BKCLSEPR.RVW 20091113 "Cloud Security and Privacy", Tim Mather/Subra Kumaraswamy/Shahed Latif, 2009, 978-0-596-802769, U$34.99/C$43.99 %A Tim Mather %A Subra Kumaraswamy %A Shahed Latif %C 103 Morris Street, Suite A, Sebastopol, CA 95472 %D 2009 %G 978-0-596-802769 0-596-802765 %I O'Reilly & Associates, Inc. %O U$34.99/C$43.99 800-998-9938 707-829-0515 nuts@ora.com %O http://www.amazon.com/exec/obidos/ASIN/0596802765/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0596802765/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0596802765/robsladesin03-20 %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation) %P 312 p. %T "Cloud Security and Privacy" The preface tells how the authors met, and that they were interested in writing a book on clouds and security. It provides no definition of cloud computing. (It also emphasizes an interest in being "first to market" with a work on this topic.) Chapter one is supposed to be an introduction. It is very brief, and, yet again, doesn't say what a cloud is. (The authors aren't very careful about building background information: the acronym SPI is widely used and important to the book, but is used before it is defined. It stands for Saas/Paas/Iaas, or software-as-a-service, platform-as-a-service, and infrastructure-as-a-service. More simply, this refers to applications, management/development utilities, and storage.) A delineation of cloud computing is finally given in chapter two, stating that it is characterized by multitenancy, scalability, elasticity, pay-as-you-go options, and self-provisioning. (As these aspects are expanded, it becomes clear that the scalability, elasticity, and self-provisioning characteristics the authors describe are essentially the same thing: the ability of the user or client to manage the increase or decrease in services used.) The fact that the authors do not define the term "cloud" becomes important as the guide starts to examine security considerations. Interoperability is listed as a benefit of the cloud, whereas one of the risks is identified as vendor lock-in: these two factors are inherently mutually exclusive. Chapter three talks about infrastructure security, but the advice seems to reduce to a recommendation to review the security of the individual components, including Saas, Paas, and network elements, which seems to ignore the emergent risks arising from any complex environment. Encryption is said to be only a small part of data security in storage, as addressed in chapter four, but most of the material discusses encryption. The deliberation on cryptography is superficial: the authors have managed to include the very recent research on homomorphic encryption, and note that the field will advance rapidly, but do not mention that homomorphic encryption is only useful for a very specific subset of data representations. The identity management problem is outlined in chapter five, and protocols for managing new systems are reviewed, but the issue of integrating these protocols with existing systems is not. "Security management in the Cloud," as examined in chapter six, is a melange of general security management and operations management, with responsibility flipping back and forth between the customer and the provider. Chapter seven provides a very good overview of privacy, but with almost no relation to the cloud as such. Audit and compliance standards are described in chapter eight: only one is directed at the cloud. Various cloud service providers (CSP) are listed in chapter nine. The terse description of security-as-a-service (confusingly also listed as Saas), in chapter ten, is almost entirely restricted to spam and Web filtering. The impact of the use of cloud technology is dealt with in chapter eleven. It lists the pros and cons, but again, some of the points are presented without noting that they are mutually exclusive. Chapter twelve finishes off the book with a precis of the foregoing chapters. The authors do raise a wide variety of the security problems and concerns related to cloud computing. However, since these are the same issues that need to be examined in any information security scenario it is hard to say that any cloud-specific topics are addressed. Stripped of excessive verbiage, the advice seems to reduce to a) know what you want, b) don't make assumptions about what the provider provides, and c) audit the provider. copyright Robert M. Slade, 2009 BKCLSEPR.RVW 20091113