Unit 4

The document outlines various risks associated with cloud computing, including data breaches, vendor security risks, and account hijacking, emphasizing the importance of effective risk management processes. It details a five-step risk management process to identify, analyze, evaluate, treat, and monitor risks, highlighting the need for proactive strategies to mitigate potential threats. Additionally, it discusses data security challenges and the advantages and disadvantages of cloud security, underscoring the necessity for organizations to implement robust security measures to protect their data and maintain operational integrity.

Uploaded by

Vishal Patil

UNIT 4

WHAT IS RISK IN CLOUD COMPUTING:

1. Data Breach - A data breach is unauthorized access to the confidential data of
the organisation by a third party such as hackers. In cloud computing, the data of the
organisation is stored off premises, that is, at the endpoint of the cloud
service provider (CSP). Thus any attack targeting data stored on the CSP servers may
affect all of its customers.

2. Cloud Vendor Security Risk - Every organisation takes services offered by different
cloud vendors. The inefficiency of these cloud vendors in providing data security and
risk mitigation directly affects the organisation's business plan and growth. Also,
migrating from one vendor to another is difficult due to the different interfaces and
services provided by these cloud vendors.

3. Availability - Any internet connection loss disrupts the cloud provider's services,
making the services inoperative. It can happen at both the user's and the cloud service
provider's end. An effective risk management plan should focus on availability of
services by creating redundancy in servers on cloud such that other servers can
provide those services if one fails.

4. Malicious Malware - Often, when companies implement cloud computing, they
erroneously believe that they’re now safe from traditional malware attacks.
Unfortunately, this isn’t always the case. Although cloud malware’s intended target is
the cloud platform provider, end users can still experience repercussions. For
example, one type of cloud malware attack is hyperjacking, in which a cybercriminal
exchanges a virtual machine’s (VM’s) hypervisor for a corrupted version.

5. Limited Visibility Into Network Operations - When businesses use a mix of cloud
platforms and environments as well as on-premises servers, this infrastructure can
become complex and cause limited visibility within a network.

6. Data Loss - Although one of the major reasons to use cloud computing is to safeguard
data and assets, it is not immune to data loss. One significant cause of data loss is
insufficient data backup and recovery. Many startup owners and entrepreneurs
place too much faith in the cloud, meaning they don’t have adequate planning and
resources for data recovery. In the event of physical damage, cyber attacks or insider
threats, data can be permanently lost if regular backups and contingency plans are
not in place. Data loss includes everything from deleted or corrupted data and
hardware malfunctions, to malware attacks, and loss of access due to natural
disasters for which the cloud service provider (CSP) isn’t prepared. In addition to
the loss of intellectual property, businesses may suffer direct financial impact by way
of employee or customer backlash for not protecting their sensitive, personal data.

7. Account Hijacking - This won’t be news to you but, if users write down their cloud
account password or share it with others, the chance of their cloud accounts being
hijacked increases. As a result of this type of negligence, hackers can gain access to
employees’ emails and, from there, can easily access their whole cloud accounts.

8. Malicious Insiders - A malicious insider is a person working in the organisation who
therefore already has authorized access to the confidential data and resources of the
organisation. With cloud deployments, organisations lack control over the underlying
infrastructure, making it very hard to detect malicious insiders.

PROCESS OF RISK MANAGEMENT

Risk management is a cyclically executed process comprising a set of activities for
overseeing and controlling risks. Risk management is the process of identifying, assessing, and
controlling threats to an organisation's system security, capital and resources. Effective risk
management means attempting to control future outcomes proactively rather than reactively.
Risk management follows a series of 5 steps to manage risk; it drives organisations to
formulate a better strategy to tackle upcoming risks. These steps are referred to as the Risk
Management Process and are as follows:

● Identify the risk
● Analyze the risk
● Evaluate the risk
● Treat the risk
● Monitor or Review the risk

Now, let us briefly understand each step of the risk management process in cloud
computing.

1. Identify the risk - The inception of the risk management process starts with the
identification of the risks that may negatively influence an organisation's strategy or
compromise cloud system security. Operational, performance, security, and privacy
requirements are identified. The organisation should uncover, recognise and describe
risks that might affect the working environment. Some risks in cloud computing
include cloud vendor risks, operational risks, legal risks, and attacker risks.
2. Analyze the risk - After the identification of the risk, the scope of the risk is analyzed.
The likelihood and the consequences of the risks are determined. In cloud
computing, the likelihood is determined as the function of the threats to the system,
the vulnerabilities, and consequences of these vulnerabilities being exploited. In
the analysis phase, the organisation develops an understanding of the nature of the risk and
its potential to affect the organisation's goals and objectives.
3. Evaluate the risk - The risks are further ranked based on the severity of the impact
they create on information security and the probability of actualizing. The
organisation then decides whether the risk is acceptable or it is serious enough to call
for treatment.
4. Treat the risk - In this step, the highest-ranked risks are treated to eliminate them or
modify them to an acceptable level. Risk mitigation strategies and preventive
plans are set out to minimise the probability of negative risks and enhance
opportunities. The security controls are implemented in the cloud system and are
assessed by proper assessment procedures to determine if security controls are
effective to produce the desired outcome.
5. Monitor or Review the risk - Monitor the security controls in the cloud infrastructure
on a regular basis including assessing control effectiveness, documenting changes to
the system and the working environment. Part of the mitigation plan includes
following up on risks to continuously monitor and track new and existing risks.
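
Steps 2 to 5 carried through on a small risk register, as an added example that is not part of the original notes. The 1 to 5 likelihood and impact scales, the acceptance threshold of 8, the scores and the control effects are all constructed assumptions; only the risk and control names echo the text above.

```python
from dataclasses import dataclass, field

RISK_APPETITE = 8  # assumption: a score above this is serious enough to treat


@dataclass
class Risk:
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # Step 2 (analyze): combine likelihood and consequence into one number.
        return self.likelihood * self.impact


@dataclass
class Control:
    name: str
    applies_to: str            # name of the risk this control treats
    likelihood_cut: int = 0    # levels by which the control lowers likelihood
    impact_cut: int = 0        # levels by which the control lowers impact


def evaluate(register):
    """Step 3: rank by score, then split into risks to treat and risks to accept."""
    ranked = sorted(register, key=lambda r: (-r.score, r.name))
    to_treat = [r for r in ranked if r.score > RISK_APPETITE]
    accepted = [r for r in ranked if r.score <= RISK_APPETITE]
    return to_treat, accepted


def treat(risk, control):
    """Step 4: apply one control; a level can never drop below 1."""
    if control.applies_to != risk.name:
        raise ValueError(f"{control.name} does not address {risk.name}")
    risk.likelihood = max(1, risk.likelihood - control.likelihood_cut)
    risk.impact = max(1, risk.impact - control.impact_cut)
    risk.controls.append(control.name)


def run_cycle(register, controls):
    """One pass of evaluate -> treat -> review over the whole register."""
    to_treat, _ = evaluate(register)
    initial = [(r.name, r.score) for r in to_treat]
    for risk in to_treat:
        for control in controls:
            if control.applies_to == risk.name:
                treat(risk, control)
    # Step 5 (monitor/review): re-evaluate; anything still above the appetite
    # needs a further control or an explicit acceptance decision.
    residual, accepted = evaluate(register)
    return (initial,
            [(r.name, r.score) for r in residual],
            [(r.name, r.score) for r in accepted])


def sample_register():
    """Constructed sample data using risk names from the list of cloud risks."""
    register = [
        Risk("Data breach", likelihood=3, impact=5),
        Risk("Account hijacking", likelihood=4, impact=4),
        Risk("Data loss", likelihood=2, impact=5),
        Risk("Availability", likelihood=3, impact=2),
    ]
    controls = [
        Control("Encryption at rest and in transit", "Data breach", impact_cut=2),
        Control("Multi-factor authentication", "Account hijacking", likelihood_cut=3),
        Control("Regular backups with restore tests", "Data loss", impact_cut=3),
    ]
    return register, controls


if __name__ == "__main__":
    initial, residual, accepted = run_cycle(*sample_register())
    print("ranked for treatment:", initial)
    print("still above appetite:", residual)
    print("accepted:", accepted)
```

In this constructed register, encryption alone leaves the data breach risk above the threshold, which is the case the review step exists to catch.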

The steps of the risk management process should be executed concurrently, by individuals or
teams in well-defined organisational roles, as part of the System Development Life
Cycle (SDLC) process. Treating security as an addition to the system, and implementing the risk
management process in cloud computing independently of the SDLC, is a more difficult process
that can incur higher cost with a lower potential to mitigate risks.

NEED FOR RISK MANAGEMENT

The primary security concern for individuals, businesses, and organisations. If
actualized, some risks may cause a business to close. These risks need to be treated
proactively by implementing risk management strategies. By implementing a risk
management plan and considering the various potential risks or events before they
occur, an organisation may save money and time and protect its future.

This is because a robust risk management plan will help an organisation establish
procedures to prevent potential threats and minimise their impact if they occur. This
ability to understand and control risks allows organisations to be more confident in
their business decisions. Moreover, effective risk management helps organisations to
understand their processes deeply and provides information that can be used to make
informed decisions to provide increased levels of security and ensure that the business
remains profitable.

In cloud computing, the organisation sets risk management plans which help it to
identify appropriate cloud vendors and service providers, make proper service-level
agreements and set up better budgeting plans.

BENEFITS OF RISK MANAGEMENT

Risk management enables organisations to ensure any potential threats to cloud-deployment
security, assets, and business plans are identified and treated before they derail
the organisation's goals. It has far-reaching benefits that can fundamentally change the
decision-making process of the organisation. Here are some benefits of robust risk
management:

1. Forecast Probable Issues - The risk management process in cloud computing identifies
all the possible risks or threats associated with the cloud service provider, the cloud
vendor, the organisation, and the users. It helps an organisation to mitigate risks by
implementing appropriate control strategies and to create a better business plan.
2. Increases the scope of growth - Risk management in cloud computing forces
organisations to study the risk factors in detail. Thus, the workforce is aware of all the
possible catastrophic events, and the organisation creates a framework that can be
deployed to avoid risks that are detrimental to both the organisation and the
environment. Hence, risk management enables organisations to take calculated risks
and accelerate their growth.
3. Business Process Improvement - Risk Management requires organisations to collect
information about their processes and operations. As a result, organisations can find
inefficient processes or the scope for improvement in a process.
4. Better Budgeting - Organisations implementing risk management strategies often
have clear insights into the finances. Thus, they can create more efficient budgets to
implement risk management plans and achieve the organisational goals.

DATA SECURITY IN CLOUD COMPUTING:

Cloud data security refers to the technologies, policies, services and security controls
that protect any type of data in the cloud from loss, leakage or misuse through
breaches, exfiltration and unauthorized access.
Data security refers to the process of protecting data from unauthorized access and
data corruption throughout its lifecycle. Data security includes data encryption,
hashing, tokenization, and key management practices that protect data across all
applications and platforms.

● Ensuring the security and privacy of data across networks as well as within
applications, containers, workloads and other cloud environments
● Controlling data access for all users, devices and software
● Providing complete visibility into all data on the network

The cloud data protection and security strategy must also protect data of all types. This
includes:

● Data in use: Securing data being used by an application or endpoint through user
authentication and access control
● Data in motion: Ensuring the safe transmission of sensitive, confidential or
proprietary data while it moves across the network through encryption and/or other
email and messaging security measures
● Data at rest: Protecting data that is being stored on any network location, including
the cloud, through access restrictions and user authentication

SECURITY ISSUES IN CLOUD COMPUTING

1. Misconfiguration

Misconfiguration of cloud infrastructure is a leading contributor to data breaches. If
an organization’s cloud environment is not configured properly, critical business data
and applications may become susceptible to an attack.
Because cloud infrastructure is designed to be easily accessible and promote data
sharing, it can be difficult for organizations to ensure their data is only being accessed
by authorized users. This issue can be exacerbated due to a lack of visibility or control
of infrastructure within their cloud hosting environment.
In short, misconfiguration poses serious cloud security issues to businesses and the
fallout can detrimentally impact day-to-day operations. To prevent misconfigurations,
those responsible for overseeing their organization’s cloud solution should be familiar
with the security controls provided by their cloud service provider.

2. Cyber attacks

Cybercrime is a business, and cybercriminals select their targets based upon the
expected profitability of their attacks. Cloud-based infrastructure is directly accessible
from the public Internet, is often improperly secured, and contains a great deal of
sensitive and valuable data. Additionally, the cloud is used by many different
companies, meaning that a successful attack can likely be repeated many times with
a high probability of success. As a result, organizations’ cloud deployments are a
common target of cyberattacks.

3. Malicious Insiders
Insider threats are a major security issue for any organization. A malicious insider already
has authorized access to an organization’s network and some of the sensitive resources that
it contains. Attempts to gain this level of access are what reveals most attackers to their
target, making it hard for an unprepared organization to detect a malicious insider.

On the cloud, detection of a malicious insider is even more difficult. With cloud
deployments, companies lack control over their underlying infrastructure, making many
traditional security solutions less effective. This, along with the fact that cloud-based
infrastructure is directly accessible from the public Internet and often suffers from security
misconfigurations, makes it even more difficult to detect malicious insiders.

4. Lack of Visibility

An organization’s cloud-based resources are located outside of the corporate network
and run on infrastructure that the company does not own. As a result, many traditional
tools for achieving network visibility are not effective for cloud environments, and some
organizations lack cloud-focused security tools. This can limit an organization’s ability to
monitor their cloud-based resources and protect them against attack.

5. Denial of Service (DoS) attack –

This type of attack occurs when the system receives too much traffic. Mostly DoS attacks
occur in large organizations such as the banking sector, government sector, etc. When a DoS
attack occurs, data is lost. So, in order to recover data, it requires a great amount of money
as well as time to handle it.

6. Lack of Skill –

Working with the cloud, shifting to another service provider, needing an extra feature, or
knowing how to use a feature are the main problems faced by an IT company that does not have
skilled employees. So it requires a skilled person to work with cloud computing.

7. User Account Hijacking –

Account hijacking is the most serious security issue in cloud computing. If somehow the
account of a user or an organization is hijacked by a hacker, then the hacker has full authority
to perform unauthorized activities.

DATA SECURITY CHALLENGES IN CLOUD COMPUTING:

● Lack of data visibility and control
● Cloud misconfiguration and how it can leave data open and unprotected
● Unauthorized access to cloud data
● Cyber attacks and data breaches
● Denial of service attacks
● Hijacking of accounts
● Insecure interfaces and APIs
● Malicious insiders
● Data loss in cloud computing
● Oversight and negligence in cloud data management

ADVANTAGES OF CLOUD SECURITY:

1. Data protection: Cloud security solutions are specifically designed to ensure data
security through access control and data loss prevention. The data remains
confidential and protected from unauthorized access both at rest and in transit.

2. Access management: Cloud security implements multi-factor authentication to
ensure only authorized individuals can access the cloud.

3. Real-time threat detection: Advanced CSPs provide real-time monitoring and
automated alerts for protection from cyber attacks, such as DDoS attacks and SQL
injections. A distributed denial-of-service (DDoS) attack is a type of DoS attack that
comes from many distributed sources, such as a botnet. SQL injection is a code injection
technique that might destroy your database, and is one of the most common web hacking
techniques. It is the placement of malicious code in SQL statements, via web page input,
which makes it possible to execute malicious SQL statements. These statements control
a database server behind a web application. Attackers can use SQL injection
vulnerabilities to bypass application security measures.

4. Cost efficiency: Cloud security helps organizations eliminate the costs of setting up
and maintaining a complex security infrastructure on-premise. Instead, this is handled
by CSPs in accordance with the highest industry standards.

5. Cloud compliance: Cloud security solutions often align with international and industry
regulatory requirements. However, organizations must remain vigilant as regulations
frequently change.

6. Scalability: Cloud security solutions are easy to scale, no matter the size of the
business. If necessary, security measures are expanded to cover a growing
infrastructure without making significant changes to the cloud architecture.

7. Network security: Cloud security ensures safe data flow between devices and servers
through firewalls, encryption, and VPNs.

8. Application security: Applications are protected with firewalls and vulnerability
scanning that secures users’ data.

9. Endpoint security: Cloud security protects endpoint devices such as smartphones,
tablets, and laptops to ensure secure access to the cloud.

10. Centralized security: Cloud monitoring solutions analyze potential threats to multiple
entities from a centralized place. This enables timely software updates,
establishing disaster recovery plans, and securing protection on all devices.
11. Redundancy and availability: Cloud security ensures continuity by making the cloud
services available even if some components experience failure.

DISADVANTAGES OF CLOUD SECURITY:

1. Bandwidth issues –
For ideal performance, clients need to plan accordingly and not pack large
numbers of servers and storage devices into a small set of data centers.
2. Without redundancy –
A cloud server is neither redundant nor backed up. Since technology
can fail to a great degree, avoid getting burned by buying a
redundancy plan. While this can be an additional cost, much of the time
it is justified, in spite of the inconvenience.
3. Data transfer capacity issues –
For ideal performance, clients should also plan ahead and not gather huge numbers
of servers and storage devices in a small set of data centers.
4. More control –
Once you move services to the cloud, you move your data and
information. Organizations with internal IT staff will not be able to deal
with issues on their own. Be that as it may, Stratosphere Systems has an all-day, every-day
live helpline that can address any issue right away.
5. No Redundancy –
A cloud server is neither redundant nor backed up. As technology may fail here and
there, avoid getting burned by purchasing a redundancy plan.
Although it is an additional cost, in most cases it will be well worth it.

CLOUD DIGITAL PERSONA AND CLOUD SECURITY-

The first persona is what we like to call the Optimist. The Optimist loves the cloud and cloud
service providers – best thing since sliced bread in their opinion. The best thing about the
cloud, in their opinion, is the security. The cloud is secure by default! The Cloud service
provider takes care of most things, we just need to tune the rules a little bit. No more mucking
about with Firewalls or anything. Life is good!

The Pessimist does not believe in the cloud. They also believe that the cloud does not matter
– such an overrated concept. Why would I trust someone else’s network and hardware, and
give up so much control?

The final security persona is the Realist. They know and understand how the Shared Security
Responsibility model works. They are aware of the various security options that the CSP
provides – and their limitations. Features like automatic scaling and deployment across
multiple availability zones are understood and used to maximal advantage.

Data should be protected irrespective of whether it is held on a desktop, a network
drive, an isolated laptop or in a cloud.

Another facet of data security to consider for data in the cloud is the level of
protection required, that is, how the data is to be protected:

Level 1: Transmission of the document using encryption protocols
Level 2: Access control to the document itself, but without encryption of the content
Level 3: Access control (including encryption of the content of a data object)
Level 4: Access control (including encryption of the content of a data object), also
encompassing privileged administration options

Users can access Force.com only after authenticating. Users are given
a single sign-in form in which to enter their credentials. After authentication, users are
signed in and get access to anything on Force.com, including their own applications such as
Salesforce CRM, Portals, Sites and VisualForce pages, without re-authentication.

Many organizations use a single sign-on method to simplify and standardize user
authentication across a collection of applications. Force.com supports two single sign-on options:

1. Federated authentication: Uses standard protocols to communicate between the
organization and the Force.com platform for authentication purposes. The organization
configures the platform to use SAML (Security Assertion Markup Language).
1. The user navigates to the application of the SP.

2. SP requires the user to be authenticated at the IdP (SP may have mechanisms to check
whether the user is currently authenticated at the IdP using session data). The
unauthenticated user is redirected to the login page of the IdP.

3. The user authenticates with the IdP (by entering login credentials).

4. If the user credentials are properly validated, the user is authenticated and provided an
access token.

5. The user goes back to the application with the obtained access token and the application
allows the user to access the application.

Medium, as an SP, allows you to authenticate with a third-party service like Google, Facebook
or Twitter as the identity provider. When you sign in to Medium by clicking “Sign in with
Google” (or with Facebook/Twitter), Google (or Facebook/Twitter) acts as the trusted IdP that
authenticates you on behalf of Medium and relays the authentication decision to Medium.
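
The five-step SP/IdP exchange above, with the checks the SP has to make before trusting what comes back, as an added example that is not part of the original notes or of Force.com. Real SAML signs an XML assertion with the IdP's private key; here an HMAC over JSON with a shared key stands in for that signature, and the issuer, audience, key and user store are constructed values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values (assumptions, not taken from the page).
IDP_ISSUER = "https://idp.example.test"
SP_AUDIENCE = "https://app.example.test"
SHARED_KEY = b"constructed-demo-key"       # stand-in for the IdP signing key
USERS = {"alice": "correct horse"}         # constructed IdP user store


def sign_body(body: bytes) -> str:
    """Simplified signature: HMAC-SHA256 instead of an XML digital signature."""
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Steps 3-4: authenticate the user, then issue a signed token."""

    def login(self, username, password, request_id, audience, now=None, ttl=300):
        now = time.time() if now is None else now
        stored = USERS.get(username, "")
        if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
            return None                      # credentials rejected, no token
        claims = {"iss": IDP_ISSUER, "sub": username, "aud": audience,
                  "in_response_to": request_id, "not_after": now + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        return base64.b64encode(body).decode() + "." + sign_body(body)


class ServiceProvider:
    """Steps 1-2 and 5: start the login, then validate the returned token."""

    def __init__(self, audience=SP_AUDIENCE):
        self.audience = audience
        self.pending = set()                 # request ids issued, not yet used

    def start_login(self):
        request_id = secrets.token_hex(8)
        self.pending.add(request_id)
        return request_id                    # sent to the IdP with the redirect

    def consume(self, token, now=None):
        """Return the authenticated username, or raise ValueError with a reason."""
        now = time.time() if now is None else now
        try:
            encoded, signature = token.split(".")
            body = base64.b64decode(encoded, validate=True)
        except ValueError:
            raise ValueError("malformed token") from None
        # Integrity first: nothing in the body is trusted before this passes.
        if not hmac.compare_digest(sign_body(body).encode(), signature.encode()):
            raise ValueError("bad signature")
        claims = json.loads(body)
        if claims["iss"] != IDP_ISSUER:
            raise ValueError("unknown issuer")
        if claims["aud"] != self.audience:   # token minted for another SP
            raise ValueError("wrong audience")
        if now > claims["not_after"]:
            raise ValueError("expired")
        if claims["in_response_to"] not in self.pending:
            raise ValueError("unsolicited or replayed")
        self.pending.discard(claims["in_response_to"])   # one use only
        return claims["sub"]


def check(sp, token, now):
    """Convenience wrapper: ('ok', user) or ('rejected', reason)."""
    try:
        return ("ok", sp.consume(token, now=now))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    idp, sp = IdentityProvider(), ServiceProvider()
    rid = sp.start_login()
    token = idp.login("alice", "correct horse", rid, SP_AUDIENCE, now=1000)
    print(check(sp, token, 1100))   # first presentation is accepted
    print(check(sp, token, 1100))   # the same token presented again is refused
```

The order of checks matters: the signature is verified before any claim is read, and the request id is consumed only after every other check passes.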

2. Delegated authentication: Enables an organization to integrate Force.com cloud
applications with an alternative authentication method, for example, an LDAP (Lightweight
Directory Access Protocol) service or authentication using a token rather than a password.
The delegated authority can be set up to validate users in three distinct combinations:
(i) Password validation: Username and password are validated against the delegated
authority rather than the internal Salesforce password store.
(ii) Token validation: Users should first authenticate to their enterprise, and the enterprise
in turn should create a Salesforce session by sending (via HTTP POST) the username
and a token to Salesforce for validation by the delegated authority.
(iii) Hybrid model: While accessing the Salesforce website, users are required to use token
validation, but they are permitted to validate using password validation on a client
application.

CLOUD SECURITY SERVICES- CONFIDENTIALITY, INTEGRITY AND AVAILABILITY

● Confidentiality makes sure that only authorized personnel are given access or
permission to modify data
● Integrity helps maintain the trustworthiness of data by having it in the correct state
and immune to any improper modifications
● Availability means that the authorized users should be able to access data whenever
required

Example-

Consider an ATM that allows users to access bank balances and other information. An ATM
incorporates measures to cover the principles of the triad:

● The two-factor authentication (debit card with the PIN code)
provides confidentiality before authorizing access to sensitive data.
● The ATM and bank software ensure data integrity by maintaining all transfer and
withdrawal records made via the ATM in the user’s bank accounting.
● The ATM provides availability as it is for public use and is accessible at all times.

1) Confidentiality-

● It’s about access control for users of data to prevent unauthorized activities. This
means that only those authorized can access specific assets. Unauthorized users are
actively prevented from obtaining access, thus maintaining confidentiality.
● In the case of the payroll database of employees in an organization, only authorized
employees have access to the database. Additionally, within that group of
authorized users, there could be more stringent limitations added on the precise
information that the group is allowed to access.
● Another good example of confidentiality is the personal information of e-commerce
customers. Sensitive information like credit card details, contact information,
shipping details, or other personal information needs to be secured to prevent
unauthorized access and exposure.
● Violation of confidentiality can happen in many ways. It can occur through direct
attacks, which are specifically designed to gain illegal access to systems, databases,
applications, etc. Examples are escalation of system privileges, network
reconnaissance, electronic eavesdropping, man-in-the-middle attacks, etc. Human
error can also be a reason for violation just as much as inadequate security
measures.
● Human errors include weak passwords, shared user accounts, shoulder surfing, no
data encryption, poor or absent authentication systems, theft of physical
equipment and storage devices, etc.
● There are several countermeasures that can be taken to protect confidentiality. These
include data classification and labeling, strong authentication mechanisms, tight
access controls, steganography, data encryption during processing, transit, and
storage, remote wipe capabilities, and education and training on cybersecurity for
all.

2) Integrity

● Integrity is all about making sure that data has not been messed with or
manipulated, and therefore it is authentic, correct, and reliable.

● For example, in e-commerce, customers expect products, pricing, and other
related details to be accurate and that they will not be altered once the order is
placed. Similarly, in banking, a sense of trust regarding banking information
and account balances has to be established by ensuring that these details are
authentic and have not been tampered with.

● Ensuring data integrity involves protecting the data at all times, including
when it is being used, transmitted, or stored. This includes implementing
measures to prevent unauthorized access, data corruption, or tampering
during these various stages.

● Integrity can be violated directly (through tampering with intrusion detection systems,
modification of configuration files, or changes to system logs to avoid detection)
or through human errors.

● Countermeasures like encryption, digital signatures, hashing, and digital
certificates can help maintain data integrity. Aside from these, intrusion
detection systems, strong authentication mechanisms, version control,
auditing, and access controls can ensure integrity.

3) Availability

● Systems, applications, and data will lose their value if they are not accessible by their
authorized users whenever they require them. Availability is the accessibility of
networks, systems, applications, and data by authorized users in a timely fashion
whenever resources are required.

● Availability can be compromised if there is a hardware or software failure, natural
disasters, power failure, or human error. DDoS attacks are one of the more common
reasons for the violation of availability.

● Availability can be ensured through network, server, application, and service
redundancy. Hardware fault tolerance in servers and storage is another good
countermeasure to avoid violation of availability. DoS protection solutions, system
upgrades, regular software patching, comprehensive disaster recovery plans,
backups, etc. are all ways to ensure availability.

● Data Backup Plan: Data backups are an absolutely crucial part of data security, and an
organization should be able to restore data in the event of data corruption
or hardware failure. Backups should be completed on a regular basis, and the
frequency depends upon how much data an organization is willing to lose in the
event of loss. Backups should also be periodically restored to test systems, to
verify that the process functions correctly within the specified
time limit before the need for the backup actually arises.

● Disaster Recovery Plan (DRP): A DRP is a plan that is used to recover quickly after
a disaster with a minimum of impact to the organization. DR planning should be part of
the initial stage of implementing IT systems. DR plans are developed in response to risk
assessments and designed to mitigate those risks. Risk assessments determine the frequency
and extent of potential disasters. This will allow an organization to decide which
technologies to implement to achieve an appropriate level of recovery.

SECURITY AUTHORIZATION CHALLENGES IN THE CLOUD

Authorization entails ensuring that only authorized persons are able to get access
to resources within a system. To carry out authorization,
● the first step is to authenticate the individual,
● the second step is to get information about the individual,
● the last step is to permit or refuse access to the individual based on the applicable
policies for that resource.

An authorization service is responsible for evaluating an authorization query, gathering
the essential data about the individual and the resource, and evaluating a policy to determine
whether access should be granted or denied. Cloud computing is not a single capability, but
a collection of essential characteristics that are manifested through various
kinds of technology deployment and service models.

The use of cloud computing is quickly spreading all over the world at an astonishing pace
because of its substantial advantages in reducing the cost of IT services by deploying them
over the Internet.
Possible benefits are rather obvious:
● Ability to reduce capital expenditure.
● Shared services ensuring often seemingly unlimited scalability.
● The ability to dial up usage or pay as you use when needed.
● Reduced IT-related costs, thereby enhancing competitive advantage along the bottom line.

Though cloud computing services have unique benefits, there are critical issues
pertaining to confidentiality, data integrity, security, accessibility, disaster
preparedness, tax implications and other risks.

Most of these challenges originate from the loss of physical control over IT assets and
services. Major failures, for example at Amazon Web Services, are due to the failure of a
redundant power system and loss of data.

A redundant power supply is when a single piece of computer equipment operates using
two or more physical power supplies. Each of the power supplies will have the capacity to
run the device on its own, which will allow it to operate even if one goes down.

A power failure that shuts down the system may be acceptable in some applications.
However, such a shutdown is not acceptable in a cloud computing environment.

In industrial applications, a system that contains the minimum power modules doesn't offer
redundancy and won't have the ability to function if a failure occurs. This type of system
leaves a company vulnerable to major power interruptions if a system issue occurs.

In Amazon Web Services, loss of data occurs due to the failure of the redundant power
system.

SECURE CLOUD SOFTWARE REQUIREMENTS

Requirements include:

Scalability- Cloud scalability in cloud computing refers to the ability to increase or
decrease IT resources as needed to meet changing demand. Scalability is one of the
hallmarks of the cloud and the primary driver of its exploding popularity with
businesses.

Adaptability- Cloud-native adaptability refers to applications that are developed to
run specifically in any type of cloud (private, public, or hybrid). While discussing the
concept of cloud-native adaptability, the emphasis is on where the application
resides in a particular instance, and its build and deployment locations are
completely irrelevant. This is achieved with the help of components known as
microservices, which help the application to blend into any cloud environment.
Microservices is a unique approach in which a single application is an agglomeration
of multiple services that are independent of each other. Microservices allow a large
application to be separated into smaller independent parts, with each part having its
own realm of responsibility. The random nature of the cloud makes it impossible to
track an application running on it; this is where microservices come in.
Microservices can be individually scaled and automated, and orchestrations can be
made seamlessly.

Manageability- Manageability enables you to achieve consistency across your hybrid
environment by allowing you to easily provision, configure and monitor resources in
an individual cloud service. This helps ensure that users don't experience any
disruptions when moving between on-premises data centers or public clouds.

SECURE CLOUD SOFTWARE TESTING

Cloud testing is the process of using the cloud computing resources of a third-party service
provider to test software applications. This can refer to the testing of cloud resources, such
as architecture or cloud-native software as a service (SaaS) offerings, or using cloud tools as
a part of quality assurance (QA) strategy.

Cloud testing can be valuable to organizations in a number of ways. For organizations testing
cloud resources, this can ensure optimal performance, availability and security of data, and
minimize downtime of the associated infrastructure or platform.

Organizations test cloud-based SaaS products to ensure applications are functioning properly.
For companies testing other types of applications, use of cloud computing tools, as opposed
to on-premises QA tools, can help organizations cut down on testing costs and improve
collaboration efforts between QA teams.

Types of cloud testing-

Testing of cloud resources. The cloud's architecture and other resources are assessed for
performance and proper functioning. This involves testing a provider's platform as a service
(PaaS) or infrastructure as a service (IaaS). Common tests may assess scalability, disaster
recovery (DR), and data privacy and security.

Testing of cloud-native software. QA testing of SaaS products that reside in the cloud.

Benefits of cloud testing

Here are some of the primary benefits associated with cloud testing:

Cost-effectiveness. Cloud testing is more cost-efficient than traditional testing, as customers
only pay for what they use.

Availability and collaboration. Resources can be accessed from any device with a network
connection. QA testing efforts are not limited by physical location. This, along with built-in
collaboration tools, can make it easier for testing teams to collaborate in real time.

Scalability. Compute resources can be scaled up or down, according to testing demands.

Faster testing. Cloud testing is faster than traditional testing, as it circumvents the need for
many IT management tasks. This can lead to faster time to market.

Customization. A variety of testing environments can often be simulated.

Simplified disaster recovery. DR efforts for data backup and recovery are less intensive than
traditional methods.

Challenges with cloud testing

Cloud testing has its drawbacks. A lack of standards around integrating public cloud resources
with on-premises resources, concerns over security in the cloud, hard-to-understand service-
level agreements (SLAs), and limited configuration options and bandwidth can all contribute
to delays and added costs. Here are some of the broad challenges associated with the use of
cloud testing:

Security and privacy of data. As with broader use of the cloud, security and privacy concerns
linger with cloud testing. In addition, as the cloud environment is outsourced, the customer
loses autonomy over security and privacy issues.

Multi-cloud models. Multi-cloud models that use different types of clouds -- public, private
or hybrid -- sometimes across multiple cloud providers, pose complications with
synchronization, security and other domains.

Developing the environment. Specific server, storage and network configurations can lead to
testing issues.

Replicating the user environment. Though the application, ideally, would be tested in a
similar environment to that of end users, it is not always possible to avoid discrepancies.

Testing across the full IT system. Cloud testing must test the application, servers, storage and
network, as well as validate these test interactions across all layers and components.

Potential bandwidth issues. Bandwidth availability can fluctuate due to the provider's
resources being shared with other users.

Examples of cloud testing

Functional testing. Includes smoke testing, white box testing, black box testing, integration
testing, user acceptance testing and unit testing.

System testing. Tests application features to ensure they are functioning properly.

Interoperability testing. Checks that application performance is maintained across changes
made to its infrastructure.

Stress testing. Determines the ability of applications to function under peak workloads while
staying effective and stable.

Latency testing. Tests the latency time between actions and responses within an application.

Performance testing. Tests the performance of an application under specific workloads and
is used to determine thresholds, bottlenecks and other limitations in application
performance.

Availability testing. Ensures an application stays available with minimal outages when the
cloud provider makes changes to the infrastructure.

Multi-tenancy testing. Examines if performance is maintained with additional users or
tenants accessing the application concurrently.

Security testing. Tests for security vulnerabilities in the data and code in the application.

Disaster recovery testing. Ensures cloud downtime and other contingency scenarios will not
lead to irreparable damages, such as data loss.

Browser performance testing. Tests application performance across different web browsers.

Compatibility testing. Tests application performance across different operating systems
(OSes).

CLOUD TESTING VS CONVENTIONAL TESTING

| Testing Parameters | Conventional Testing | Cloud Testing |
|---|---|---|
| Primary Testing Objective | Checks interoperability, compatibility, usability. Verifies the quality of system function and performance based on the given specification. | Verifies the quality of performance and functions of SaaS, clouds, and applications by leveraging a cloud environment. |
| Testing Costs | Costs remain high due to hardware and software requirements. | Only have to pay for operational charges. Pay only for what you use. |
| Functional Testing | Validating functions (unit and system) as well as its features. | Testing end-to-end application function on SaaS or cloud. |
| Testing Environment | A pre-fixed and configured test environment in a test lab. | An open public test environment with diverse computing resources. |
| Integration Testing | Component, architecture, and function based testing. | SaaS-based integration testing. |
| Security Testing | Testing security features based on process, server and privacy. | Testing security features based on cloud, SaaS and real-time tests in the vendor's cloud. |
| Performance and Scalability Testing | Performed in a fixed test environment. | Apply both real-time and virtual online test data. |
