Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance
by Tim Mather, Subra Kumaraswamy and Shahed Latif

O'Reilly 2009.
ISBN: 978-0-596-80275-9. Amazon.com USD 31.49

Reviewed by Richard Austin, November 11, 2009

Unless you've been living under the proverbial rock with no sort of network access, you will have heard some of the buzz regarding cloud computing. Whether it's solving the problem of a greener data center, improved flexibility in the face of wildly varying workloads or just the classic conundrum of being tasked with doing more with less, cloud computing is being touted as the latest answer to all of IT's ills.

However, amidst the hype, there is an increasing chorus of voices asking the unpleasant questions about security, compliance and risk management. Some cloud aficionados see those concerns as sort of an evolutionary appendix held over from the previous generations of IT solutions but as this book so amply illustrates, many of the old problems survive the translation into the cloud relatively unscathed.

The authors are an interesting mix: a former CISO, a security access lead for a major vendor and an audit professional. Together they present a realistic and well-rounded perspective on the challenges of getting cloud computing right.

The book is organized into 12 chapters and three appendices. The first chapter provides a history of how cloud computing has evolved and sets the stage for the definitions that follow in Chapter 2. The definitions of the delivery models (SaaS, PaaS and IaaS)* and the deployment models (private, public and hybrid) establish a firm basis for the discussion to follow and bring some much-needed precision to the over-hyped definitions that litter the trade press.

Chapters 3 through 8 each consider an important security domain (infrastructure, data and storage, identity and access management, etc.) in the context of cloud computing and provide solid guidance on what changes (sometimes significantly) and, just as importantly, what remains the same. Each chapter opens with an overview of the domain to establish exactly which piece of the security puzzle it intends to tackle, and then considers that domain in the context of each of the delivery and deployment models. The authors are not shy about identifying where the cloud model has shortcomings in its current state. For example, in Chapter 6, "Data and Storage Security", after careful consideration they advise that "Currently, the only viable option for mitigation is to ensure that any sensitive or regulated data is not put into a public cloud".

Chapter 9, "Examples of Cloud Service Providers", gives an overview of the types of cloud services currently available (either for purchase or in beta). Chapter 10, "Security-As-a-[Cloud] Service", considers which security-relevant services (ranging from anti-malware to content filtering and vulnerability management) might be migrated into the cloud paradigm. The next chapter, "The Impact of Cloud Computing on the Role of Corporate IT", is a welcome look at just what effect cloud computing might have on the IT organization itself (whether in budget, responsibility or compliance). The final chapter provides an overall summary and looks to the future of cloud computing, identifying areas where the cloud paradigm will need to mature before it can fully realize its potential. The three appendices are really offered out of order: it is better to read Appendix C, "Open Security Architecture for Cloud Computing", to see why audit is such an important requirement for establishing trust in a cloud environment, before looking at the example SAS 70 (Appendix A) and SysTrust (Appendix B) audit reports.

This is a welcome book that takes a balanced look at the security and privacy issues in cloud computing. The authors have no visible axe to grind and focus their attention on WHERE cloud services should best be used and HOW they may be used wisely rather than the polemics for or against cloud computing in general. The authors are careful to provide definitions and develop concepts as they go along so the book can be profitably read by those with little previous knowledge or exposure to cloud concepts. Definitely a "must read" on a technology that will likely be appearing in an organization near you, soon.

* SaaS = Software as a Service
  PaaS = Platform as a Service
  IaaS = Infrastructure as a Service

Before beginning life as an itinerant university instructor and security consultant, Richard Austin was the storage network security architect for a Fortune 25 company. He welcomes your thoughts and comments at rausti19 at Kennesaw dot edu