| certifications | cloud - Erik Mikac
How to Develop a Cloud Testing Strategy in 2021
As cloud technology becomes more and more complex, the need for thorough testing becomes more necessary. Sometimes the level of complexity can be intimidating, creating a sort of analysis paralysis for the cloud team. Questions such as what to test, how to test it, and definitions of success quickly take center stage. Luckily there are a number of tools that can be used for cloud-based testing. Throughout this post, we will discuss the definition of cloud testing, types of cloud testing, different techniques, and six different success factors.
What is Cloud Testing?
Cloud testing is a method of testing that utilizes cloud resources to test a solution's infrastructure. While that definition may seem rather nebulous at first, it will make sense more once we delve into concrete examples. The most common elements of testing using this method are penetration testing, load testing, stress testing, and vulnerability testing. Let's take a quick glance at each of these tests to round out our knowledge on cloud testing.
What is Penetration Testing?
Penetration testing, or pen testing, is a form of ethical hacking to determine whether or not an intruder can breach a system's security. Oftentimes with cloud computing, this is ensuring that API's are secure. They should only be accessed by those with the proper authorization.
Remember that all cloud components are created using infrastructure as code. Infrastructure as code means that all hardware configurations are written into files that are read by the cloud. The computation resources on the cloud then create the requested resource. With that being said, one possible penetration test would be to access the Git repository that these files are stored. While this is the most obvious example, there are plenty of more nuanced avenues of attack that a hacker can take.
The sheer amount of hacking possibilities make these tests critical. While security is very important, a system is only as good as the amount of users who can use it. That is where our next cloud technique comes in: load testing.
What is Load Testing?
Load testing is a technique used to determine whether or not a system can handle an expected amount of traffic. Load testing is very similar to stress testing, except that stress testing is verifying the system operates under unusually heavy loads.
Load testing in the cloud is important because of latency issues inherent with cloud integration. After all, there is a great possibility that your cloud application will still need to read and write to on-premise resources. A load test will verify that these CRUD operations are happening within an acceptable time frame. Load testing is extremely common and critically important to any production website. The last cloud testing technique we'll discuss in vulnerability testing.
What is Vulnerability Testing?
Vulnerability testing is similar to pen testing, but with a different approach. A vulnerability test does not actually involve ethical hacking. It uses a suite of tools to scan a system for vulnerabilities. It is important that these differences are pointed out, as they are often mistakenly used interchangeably.
Major cloud providers will usually have some sort of vulnerability testing suite available to their end-user. One such example is AWS inspector. AWS inspector will scan your entire infrastructure for possible flaws. It will also verify that all EC2 instances have the appropriate network access. Leveraging this tool will greatly improve the security and compliance of your infrastructure.
For instance, Amazon Inspector may discover that one of your EC2 instances (i.e virtual machines) provides unauthorized access to numerous ports. Or it will discover that one of your S3 buckets is available to the public. It should be noted that Azure has its own version called the Security Center.
Oftentimes these tests will be contracted out to third parties with experience in the matter. They will either do it themselves, or provide testing as a service. Both of these techniques are known as TaaS. Let's delve into the difference between TaaS and Cloud Testing.
TaaS vs. Cloud Testing
The biggest difference between TaaS and Cloud testing is whether or not the testing is occurring in-house or not. Additionally, TaaS refers to third party test suites that the organization uses to perform testing. Cloud Testing, on the other hand, is a broader term for testing a cloud's infrastructure and its applications.
In a previous example of cloud testing, we mentioned pen testing. If the pen testing is performed by a third-party, or a third party provides the tools and environment to do so, then this would be TaaS. Here's a good rule of thumb: if an outside vendor is executing the tests or providing the tools for testing, then it is TaaS.
Now we have a better understanding of different cloud testing techniques and how they differ from TaaS. However it is not entirely clear what cloud testing factors lead to success. A test doesn't do a lot of good if it is not being performed efficiently. With that in mind, let's take a look at different cloud testing success factors. It turns out there are six of them, and they are:
- Data integrity
- Proper functionality
How Much to Test?
