Saturday, June 25, 2011
Secure Clouds? A Weekend Testing Follow-Up
With the stories in the news lately about security breaches with cloud services and server farms being raided by the FBI, it seemed like a good idea to have a discussion around testing for security in Cloud services and considering some of the implications and challenges with how to test them and what to test for. Our mission for today was as follows:
We all are the test team for a medium-sized company (say 1,000 people). Due to the desire to spread to small regional offices, but keep key documents available, we are looking at cloud options to store important documents. We want to make this as easy for our users as possible, so we are exploring numerous options in the marketplace today. There are some famous names like Dropbox, Sugar Sync, etc. that we can consider. The big concern with corporate, however, is security. How can we make sure that what we put online is safe?
Our mission is to explore testing options, and examine various services (pick additional versions if the two I’ve mentioned don’t float your boat), and report back on what we can do to test and confirm this approach (or not confirm it).
Some of the first thoughts that we came up with were to determine exactly what was meant by "safe": whether "safe" meant "private" or "safe" meant "secure". As maddening as testers can be, it's important to realize that these are markers driven by context and perception. There is no way to be 100% sure that a system is safe; likewise, there's no such thing as a 100% safe system. The bigger challenges come into play in how to determine if a cloud-based system is appropriate for sensitive documents that require a higher level of security.
In the first hour we brainstormed and drafted some ideas that were meant to help us guide our testing efforts and we captured all of that in typewith.me, a nice little tool for collaborative note taking. Each section that goes in is color coded for the participant, and chat transcripts can also be logged. At the end, a single document can be generated and presented, which is what we did.
If you'd like to read the experience report or the typewith.me doc, as well as get a full list of attendees, please feel free to check out the experience report here.