Security considerations for tests running on the cloud

When you run a VU Schedule on the IBM SoftLayer cloud, your test data flows over the public network. The test assets are transmitted to and stored temporarily on the cloud agents, and are carried back to your system under test over the public Internet. Apply the following security practices when you run a test or schedule on the cloud.

How cloud run works

When you initiate a cloud execution, your machine contacts a cloud service that exists on the public Internet. The purpose of this service is to dynamically provision the agent virtual machines (VMs) involved in the current cloud run. The following list describes the lifecycle and image security of a VM instance:
  • VM instance lifecycle
    • Created explicitly for the current run.
    • Never shared among different customers.
    • Deprovisioned/deleted after the cloud execution.
  • VM image security
    • Remote login is disabled. This means that support personnel do not have any mechanism to remotely log in to the VM.
    • Contains firewalls that allow only outgoing traffic.
    • Based on images set up by IBM security.
    • Frequently updated to contain the latest security updates posted by Red Hat 7.2.

After the agents are provisioned, your test assets are transmitted directly to the new VMs. The workload is executed exactly as it is specified in your test assets. Servers that were recorded without encryption play back without encryption. Any unencrypted web traffic specified in your test assets is susceptible to data theft. After the run completes, the test results are downloaded to your local machine. No versions of the results or test assets are stored on any system in the cloud. All the VMs are deprovisioned/deleted.

Best practices

  • Do not use production or sensitive data, including names and passwords.
  • Ensure that your test only uses HTTPS/SSL secure connections.
  • Protect data by using encrypted datapools.
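
Because servers recorded without encryption play back without encryption, it helps to audit the URLs in a test before sending it to cloud agents. The following pre-flight check is an added example, not part of the product or its documentation; it assumes the recorded request URLs have been exported as plain strings, and the sample URLs and the list of sensitive parameter names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Schemes that carry traffic without transport encryption.
CLEARTEXT_SCHEMES = {"http", "ws", "ftp"}
# Assumed parameter names that suggest credentials in a URL (illustrative list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "apikey", "secret"}

def audit_recorded_urls(urls):
    """Return {host: sorted findings} for URLs that are unsafe to replay from cloud agents."""
    findings = defaultdict(set)
    for raw in urls:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue  # skip blank lines and comments in the exported list
        parts = urlsplit(raw)
        host = parts.hostname or "<unparsed>"
        scheme = parts.scheme.lower()
        if scheme in CLEARTEXT_SCHEMES:
            findings[host].add(f"cleartext scheme '{scheme}'")
        elif scheme not in {"https", "wss"}:
            findings[host].add(f"unrecognized scheme '{scheme or 'none'}'")
        if parts.username or parts.password:
            findings[host].add("credentials embedded in URL userinfo")
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                findings[host].add(f"sensitive query parameter '{name}'")
    return {h: sorted(f) for h, f in findings.items()}

def is_safe_for_cloud_run(urls):
    """True only when no URL produces a finding."""
    return not audit_recorded_urls(urls)

# Constructed sample: URLs as they might be exported from a recorded test.
SAMPLE_URLS = [
    "https://shop.example.test/login",
    "http://img.example.test/banner.png",
    "https://api.example.test/v1/session?user=demo&password=demo123",
    "https://tester:pw@staging.example.test/admin",
    "HTTP://img.example.test/logo.png",
]

if __name__ == "__main__":
    for host, issues in sorted(audit_recorded_urls(SAMPLE_URLS).items()):
        print(host, "->", "; ".join(issues))
```

A host that appears in the report needs to be re-recorded over HTTPS, or have its credentials moved into an encrypted datapool, before the schedule is run on the cloud.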