Book Review – Cloud Security and Privacy – An Enterprise Perspective on Risks and Compliance

The authors of Cloud Security and Privacy recommend this book for technically savvy business people who are thinking about using cloud computing, want to protect their information, and are wondering what the security concerns are. That is probably the perfect audience for this book, but it can also be used by business people who are not as technically astute but who are interested in how cloud computing could be used by their business and what issues it may raise. They can get an idea of the questions they should be asking (which of course technical people are going to love…). It can also serve as a reference, even for technical people; parts of it include best practices for securing virtual servers. For those not familiar with that area, the book won’t give the entire how-to, but it introduces many of the relevant security areas.

Since the “cloud” is a moving target, parts of this book can probably be considered out of date already, since it was published in September of 2009. However, if you want to know what the cloud is, how the “industry” defines the evolution to the cloud, and how (or whether) your company could realistically benefit from it, this is the book for you. If you want to know what the cloud is just out of curiosity, this book is way too much for you.

Cloud computing puts more decisions into the hands of business people rather than IT. I am sure we have all heard that before (about earlier forms of cloud computing such as ASPs), but a good example of where it has actually been true is the use of SaaS (Software as a Service, which is now considered a cloud service). A wide range of companies, large and small, are already using cloud services such as Salesforce.com. A large number of small and medium sized businesses are also using Intuit’s online QuickBooks service, so more companies are already “in the cloud” than probably realize it. From this book those same people can learn about the other types of cloud services that may be applicable to their business as well.

There are still a lot of definitions floating around about what “the cloud” is, and experts still do not agree, so the book lays out what may be one of the commonly accepted definitions (or not); at least it gives a basis for the rest of the book and the range of what will be discussed. What experts can mostly agree upon are the accepted attributes that a cloud must have:

1. Multi-tenancy – resources and costs are shared across a large pool of users, which is what makes the remaining attributes possible.
2. Massive scalability – the cloud has to allow for massive scale in compute power, bandwidth and storage, meaning the ability to scale to thousands and thousands of machines. This is the kind of scale you need if you are an Amazon or a Google and that those companies had to build for themselves; it is now being made available to others.
3. Elasticity – users of the cloud must be able to rapidly increase the amount of resources they need, and then release those resources for others to use when they no longer need them.
4. Pay as you go – traditionally, to get your application out you paid a set price, and often paid for more than you needed (or usually needed), because you were building or buying what you would need for peak times.
5. Self-provisioning of resources – users can provision what they want to use in storage, CPU power and network resources themselves.

Also important to define are the three types of Cloud Service Providers (CSPs): IaaS (Infrastructure as a Service), SaaS (Software as a Service), and PaaS (Platform as a Service).

Chapters 3 and 4 discuss specific areas of security: infrastructure security, and data security and storage. There is a good breakdown by CSP delivery model and by type of security. The authors make it clear, though, that many of the security issues are not specifically caused by the cloud, and that they may or may not be exacerbated by cloud computing.

A great point of the book is that it emphasizes what the CSP is responsible for, what the customer is responsible for, and where it is still questionable who is responsible for what. This is emphasized throughout the book. For example, for the SaaS model (Salesforce.com or Google Apps), it explains what Salesforce.com is responsible for and then what the customer is responsible for, such as operational security (user and access management). It also goes into detail on the type of security review the customer should do of the vendor, such as requesting information about the provider’s security practices; this information should include their application security testing, release management, authentication and access control, etc. To date much has already been written about what type of review an enterprise should do of its SaaS providers’ practices, but the sections on the IaaS and PaaS providers will be interesting as well.
The book’s coverage of the Platform as a Service (PaaS) delivery model includes software vendors such as Bungee and Eucalyptus, and CSPs such as Google App Engine, Salesforce.com’s Force.com, Microsoft Azure, etc. In the multitenant PaaS service delivery model, the main security issues are containment and isolation of multitenant applications from each other. Since applications are developed by the customer, the customer is responsible for application security.

