service provider sites. This is a more specialized issue tied into provider responsibility. CSPs need to closely screen all employees and place strict controls over access to sensitive user data.
- Communication with cloud services. Users must communicate with cloud servers by means of Internet routes and carriers of varying security, with little or no control over the paths taken by the data.
- Data shared on a single server. CSPs may store multiple users' data on the same server. When this happens, they must take active steps to isolate each user's data.
- Recycling of virtualized instances. If cloud-based applications reuse VMs and containers, individual client data may be compromised. In this case, providers of cloud-based software and services are largely responsible for security.
Cloud Based Testing and Security
Security and the Test Process
Perhaps the most important of these involves the sensitivity of the test process itself. Whether it is a matter of bug fixes or new features, software under development often requires an added level of security in order to prevent the details (or even the general nature) of upgrades and fixes from becoming known to competitors, industry-based journalists, or the general public.
Leaked development information can reveal vulnerabilities, give competitors a chance to rush-release cloned versions of new features, and provide fragmentary and often inaccurate information to industry-based rumor mills.
Security and Test Data
In many ways, raw test data is equally sensitive. It can reveal not only vulnerabilities, but also specific ways in which they can be exploited, and that can be extremely valuable for competitors who are developing similar software. In many respects, test data is as sensitive as source code itself, and depending on the circumstances, it may even be more sensitive.
Should You Test in the Cloud?
Does this mean that you shouldn't test your software in the cloud?
Testing in the Cloud: Practical Reasons
Hardly. For one thing, in many cases,
Testing in the Cloud: Economic Reasons
Cloud based testing also makes good economic sense. This is particularly true when you use a
Testing in the Cloud: Security is Good
The truth is that
How Cloud-Based Test Security Works
Sauce Laboratories, for example, provides a high-security tunnel for test data, with a single-use virtual test machine which is destroyed when you close the tunnel.
Good test security, of course, requires a high level of security consciousness on your part, but this is always the case, with any kind of security, in any environment. The key take-home point is that a first-rate
Michael Churchman started as a scriptwriter, editor, and producer during the anything-goes early years of the game industry. He spent much of the 90s in the high-pressure bundled software industry, where the move from waterfall to faster release was well