Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Cloud Security and Privacy", Tim Mather/Subra Kumaraswamy/Shahed Latif

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Han
    BKCLSEPR.RVW 20091113 Cloud Security and Privacy , Tim Mather/Subra Kumaraswamy/Shahed Latif, 2009, 978-0-596-802769, U$34.99/C$43.99 %A Tim Mather %A
    Message 1 of 1 , Jul 3, 2010
      BKCLSEPR.RVW 20091113

      "Cloud Security and Privacy", Tim Mather/Subra Kumaraswamy/Shahed
      Latif, 2009, 978-0-596-802769, U$34.99/C$43.99
      %A Tim Mather
      %A Subra Kumaraswamy
      %A Shahed Latif
      %C 103 Morris Street, Suite A, Sebastopol, CA 95472
      %D 2009
      %G 978-0-596-802769 0-596-802765
      %I O'Reilly & Associates, Inc.
      %O U$34.99/C$43.99 800-998-9938 707-829-0515 nuts@...
      %O http://www.amazon.com/exec/obidos/ASIN/0596802765/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0596802765/robsladesin03-20
      %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 312 p.
      %T "Cloud Security and Privacy"

      The preface tells how the authors met, and that they were interested
      in writing a book on clouds and security. It provides no definition
      of cloud computing. (It also emphasizes an interest in being "first
      to market" with a work on this topic.)

      Chapter one is supposed to be an introduction. It is very brief, and,
      yet again, doesn't say what a cloud is. (The authors aren't very
      careful about building background information: the acronym SPI is
      widely used and important to the book, but is used before it is
      defined. It stands for Saas/Paas/Iaas, or software-as-a-service,
      platform-as-a-service, and infrastructure-as-a-service. More simply,
      this refers to applications, management/development utilities, and
      storage.) A delineation of cloud computing is finally given in
      chapter two, stating that it is characterized by multitenancy,
      scalability, elasticity, pay-as-you-go options, and self-provisioning.
      (As these aspects are expanded, it becomes clear that the scalability,
      elasticity, and self-provisioning characteristics the authors describe
      are essentially the same thing: the ability of the user or client to
      manage the increase or decrease in services used.) The fact that the
      authors do not define the term "cloud" becomes important as the guide
      starts to examine security considerations. Interoperability is listed
      as a benefit of the cloud, whereas one of the risks is identified as
      vendor lock-in: these two factors are inherently mutually exclusive.

      Chapter three talks about infrastructure security, but the advice
      seems to reduce to a recommendation to review the security of the
      individual components, including Saas, Paas, and network elements,
      which seems to ignore the emergent risks arising from any complex
      environment. Encryption is said to be only a small part of data
      security in storage, as addressed in chapter four, but most of the
      material discusses encryption. The deliberation on cryptography is
      superficial: the authors have managed to include the very recent
      research on homomorphic encryption, and note that the field will
      advance rapidly, but do not mention that homomorphic encryption is
      only useful for a very specific subset of data representations. The
      identity management problem is outlined in chapter five, and protocols
      for managing new systems are reviewed, but the issue of integrating
      these protocols with existing systems is not. "Security management in
      the Cloud," as examined in chapter six, is a melange of general
      security management and operations management, with responsibility
      flipping back and forth between the customer and the provider.
      Chapter seven provides a very good overview of privacy, but with
      almost no relation to the cloud as such. Audit and compliance
      standards are described in chapter eight: only one is directed at the
      cloud. Various cloud service providers (CSP) are listed in chapter
      nine. The terse description of security-as-a-service (confusingly
      also listed as Saas), in chapter ten, is almost entirely restricted to
      spam and Web filtering. The impact of the use of cloud technology is
      dealt with in chapter eleven. It lists the pros and cons, but again,
      some of the points are presented without noting that they are mutually
      exclusive. Chapter twelve finishes off the book with a precis of the
      foregoing chapters.

      The authors do raise a wide variety of the security problems and
      concerns related to cloud computing. However, since these are the
      same issues that need to be examined in any information security
      scenario it is hard to say that any cloud-specific topics are
      addressed. Stripped of excessive verbiage, the advice seems to reduce
      to a) know what you want, b) don't make assumptions about what the
      provider provides, and c) audit the provider.

      copyright Robert M. Slade, 2009 BKCLSEPR.RVW 20091113

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Murder is a crime. Describing murder is not. Sex is not a crime.
      Describing sex is. - Gershon Legman (b. 1917) American writer
      victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
      http://www.infosecbc.org/links http://twitter.com/rslade
    Your message has been successfully submitted and would be delivered to recipients shortly.