One of my favorite chapters is Chapter 6, Security Management in the Cloud. After taking the reader through network, host, application, database, storage and web services security (the last including identity services), this chapter steps through the scope of IT system management and monitoring responsibilities that fall on the user’s shoulders, including access, change, configuration, patch and vulnerability management, and those that are the responsibility of the CSP.

The authors have reviewed the disciplines in common security frameworks such as ITIL (Information Technology Infrastructure Library) and the ISO frameworks, and they have identified the relevant processes and the recommended security management focus areas for securing services in the cloud, including availability management (ITIL), access control (ISO/IEC 27002, ITIL), etc. Those who are familiar with these processes will find that they already know most of what is in this chapter, but if your organization does not yet use a security management framework, you will come to understand the pros and cons of using one. It is good that they took standard security frameworks and, using that same terminology, pointed out which processes a CSP has to think about, which ones a user of a CSP has to think about, and so on.

The authors have also identified the security management processes they feel are relevant to the cloud; the full list is on p. 113. Table 1 is a good chart of the security management functions for each type of cloud deployment/SPI model.
A good point the authors make, which they feel is relevant to cloud computing, is that organizations (people and processes) and information systems are constantly changing. Management frameworks such as ITIL help with the continuous service improvement that is necessary to align and realign IT services to changing business needs. For example, continuous service improvement could mean identifying and implementing improvements to the IT services that support business processes such as sales force automation delivered by a cloud service provider. Security management is a continuous process and will be very relevant to cloud security management.

Chapter 8, on Audit and Compliance, also does a good job of defining what the CSP is responsible for; it is a good list for users of CSPs to understand. Examples include asset management, access control, and data protection/segregation/encryption.

The authors make it clear that audit and compliance are big issues when working with outsourcing vendors, as they will be with cloud service providers. I would have liked to have seen a chart or something which would have shown what a user needs to think about when using a cloud service provider and what you would not need to think about any more, i.e. is it a new issue that you have to think about because you are working with a CSP, do you no longer have to think about it, or does the CSP have to think about it now? What would be the avoided security issues, what would be the new ones, and which ones are the same?

Going forward, this book can be a great reference for operations managers or business owners or managers wanting to research how the “cloud” can impact their company. Conclusions in a lot of books can be “weak”; this one is definitely not weak. It is an excellent summary of the security concerns that are applicable to cloud computing. One could read Chapters 1 and 2 to get an overview of cloud computing and how it has evolved, then read the summary to get an overview of the issues, and then read the appropriate chapter for the type of security concern of interest.

Cloud computing events are still hot and heavily attended. I was just at another one on the 13th of April in Palo Alto, California, which included panel members from SAP, Citrix, T-Systems, and AT&T; there was a lively discussion of what people are looking for with regard to cloud computing: on-demand computing, as-needed consumption of compute power. http://gaba-network.blogspot.com/2010/04/cloud-computing-2011.html. The models they are seeing: dominant capacity still in-house, with elasticity rented out (bursting into the cloud as needed). If you are trying to use cloud services for disaster recovery, for example, or for contingency purposes, there are still some issues, such as getting a VERY large database server up immediately; transfer rates are not there yet. Web servers can be up immediately, but a database server can be brought up only a day later when the data arrives by disk. Cloud interoperability has been claimed to be a major issue of cloud computing, since there is still no reason for the cloud service providers to work together. However, the guys on the panel claim it is not a problem. In reality I would have to agree with this; depending on what you are running in the cloud and how it was architected, you can technically move clouds. More of the issue, as with most business decisions, is how much effort it will take, as any move requires some effort, and how much it will cost.

Cloud Security and Privacy – An Enterprise Perspective on Risks and Compliance
By Tim Mather, Subra Kumaraswamy, and Shahed Latif
Copyright © 2009
