The cloud computing landscape has revolutionized the way businesses operate, offering scalability, agility, and cost-effectiveness. However, this shift towards cloud-based infrastructure has also introduced new security challenges. Cloud environments are inherently more complex and distributed, making them more susceptible to cyberattacks. Hence, security testing in the cloud has become an indispensable aspect of cloud security management. In the era of cloud-centric operations, safeguarding cloud-based applications has become imperative. This paper comprehensively explores the best practices for security testing in the cloud, providing a roadmap for organizations to fortify their cloud-based assets against potential threats.
Problem Statement
As organizations increasingly migrate their critical data and applications to cloud environments, there is a growing recognition of the need for robust cloud security measures. The dynamic nature of cloud computing introduces unique challenges and vulnerabilities that have the potential to compromise the confidentiality, integrity, and availability of sensitive information. The current state of cloud security is characterized by several pressing issues that demand comprehensive solutions:
1. Data Breaches and Unauthorized Access
2. Insufficient Encryption Practices
3. Inadequate Incident Response and Monitoring
4. Third-Party Security Risks
5. Lack of Standardized Security Best Practices
Background
Security testing in the cloud entails evaluating cloud-based applications and their associated infrastructure for vulnerabilities and potential security weaknesses. This process encompasses various techniques, including penetration testing, vulnerability scanning, and static code analysis. The objective of security testing in the cloud is to identify and remediate vulnerabilities before they can be exploited by attackers, thereby minimizing the risk of data breaches, financial losses, and reputational damage.
Proposed Solution
Cloud services are employed for various purposes in corporate environments, ranging from storing data in services like Box, accessing productivity tools through Microsoft 365, to deploying IT infrastructure in Amazon Web Services (AWS). In all these applications, organizations leverage cloud services to enhance their operational efficiency, promoting agile technology adoption often at a reduced cost. However, the utilization of any cloud service brings forth challenges and risks related to data security in the cloud. The responsibility for securing data created in the cloud, transmitted to the cloud, and retrieved from the cloud lies with the cloud customer. Safeguarding cloud data necessitates visibility and control. The subsequent steps outline a core set of best practices for cloud security, providing guidance to enterprises in achieving a secure cloud environment and addressing cloud security concerns.
Phase 1: Understand cloud usage and risk
Step 1: Identify sensitive or regulated data.
The largest area of risk involves the loss or theft of data resulting in regulatory penalties or intellectual property loss. Data classification engines can categorize data, allowing companies to fully assess these risks.
Step 2: Understand how sensitive data is being accessed and shared.
Sensitive data can be securely held in the cloud, but companies must monitor who accesses it and where it goes. Assessing permissions on files and folders of the cloud environment, along with access context like user roles, user location, and device type, is crucial.
Step 3: Discover shadow IT (unknown cloud use).
Most individuals do not consult their IT team before signing up for a cloud storage account or converting a PDF online. Utilize web proxy, firewall, or SIEM logs to discover unknown cloud services in use, and then assess their risk profiles.
Step 4: Uncover malicious user behavior.
Both careless employees and third-party attackers can exhibit behavior indicating malicious use of cloud data. User behavior analytics (UBA) can monitor anomalies and mitigate both internal and external data loss.
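Phase 1 turns on visibility: Step 3 in particular asks for unknown cloud services to be discovered from proxy, firewall or SIEM logs and then risk-assessed. The following is an added Python illustration of that discovery step, not code from the original article. It assumes a constructed proxy access log in the form `epoch client_ip user method url bytes`, a constructed registry of sanctioned services maintained by IT, and a constructed risk feed for known third-party domains of the kind a CASB would supply.

```python
"""Discover unsanctioned cloud services (shadow IT) from web-proxy logs.

Added illustration for Phase 1, Step 3; not code from the original article.
Assumptions (all constructed here): a proxy log with fields
  <epoch> <client_ip> <user> <method> <url> <bytes>,
a sanctioned-services registry kept by IT, and a risk feed for known SaaS domains.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed registry of sanctioned cloud services (domain -> owning team).
SANCTIONED = {"box.com": "IT", "microsoftonline.com": "IT", "amazonaws.com": "platform"}
# Constructed risk ratings for known third-party services; anything else is "unknown".
RISK_FEED = {"filetransfer-free.example": "high", "pdf2word.example": "medium"}
# Constructed proxy log sample: epoch client_ip user method url bytes.
SAMPLE_LOG = """\
1700000000 10.1.2.3 alice GET https://app.box.com/folder/1 512
1700000001 10.1.2.4 bob POST https://filetransfer-free.example/upload 7340032
1700000002 10.1.2.3 alice GET https://login.microsoftonline.com/common 2048
1700000003 10.1.2.9 carol POST https://pdf2word.example/convert 1048576
1700000004 10.1.2.4 bob POST https://filetransfer-free.example/upload 5242880
"""

def registrable_domain(host):
    """Collapse a hostname to its last two labels (sufficient for this sample)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])

def is_sanctioned(host):
    """True if the host or any parent domain is in the sanctioned registry."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in SANCTIONED for i in range(len(labels)))

def parse_line(line):
    epoch, _client, user, method, url, nbytes = line.split()
    return {"ts": int(epoch), "user": user, "method": method,
            "host": urlsplit(url).hostname or "", "bytes": int(nbytes)}

def discover_shadow_it(log_text):
    """Aggregate traffic to services outside the registry, per registrable domain.
    Bytes sent via POST/PUT are tracked separately: data leaving the enterprise
    to an unvetted service is the exposure to assess first."""
    findings = defaultdict(lambda: {"users": set(), "requests": 0,
                                    "upload_bytes": 0, "risk": "unknown"})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec["host"] or is_sanctioned(rec["host"]):
            continue
        dom = registrable_domain(rec["host"])
        f = findings[dom]
        f["users"].add(rec["user"])
        f["requests"] += 1
        if rec["method"] in ("POST", "PUT"):
            f["upload_bytes"] += rec["bytes"]
        f["risk"] = RISK_FEED.get(dom, "unknown")
    return dict(findings)

if __name__ == "__main__":
    report = discover_shadow_it(SAMPLE_LOG)
    for dom, f in sorted(report.items(), key=lambda kv: -kv[1]["upload_bytes"]):
        print(f"{dom:28} risk={f['risk']:8} users={len(f['users'])} "
              f"upload={f['upload_bytes'] / 2**20:.1f} MiB")
```

The per-domain user count and upload volume are what turns a raw list of unknown hostnames into a prioritised list for the risk assessment the step calls for.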
Phase 2: Protect your cloud
Step 1: Apply data protection policies.
With data classified as sensitive or regulated, assign policies governing what data can be stored in the cloud. Quarantine or remove sensitive data found in the cloud and coach users in case of policy violations.
Step 2: Encrypt sensitive data with your own keys.
While encryption available within a cloud service protects data from outside parties, the cloud service provider still has access to encryption keys. Encrypt data using your own keys for full control while allowing users to work with the data seamlessly.
Step 3: Set limitations on how data is shared to managed and unmanaged devices.
Enforce access control policies from the moment data enters the cloud, setting user or group permissions and controlling external sharing through shared links.
Step 4: Apply advanced malware protection to infrastructure-as-a-service (IaaS) such as AWS or Azure.
In IaaS environments, where security responsibilities lie with the user, apply anti-malware technology to the operating systems, applications, and network traffic. Deploy application whitelisting, memory exploit prevention for single-purpose workloads, and machine-learning-based protection for general-purpose workloads and file stores.
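Steps 1 to 3 of Phase 2 amount to a policy that is evaluated on every file event: what may be stored, whether it is encrypted under customer-held keys, and how it may be shared or downloaded. The following is an added Python illustration of such a policy evaluator, not code from the original article. The event schema, the classification levels and the rule set are constructed examples, not a real CASB product's policy language.

```python
"""Evaluate a cloud data-protection policy against file events.

Added illustration for Phase 2, Steps 1-3; not code from the original article.
The event schema, classification levels and rules are constructed examples.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEvent:
    path: str
    classification: str        # one of LEVELS
    action: str                # "upload" | "share_link" | "download"
    device_managed: bool
    link_scope: str = "none"   # "none" | "org" | "external"
    customer_key_encrypted: bool = False   # encrypted under keys the customer holds

LEVELS = ["public", "internal", "confidential", "regulated"]   # least to most sensitive
SEVERITY = {"allow": 0, "coach": 1, "block": 2, "quarantine": 3}

def at_least(level):
    """Predicate factory: event classification is `level` or more sensitive."""
    return lambda ev: LEVELS.index(ev.classification) >= LEVELS.index(level)

# Constructed policy as (rule name, predicate, decision). Several rules may fire;
# the most severe decision wins and every matching rule name is reported.
RULES = [
    # Step 1: regulated data may not be stored in this cloud at all.
    ("regulated-data-not-in-cloud",
     lambda ev: ev.action == "upload" and ev.classification == "regulated", "quarantine"),
    # Step 2: confidential data must be encrypted under customer-held keys.
    ("customer-key-required",
     lambda ev: ev.action == "upload" and at_least("confidential")(ev)
     and not ev.customer_key_encrypted, "quarantine"),
    # Step 3: control external sharing and unmanaged devices.
    ("no-external-link-for-confidential",
     lambda ev: ev.action == "share_link" and ev.link_scope == "external"
     and at_least("confidential")(ev), "block"),
    ("coach-on-external-link-for-internal",
     lambda ev: ev.action == "share_link" and ev.link_scope == "external"
     and ev.classification == "internal", "coach"),
    ("no-sensitive-download-to-unmanaged-device",
     lambda ev: ev.action == "download" and not ev.device_managed
     and at_least("confidential")(ev), "block"),
]

def evaluate(ev):
    """Return (decision, [matched rule names]); 'allow' when nothing matches."""
    hits = [(name, decision) for name, pred, decision in RULES if pred(ev)]
    if not hits:
        return "allow", []
    worst = max(hits, key=lambda h: SEVERITY[h[1]])[1]
    return worst, [name for name, _ in hits]

if __name__ == "__main__":
    for ev in [   # constructed sample events
        FileEvent("q3-forecast.xlsx", "confidential", "upload", True, customer_key_encrypted=True),
        FileEvent("q3-forecast.xlsx", "confidential", "upload", True),
        FileEvent("memo.docx", "internal", "share_link", True, link_scope="external"),
        FileEvent("q3-forecast.xlsx", "confidential", "download", False),
    ]:
        print(ev.path, ev.action, "->", evaluate(ev))
```

Returning every matched rule, not just the winning decision, is what makes the "coach the user" outcome of Step 1 actionable: the user can be told which policy was violated.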
Why is Cloud Security Testing important?
Cloud security testing is one of the most important activities for ensuring that a company's cloud infrastructure is safe from hackers. As the cloud computing market grows rapidly, there is a growing need for application security solutions for the cloud to ensure that businesses are protected from cyber-attacks. Cloud security testing helps to identify potential security vulnerabilities through which an organization could suffer massive data theft or service disruption. It is useful for both organizations and cloud security auditors: companies can use it to identify vulnerabilities that hackers could exploit to compromise cloud infrastructure, and cloud security auditors can use cloud security testing reports to validate the security posture of the cloud infrastructure. Nowadays, all or most applications are hosted in the cloud, and security is one of the major problems for those applications. The main objective of cloud-based security is to stop any threat or malware from accessing, stealing, or manipulating confidential data. It identifies the threats to the system and measures its potential vulnerabilities; it also helps in detecting security risks in the system and helps developers fix those problems in code. Cloud-based application security testing makes it feasible to host the security testing tools in the cloud, so that tools running in the cloud can test the applications. Previously, in traditional testing, companies needed to have on-premises tools and infrastructure; now, enterprises are adopting cloud-based testing techniques, which make the process faster and more cost-effective.
Types of Testing Performed in Cloud
Testing in the cloud ensures that functional needs are met, and emphasis also needs to be placed on non-functional testing. Here are several types of testing performed in the cloud:
Functional Testing: It ensures requirements are satisfied by the application.
System Testing: This technique evaluates requirements and functionalities from an end-to-end perspective.
Acceptance Testing: It ensures that the software is ready to be used by an End-User.
Non-functional Testing: This testing is to ensure that the expected requirements are met, including Quality of service, Usability, Reliability, and Response time.
Security Testing: It examines the app and ensures six basic principles - Authorization, Availability, Confidentiality, Authentication, Integrity, and Non-repudiation.
Scalability and Performance Testing: These tests help to understand the system behavior under a certain expected load.
Compatibility Testing: It ensures compatibility with various cloud environments and instances of different operating systems.
Disaster Recovery Testing: Recovery testing evaluates the disaster recovery time and ensures that the application is available to the user again with minimum data loss.
Multi-Tenancy Testing: This testing applies to a software architecture in which a single instance runs on a server and serves multiple tenants. In this testing, the cloud environment aims to provide a dedicated share of the instance to every tenant, including the tenant's individual functionality, data, user management, configuration, and non-functional properties.
A wide range of testing tools is used in the testing of cloud-based applications. Some of them are as follows:
SOASTA CloudTest: CloudTest is one of the largest, highly scalable, and global load testing platforms that help you to quickly validate if your project is ready for success.
OWASP ZAP (Zed Attack Proxy): It is an open-source security testing tool designed to find vulnerabilities in web applications and it provides automated scanners as well as various tools for manual testing.
LoadStorm: LoadStorm has a simple user interface. It can generate scripts representing different user types and allocate the right volume to each.
BlazeMeter: BlazeMeter is delivered as a self-service web application for developers and Quality Assurance (QA) professionals, providing a comprehensive, easy-to-use load and performance testing solution. It can even generate a report on the most complex load testing requirements and environments.
Nessus: This cloud-testing tool can be used to detect misconfigurations, vulnerabilities, and missing patches. It is a boon for the banking and healthcare industries as it can generate an audit report as well. It is one of the most widely used testing tools, and its benefits are not limited to healthcare and banking but extend to other industries as well.
Burp Suite: It is a comprehensive platform for web application security testing. It includes features for scanning, crawling, and analyzing web applications for security vulnerabilities.
AppPerfect: This tool concentrates on cloud testing for web applications, wherein we can do functional tests and load tests for web applications using real traffic over the Internet. We can test web applications on different browsers, hardware, and operating system combinations by using the cloud testing framework, and we can design, develop, and execute tests using the company's servers over the cloud infrastructure.
Watir: As it is an open-source and effective tool, you do not have to spend anything to use it. It consists of Ruby libraries, which makes the tool more user-friendly and powerful.
Conclusion
Security testing in the cloud represents a crucial element in the cloud security strategy of any organization. Through the adoption of a comprehensive and proactive approach to cloud security testing, organizations can proficiently recognize, prioritize, and address vulnerabilities before potential exploitation. This process aids in safeguarding digital assets, ensuring compliance, and cultivating trust among customers and partners within the dynamic digital landscape.