REVIEW: "Cloud Security and Privacy", Tim Mather/Subra Kumaraswamy/Shahed Latif


BKCLSEPR.RVW   20091113

"Cloud Security and Privacy", Tim Mather/Subra Kumaraswamy/Shahed
Latif, 2009, 978-0-596-802769, U$34.99/C$43.99
%A   Tim Mather
%A   Subra Kumaraswamy
%A   Shahed Latif
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-802769 0-596-802765
%I   O'Reilly & Associates, Inc.
%O   U$34.99/C$43.99 800-998-9938 707-829-0515
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   312 p.
%T   "Cloud Security and Privacy"

The preface tells how the authors met, and that they were interested
in writing a book on clouds and security.  It provides no definition
of cloud computing.  (It also emphasizes an interest in being "first
to market" with a work on this topic.)

Chapter one is supposed to be an introduction.  It is very brief, and,
yet again, doesn't say what a cloud is.  (The authors aren't very
careful about building background information: the acronym SPI is
widely used and important to the book, but is used before it is
defined.  It stands for SaaS/PaaS/IaaS, or software-as-a-service,
platform-as-a-service, and infrastructure-as-a-service.  More simply,
this refers to applications, management/development utilities, and
storage.)  A delineation of cloud computing is finally given in
chapter two, stating that it is characterized by multitenancy,
scalability, elasticity, pay-as-you-go options, and self-provisioning.
(As these aspects are expanded, it becomes clear that the scalability,
elasticity, and self-provisioning characteristics the authors describe
are essentially the same thing: the ability of the user or client to
manage the increase or decrease in services used.)  The fact that the
authors do not define the term "cloud" becomes important as the guide
starts to examine security considerations.  Interoperability is listed
as a benefit of the cloud, whereas one of the risks is identified as
vendor lock-in: these two factors are inherently mutually exclusive.

Chapter three talks about infrastructure security, but the advice
seems to reduce to a recommendation to review the security of the
individual components, including SaaS, PaaS, and network elements,
which seems to ignore the emergent risks arising from any complex
environment.  Encryption is said to be only a small part of data
security in storage, as addressed in chapter four, but most of the
material discusses encryption.  The deliberation on cryptography is
superficial: the authors have managed to include the very recent
research on homomorphic encryption, and note that the field will
advance rapidly, but do not mention that homomorphic encryption is
only useful for a very specific subset of data representations.  The
identity management problem is outlined in chapter five, and protocols
for managing new systems are reviewed, but the issue of integrating
these protocols with existing systems is not.  "Security management in
the Cloud," as examined in chapter six, is a melange of general
security management and operations management, with responsibility
flipping back and forth between the customer and the provider.
Chapter seven provides a very good overview of privacy, but with
almost no relation to the cloud as such.  Audit and compliance
standards are described in chapter eight: only one is directed at the
cloud.  Various cloud service providers (CSPs) are listed in chapter
nine.  The terse description of security-as-a-service (confusingly
also listed as SaaS), in chapter ten, is almost entirely restricted to
spam and Web filtering.  The impact of the use of cloud technology is
dealt with in chapter eleven.  It lists the pros and cons, but again,
some of the points are presented without noting that they are mutually
exclusive.  Chapter twelve finishes off the book with a precis of the
foregoing chapters.

The authors do raise a wide variety of the security problems and
concerns related to cloud computing.  However, since these are the
same issues that need to be examined in any information security
scenario, it is hard to say that any cloud-specific topics are
addressed.  Stripped of excessive verbiage, the advice seems to reduce
to a) know what you want, b) don't make assumptions about what the
provider provides, and c) audit the provider.

copyright Robert M. Slade, 2009    BKCLSEPR.RVW   20091113