On the other hand, some tests like vulnerability testing really require 100% compliance. Every remediation found with regards to security and compliance should be addressed. After all, would you feel comfortable with 80% of your doors locked every night? Neither would I.
What Performance Level is Acceptable
It is important that cloud applications perform at an acceptable level. Database operations should execute in a timely manner, web pages should load promptly, and performance should be comparable on all or most browsers. One of the best ways to discover these issues is by performing load tests with agreed upon benchmarks.
For instance, let's say it takes twenty seconds for a page to load. That is clearly unacceptable. However the load test may indicate that the more people who access the sight, the longer it takes for the site's images to load, thereby causing the delay. A possible remediation for this load test would be to ensure all images are lazy loaded. Another solution could be to determine whether it is possible to compress the format. The bottom line is that performance should be analyzed at every layer of the site: from front-end all the way to back-end.
How to Test Your System's Availability
An application is only as good as it is available. It is imperative that the cloud based application is ready 24/7 to execute its intended purpose. Luckily, availability is really where cloud technology shines. By leveraging Infrastructure as a Service, an end-user can ensure their system has uptime up to 99% of the time.
This can be accomplished by verifying that the configuration files spin up new VMs when traffic increases. This is a hallmark example of elasticity when referring to the cloud. In addition to scaling out hardware, it is important to check whether or not the system is properly load balanced.
Your team should perform a stress test to verify that EC2 instances are scaling when they are supposed to, and that load balancing is occurring in a manner that makes the most sense. There are several types of load balancing techniques: everything from round robin, to fixed weighting, to resource based. Test several different methods to determine which one works best for your application.
How to Ensure Connectivity
Connectivity is similar to availability, but with one distinct difference. Connectivity refers to whether or not all critical components of an application are accessible. The most common foible encountered with regards to connectivity is expired SSL Certificates. An SSL certificate is required for secure internet data transmissions on HTTPS. However they do expire, and when they do the site goes down. Keep in mind, SSL certificates last one year. Make sure alerts are set ups to remind the team that they need to renew them. Better yet, write a cron job or something similar to renew them automatically.
Connectivity is also tested via integration tests. Integration tests are executed whenever code is deployed to different environments via CI/CD. Their purpose is to ensure the business logic still has access to the database and the front-end. It is critical to ensure integration tests are performed upon every production deployment.
How to Verify Data Integrity
Data Integrity issues are the scariest issues there are. Data Integrity issues can lead to customer data being erased or other critical data that is very difficult to retrieve. Verify that all tests perform database CRUD operations and return the expected value. This can be done by using an in-memory database like H2 or inserting them into a cloud based test data storage. Make sure the business logic is performing the correct operations.
The other side of data integrity is ensuring that the data is always available to the user. Data availability is cloud architecture's forté. Verify that all data is replicated in different regions of the cloud. That way if a particular region goes down, the data will be accessible from some other region, albeit with higher latency.
How to Ensure Proper Functionality
Ensuring proper functionality ties into all of the other success factors. After all, Data integrity issues can occur because of improper functionality. Or the system's availability can be affected by code not performing as it should.
The key to ensuring proper functionally is testing consistently and frequently. Oftentimes, functional testing can be caught at the unit test level. It is best practice to integrate all unit tests into the DevOps CI/CD pipelines. All three major cloud players have their own pipeline.
IaaS (Infrastructure as a Service) is one of the cloud's biggest selling points. After performing all required configurations, deploy the infrastructure to a testing environment and verify everything is functioning properly. Doing so will save a lot of headaches in the long run.
Developing a cloud testing strategy is no easy feat. It takes a lot of research and a dedicated team. However by executing each technique discussed and reviewing the success factors, your organization will mitigate any risks that may arise in your cloud environment.