Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance

Tim Mather, Subra Kumaraswamy, Shahed Latif

Published by: O'Reilly

ISBN: 978-0-596-80276-9

RRP: £26.99

Reviewed by: Jude Umeh, FBCS, CITP

Score: 9 out of 10

The concepts of cloud, security and privacy are not obvious bedfellows and, as this is a key concern for both individuals and corporate users, it was only a matter of time before some books were published on the topic. This book may well turn out to be one of the better ones, in my opinion.

First of all, the comprehensive depth of coverage provided by the authors makes this book a ready reference resource for those individuals or organisations that are serious about understanding security and the cloud.

It starts out with a contextual overview of the cloud and its position in the evolutionary timeline of the information age. This is followed by an explanation of the SPI (i.e. software, platform and infrastructure) framework for cloud computing services, which neatly translates into the SaaS, PaaS and IaaS propositions offered by the likes of Salesforce.com, Amazon and Google.

Based on this foundation, the book then goes on to explore how and why security, privacy and the ability to cater for audit and compliance requirements are such hot topics, especially as they are also key barriers to the adoption of cloud services in the enterprise.

The other interesting and useful aspect of this book is how the authors approach such thorny issues as identity and access management (IAM), privacy, security responsibilities (i.e. the customer versus the cloud service provider or CSP), cloud service interoperability and standards, as well as the many actual and potential conflicts with regulatory compliance and jurisdictional constraints.

They typically begin with a 360-degree overview of the topic (for example, there is a whole chapter on IAM), followed by a discussion of its relevance and application to cloud services, as well as the key implications for both the customer and their CSP. This makes it a complete package to aid a better understanding of cloud-related issues and of the benefits, pitfalls and best courses of action for the enterprise customer.

Furthermore, this book does a great job of discussing the various security standards, privacy and legal regulations, and their implications (e.g. SOX, HIPAA, GLBA, the US Patriot Act and EU Directives). There is also a chapter dedicated to audit and compliance requirements and controls (including example content in the Appendix).

Finally, the authors provide much needed guidance on what to look for (and what to expect) from the typical CSP, and they also provide a listing of example CSPs and their service offerings. This level of coverage creates an almost encyclopedic view of the titular topics of cloud security and privacy.

Perhaps as a result, the few downsides are that it is not a straightforward read from start to finish, as readers unfamiliar with the whole enterprise security domain may well have to refer back constantly to earlier sections of the book. Also, the wide coverage means that it is not necessarily detailed enough for implementation decisions without further information, but then it does a great job of providing appropriate sources of reference for these anyway.

In conclusion, this is a great source of information on a very hot topic du jour, and the combined experience and expertise of the authors do a lot to bring credibility and added value to this work. It is highly recommended for those who are either currently using, or considering, cloud services for their enterprise in the immediate or very near future.

Further Information: O'Reilly

January 2010