Customer Reviews

13 Reviews
5 star: (9)
4 star: (2)
3 star: (2)
2 star: (0)
1 star: (0)

32 of 40 people found the following review helpful:
3.0 out of 5 stars Real Bad Beginning - but gets better after chapter 3, July 8, 2010
This review is from: Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance (Theory in Practice) (Paperback)
I want to be fair here. I bought this book not to read hype on what looks like an emerging technology, albeit massively overhyped but, rather, to read about legal and business issues that might moderate its acceptance. To be fair, I will return to give my appraisal after I have finished but I was forced to share this so as to, perhaps, give pause to others interested in buying this book. I've seen webinars that refer to cloud computing as 2-10 technology, massively hyped for 2 years and will take the next 10 for the industry to sort out where it fits (and maybe more importantly where it does not).

The first two glaring take-aways I've seen in this book are 1) the mashing of social web to cloud computing, vis-a-vis considering MySpace, FaceBook, and other social web sites as examples of cloud computing, they are not; 2) the notion that end users will be writing their own programs in the clouds vs. the, since the dawn of software development, programmer (or more recently developers) writing the programs, tech writers writing the documentation, marketeers hyping the program and end users buying or using, with embedded ads, the software. Both of these are orthogonal to 'cloud computing'. While it may be someday, in a "Battlestar Galactica" age, end users may speak to their computer in whatever language they speak and tell it what they'd like it to do. For now it takes specialized training and while the computer languages used are different syntactically from those used in the '60s and '70s, fundamentally they are not different at all. Of course someday maybe everyone will be flying their cars to work and to play. On your next flight anywhere, tap the pilot and ask him how much specialized training he's had in order to taxi a plane, much less leave the ground and return it in one piece to wherever they said they would land it.

The authors talk about computing being a utility as electricity providers (or cable providers) yet they also talk about global compute clouds. Are there global utility companies? They talk about replacing NetBeans, Eclipse, Microsoft Visual Studio (IDEs) with some Utopian ephemeral global software development environment where the tools and end products exist virtually in some ether. None of that has to do with IT Governance and Security, much less Amazon, Terremark, Eucalyptus, RightScale, or CloudSwitch. Where they have another 10-11 chapters I withhold final judgment but I felt I owed it to others innocently looking for a good source of information, not hand-waving on this subject. Just as with any emerging technology or software development language there are plenty of people that emerge from the woodwork to write a book on it, totally independent of their experience with it. Confusing Cloud Computing and Web 2.0 is not going to garner confidence. If unwary readers do not discover this until after they have purchased the book, it will not make any difference.

As a professional software developer I can tell you provisioning an image for execution in the cloud is more intensive than provisioning a bare metal server. End users are not going to be doing anything more than issuing a run command on a pre-existing image.

Here is my take: Running your business at an undisclosed facility managed by Amazon (or others) is no more cost effective than running your business out of a service center was in the 70's or 80's. If you don't physically control the data, you don't physically control access to it either. Nowadays you are under legal obligation to do so. I spent the money on this book hoping there was more substance to the security, privacy, and governance aspects of cloud computing than I just summarized.

Since one of the authors has decided to launch personal attacks on me, I will continue with my review with Chapter 3. I didn't really pick up on this in chapters 1 and 2 but I am now concerned about who edited this book. Even at the high school level children are taught to never ever cite Wikipedia for their references. I noticed the bulk of the footnotes cited are Wikipedia. Since the source of information found on Wikipedia is unknown, its validity is also unknown. The professional standard for citations is peer reviewed sources. By using these there is a level of confidence that a claim made, by virtue of its citation, is likely of high quality.

An assertion, I believe, made several times, and characterized on pg 52, "The new mantra of 'the browser is your operating system...browsers have become the ubiquitous operating systems for consuming cloud services". I would call to the reader's attention in any legitimate Computer Science source the definition of an operating system. Internet Explorer is not an example of an operating system. Furthermore, services, clouded or not, where the Internet browser is the user interface (UI or GUI in this case), are but one type of solution space, often characterized as LAMP or Linux, Apache, MySQL, and PHP. This is totally independent of cloud anything. I contend whenever one writes a book (or publishes one) there are two axes of importance, the first being is the material relevant to the topic and the second is the material factually accurate. While one might choose to host multiple web containers in the 'cloud' to take advantage of the elasticity of the cloud for scaling up and down with volume, another pervasive class of problem that takes place in a cloud-like environment is compute scaling, such as can be seen in grid computing. In this space a problem may arise where 100 or 1000 processors are required to solve a compute intensive problem but only for a few hours. This, as opposed to 24x7x365, is an excellent usage of public cloud (burst mode). To the extent the author is, thus far, focusing on web based interaction with the cloud he calls out but never elaborates on why there is any more vulnerability for a web container hosted at an Amazon secure facility, for instance, than there is within one's own perimeter. The threat vector is port 80 or port 8080. Of course, if there really is one, the obvious solution is to use off port, two phase SSL, where both the client side and server side are digitally authenticated and encrypted, and host the open (proxy) website(s) within your perimeter. In either case the DoS attack on port 80 or 8080 is independent of the location of the web container. Isn't that correct Tim?

In chapter 3, pg 52, "Using hijacked or exploited cloud accounts, hackers will be able to link together computing resources to achieve massive amounts of computing without any of the capital infrastructure costs". Really? What about the account owner seeing running instances on their accounts they aren't using? How long does it take for a credit card owner or provider to realize an account is being misused? There is an easier vector for this, they are called bots and have been around for years. One need but Google the program Asphyxia. If you, for any decision, had a choice of hard vs. easy...which do you think a hacker would take?
In chapter 3, the author discusses type 1 and type 2 hypervisors. This is something of an arcane distinction but he refers to Xen as type 1, bare metal. This actually is incorrect as Xen is hosted by an operating system meaning it is not bare metal [...]. The authors spend much time on Xen, which is relevant from the perspective of security attacks against it but in that vein not a single mention, that I have found, is made of KVM which is part and parcel of all remotely recent versions of Linux from, I believe, 2.6.20 and up. Ubuntu Enterprise Cloud is based on KVM, as is Red Hat's virtualization and cloud family. But, this is why they make second editions.

Another assertion the authors make in chapter 3 (pg 59), "Security requirements such as an application firewall, SSL accelerator, cryptography, or rights management... are not supported in a public SaaS, PaaS, or IaaS cloud". Huh???? I refer the reader to Amazon's VPC, Intel's Service Gateway, SELinux, UFW. That is simply a patently false statement. Of course you can host your applications on an instance of an image configured with SELinux in enforce mode, fully firewalled, with no open connections on unsecured ports, and be quite secure. However, if this book was written in 2008 only to be published in early 2009 this may have been a more true statement then. However few people knew what cloud was in early 2009 and the entire field has rapidly evolved since the authors wrote this book. This is why it is necessary for authors, and publishers, to maintain an errata site, perhaps in the cloud, where corrections and retractions to, best case dated, worst case patently false, statements can be made. Intel, by the way, is also producing encrypting NICs (network interface cards).

While I still subscribe to my previous comment about if you don't control your data you don't control who has access to it, I do have an addendum to it. Cloud computing is a rapidly evolving field. A book, written by anyone, 2 years or more ago on cloud computing is, almost by definition, wrong or highly questionable. Technology simply moves faster than publishers generally do. If you have data that you don't want to or, legally, cannot share, it, in all likelihood, does not belong in a public cloud. If you are risk averse, it does not. If you are risk tolerant then the decision should be dependent on talking to vendors, cloud and operating system (no, not web browsers). What are the cloud vendor's SLA, what is the insurance on data breaches, what is the state of the art vis-a-vis SELinux, encrypting NICs, encrypted databases, the cloud vendor's physical security, software security, etc. Who had physical access to software keys?

We are a long way from the George Jetson world. In our lifetime people won't be flying their cars to work. Provisioning of data centers, provisioning of infrastructure still, as in the case of airline pilots, should be left to trained and technically current professionals whose livelihoods depend on their ability to successfully navigate the issues. If you are somewhat risk tolerant talk to the vendors, they have no problems telling you what their competition can't do, and make your decisions based on the, then, current state of the art. Don't single source anything, seek confirmations on everything.

As I hope we are all telling our children and students, whatever they place on the Internet will be there forever.

Chapter 4 starts to get interesting although I disagree with some of the author's contentions, perhaps due to the temporal decay. In other words, in the non-SaaS world storing information as opaque encrypted blobs is certainly doable and would be the responsibility of the system designer to, perhaps optionally, persist the data as such and, upon authenticated readers, decrypt it. Consistent with what I've said earlier, if you don't control your data, you don't control who has access to it. What the author contends is that SaaS providers, let's use SalesForce as an example, should do the same with 'your data'. If you don't control the encryption keys used, you can't even control your own access to the data. This is actually part of the value proposition of CloudSwitch. Disclaimer, I have no affiliation with CloudSwitch. I do not even know if they were even a gleam in their founder's eyes when this book was written, so their niche would be clearly out of scope for the authors (temporal decay). However, in today's state of the art, protection zones, if you will, provisioned by SELinux and afforded by KVM provide for security when data, stored externally, is read by your program and decrypted within the protected zone of the process you are running in. One merely needs to Google SELinux to see what it provides for today vs. what it provided for 2-3 years ago.

Chapter 5 is good (happy now Tim?). Technically it is very rich and philosophically, unintentionally, provides good food for thought. Something I flagged at the beginning of this review gnawed at me and chapter 5 (Authentication, Authorization, and Auditing) provided closure on this. I mentioned there seems to be an underlying premise that the 'cloud' should or will evolve into a global entity, pg 33, "For cloud computing to continually evolve into a borderless and global tool..." Why should it? I vaguely recall an episode, I believe, from Star Trek, where there was some impending catastrophe in progress when Spock commanded, as a high priority task, the computer system to solve, to the last digit, the value of pi. Spock then reminds the captain pi is an endless number the computer(s) cannot solve. Uhura shortly announces to Spock and the captain that, one by one, all computer resources (cloud compute nodes) were being deployed to solve the command Spock gave it. Is that part of the problem space for cloud computing to solve? Frankly we sort of already have that in the academic world, Google Condor grid and University of Wisconsin. Oddly, I proposed the same sort of thing to a friend and VP at a large software company wherein corporate data centers would now have the prospect of 'selling' their unused cpu and disk capacity by merely joining a cloud as a resource provider rather than a resource consumer. To that end the authors are now on a solid path to addressing or, at least, articulating a direction CSPs could take or must take in order to realize that goal of a 'borderless and global tool'. Where this chapter is equally valid is the use case where you (the reader now) are on a trip to some other part of the country and are in an accident. You are brought to the local hospital and the attending doctor must gain access to your medical records. In a HIPAA world what needs to happen, architecturally, for that doctor to ensure your medical privacy, maintain auditability, and gain timely access to your medical history, oh, your own doctor is out of town.

Note to authors, I also upped your score. I anxiously await the next 100 pages and your second edition.
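The chapter 4 point argued in the review above, that data stored at a provider stays under the customer's control only if the customer holds the encryption keys, as an added Go example that is not from the book or the reviewer: the provider's store only ever receives an AES-256-GCM ciphertext, the record id is bound as associated data so re-filing a blob under another id is detected, and the store, record ids and record contents are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is all the provider ever stores: an opaque ciphertext, its nonce, and
// the one piece of metadata it is allowed to see (a record id).
type Blob struct {
	RecordID string
	Nonce    []byte
	Cipher   []byte
}

// NewCustomerKey generates a 32-byte AES-256 key that stays on the
// customer's side; the provider never receives it.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record under the customer's key with AES-256-GCM and a
// fresh random nonce. The record id is authenticated as associated data, so
// whoever holds the store cannot silently re-file a blob under another id.
func Seal(key []byte, recordID string, plaintext []byte) (Blob, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return Blob{RecordID: recordID, Nonce: nonce, Cipher: ct}, nil
}

// Open decrypts a blob. It fails if the key is wrong or if the ciphertext,
// nonce or record id was altered while in the provider's hands.
func Open(key []byte, b Blob) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, b.Nonce, b.Cipher, []byte(b.RecordID))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or tampered blob")
	}
	return pt, nil
}

func main() {
	key, _ := NewCustomerKey()
	// A plain map stands in for the provider's storage (constructed here);
	// it holds blobs only and has no key to open them with.
	providerStore := map[string]Blob{}

	// Constructed sample record; the provider receives only the sealed blob.
	blob, _ := Seal(key, "patient-42", []byte("allergies: penicillin"))
	providerStore[blob.RecordID] = blob

	stored := providerStore["patient-42"]
	pt, err := Open(key, stored)
	fmt.Printf("key holder reads: %q (err=%v)\n", pt, err)

	// Without the key the blob is opaque, whether to the provider or to
	// anyone who copies its storage.
	otherKey, _ := NewCustomerKey()
	_, err = Open(otherKey, stored)
	fmt.Println("without the key:", err)

	// Re-filing the same ciphertext under another id is detected.
	stored.RecordID = "patient-43"
	_, err = Open(key, stored)
	fmt.Println("re-filed blob:", err)
}
```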


9 of 11 people found the following review helpful:
4.0 out of 5 stars Very comprehensive, but a bit dry, February 19, 2010
It goes without saying that I was very excited to pick up the first book on cloud security and privacy. Due to my Cloud Security Alliance (CSA) involvement, I was extremely interested in Tim's take on the subject. The book is indeed a comprehensive treatise on everything cloud, and everything cloud security. The author team covers the topics based on IaaS/PaaS/SaaS (SPI) for infrastructure, platform, and software as a service model. They address stored data confidentiality, cloud provider operations, identity and access management in the cloud, availability management as well as privacy. My favorite chapter was of course the one on audit and compliance - chapter 8. Another fun chapter was chapter 12 on conclusions and the future of the cloud (which is, BTW, all but assured...).

One of the most important things I picked from the book was a very structured view on separation of security responsibilities between the cloud provider and the customer for all of the SPI scenarios. This alone probably justifies getting your own copy.

As far as technical contents, the book stays fairly high-level even though it touches on the details of SAML and other authentication protocols.

The only downside of the book is its extremely dry writing style. There are only a few examples and case studies. Following the "just the facts" model sometimes might lead the reader towards losing interest, no matter how important the subject is - and this subject is pretty darn important. To put this in context, I do read security books for fun, not only for work.


5 of 8 people found the following review helpful:
5.0 out of 5 stars THE BLIND MEN AND THE ELEPHANT, November 10, 2009
My title is no accident. I heard Mary Ann Davidson, CSO of Oracle, use it at an RSA conference referring to cloud computing; she also spoke about it at ISF Canada 2009, where the whole subject has been elevated to theological warfare.

To sort the whole subject out and become familiar with the evolution of cloud computing I searched for a book on the subject and found many. To be fair to the rest of the books out there, I only read one of them, yes you guessed it, Cloud Security and Privacy. Being a security person myself the title had the 2 operative words I needed to see Security and Privacy (and yes, I am shallow).

Oh yes, about the book: this is by far the best book I have read for a long time. What impressed me is the way it is written, there are questions in nearly every chapter, as you read the question you realize that you were thinking that exact question, or you would have if you knew what to think. For example "what is cloud computing?" Ok I know that's a given but stay with me; now here are some of the rest of the questions, "What Is Privacy?" I think that is one hell of a question and the answers given by the author are not ground breaking, however "What Is the Data Life Cycle?" "What Are the Key Privacy Concerns in the Cloud?", "Who Is Responsible for Protecting Privacy?" put all these questions and more together and properly answer them all, you end up with a near masterpiece.

By the end of Chapter 3 you are not only familiar with cloud computing but you are now able to speak IAAS, PAAS, SAAS and actually understand the infrastructure security as it relates to IAAS.

I especially liked Chapter 6, Security management in the cloud, a very well written chapter about security management as it relates to cloud computing; both ITIL and ISO27001 controls are mapped to the cloud.

Chapter Seven, which deals with Privacy, is one of the most important chapters. Privacy may be the single most important factor in deciding whether one chooses to use cloud computing or not. The author includes a very rich sampling of many of the laws related to Privacy acts throughout the globe and yet in the beginning of the chapter you'll find the following dilemma: "but although it may be possible to transfer liability via contractual agreements, it is never possible to transfer accountability." -Cloud Security and Privacy. I may argue that this chapter should have been the second chapter of the book.

In conclusion:
I could write a book about this book, but that would not be fair to you (as you may have noticed, I do not have the talent). Simply buy the book and read it yourself, it is not that expensive and it certainly looks more intelligent than those other books you have about Hacking something or other.

Best Fishes and thank you for reading.
Vik


4 of 7 people found the following review helpful:
5.0 out of 5 stars This should be read before you send anything off "to the cloud"..., October 18, 2009
The biggest trend (and some would say hype) in computing today is the cloud... the ability to have software and infrastructure all housed offsite in a flexible way that allows you to instantly scale resources and only pay for what you use. But there are so many questions that this approach raises in terms of security and privacy. Tim Mather, Subra Kumaraswamy, and Shahed Latif take on those questions in their new book Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. Before you decide to put anything "in the cloud" for your organization, you really should read this book in order to fully understand the risks and rewards of moving in that direction.

Contents:
Introduction; What Is Cloud Computing?; Infrastructure Security; Data Security and Storage; Identity and Access Management; Security Management in The Cloud; Privacy; Audit and Compliance; Examples of Cloud Service Providers; Security-As-A-[Cloud] Service; The Impact of Cloud Computing on The Role of Corporate IT; Conclusion, and The Future of The Cloud; SAS 70 Report Content Example; Systrust Report Content Example; Open Security Architecture For Cloud Computing; Glossary; Index

There's no doubt that moving to the cloud has the potential for saving an organization significant amounts of money. But what good is saving money if you end up with major security/privacy breaches, or if your application is unreachable due to outages? The authors do an excellent job in explaining exactly what makes up a cloud solution, as well as what considerations come into play when you decide to give up control of part of your infrastructure to someone else. As they accurately point out, there are many cloud risks that are also present in on-premise computing solutions, such as redundancy, security, etc. It just so happens that the cloud tends to magnify those risks because you aren't physically able to say exactly where your data is and what the cloud environment looks like. Going through this book helps you understand those risk levels so that you can decide how best to address them *before* you ship your data off to who knows where.

I think I personally appreciated the fact that they didn't attempt to "sell" the cloud as a solution that fits everybody and every situation. There are some instances where a cloud solution may not work due to regulatory reasons, and they point those out. For instance, HIPAA regulations have some very stringent rules on data security and privacy on personal health information. Given that your data stored in the cloud is not physically under your control, you may well find that you would be in violation of HIPAA regs by using a cloud solution without stringent safeguards. You also have no control over the physical medium on which the data is stored. If your cloud provider were to replace a drive in their storage, can you be assured that they have properly wiped the contents so as to not reveal information should the faulty device not be disposed of securely? And how about their backup media... how and where is your data being backed up? *IS* it being backed up? These are the questions you need to be asking before you decide that $5 per person per month is a great deal.

There are no other books that I know of that attempt to deal with this subject as completely and as comprehensively as does Cloud Security and Privacy. You really do owe it to your organization to read this first in order to be able to ask the right questions. Anything less would be highly negligent on your part.

Disclosure:
Obtained From: Publisher
Payment: Free


2 of 4 people found the following review helpful:
5.0 out of 5 stars Important and timely topic - excellent coverage, October 23, 2009
By Wesley H. Higaki (Silicon Valley, USA)
Cloud computing is such a hot topic in today's IT world. The business reasons for adopting cloud computing to run SMB and enterprise IT operations are so strong that it is almost inevitable that we will see a movement toward more and more cloud services being offered. Perhaps a dark cloud that hangs over cloud computing is the question of security (and privacy). The authors of "Cloud Security and Privacy" have done an excellent job of describing today's landscape and the security issues swirling around cloud computing. They provide a good mix of perspectives from IT InfoSec to auditor to cloud provider. They provide a clear and organized view of the security challenges. I would recommend this book for anyone who is thinking about using or providing cloud services.


0 of 1 people found the following review helpful:
5.0 out of 5 stars Excellent and Comprehensive, October 25, 2010
This is an excellent explanation of security issues touching cloud computing. It tries to help security professionals understand why cloud computing is experiencing such rampant adoption, explains what security concerns are new or not really new in the space, and goes into a lot of good practical depth on what things you need to do to secure various kinds of cloud offerings. I thought the IAM chapter in particular was excellent. And they didn't just talk theory; they demonstrate an understanding of how Amazon, Azure, and the other major cloud players work.


0 of 1 people found the following review helpful:
5.0 out of 5 stars A great coverage on Cloud security, July 23, 2010
For organizations that are planning on going to the cloud, security is usually a top concern. This book has comprehensive coverage on security--infrastructure security, data and storage security, identity and access management. What I liked the most in this book is its coverage on Federated Identity and regulatory compliance. This book can be a good resource for people who are planning on cloud computing solutions.


0 of 1 people found the following review helpful:
5.0 out of 5 stars If you want to be well informed on Security in Cloud...this book is the one., October 19, 2009
"Cloud Computing" has been the buzz word for a while now and Fortune 1000 companies are drawn to this new trend. The technology is being adopted by customers without fully understanding the pros and cons of Cloud Computing, similar to the early days of Virtualization. This book addresses the pros and cons of Cloud Computing to help IT (who is responsible for service delivery to their business customers) understand the risks and advantages of utilizing Cloud services.

Virtualization administrators, security administrators, CIOs, practically everyone responsible for service delivery can benefit from this book. This book introduces the concept, digs deeper into the deployment models, threats, vulnerabilities, talks about compliance challenges in cloud, and compares various services that leverage cloud to deliver security-as-a-service.

This book is a great read to keep up with this emerging trend and to arm yourself with technical and business knowledge to make informed decisions, especially if you are part of the team deciding to go to the cloud for your computing needs.

Thanks
Sudhakar


3 of 6 people found the following review helpful:
5.0 out of 5 stars Preparation for the coming cloud reality, October 16, 2009
By Aaron H. Miller (Mountain View, CA USA)
If we learn nothing else from the recent (10/2009) Microsoft/Danger Sidekick data loss and recovery debacle, it should be that with great promise comes great responsibility. While that particular incident post-dated the publication of the book, what the authors accomplish in "Cloud Security & Privacy" is just such a prescient view of the current state of cloud computing. The promises of the cloud vendors must be tempered with a clearer understanding of exactly what we are abdicating responsibility for, for at times privacy, security, and portability are at stake.

I'll be honest, when I first picked up the book, I thought the entire subject too new to warrant book treatment. However, the authors' careful and thorough approach to the build-up to cloud computing presents a convincing case that it has been more a steady evolution than overnight revolution (despite what Benioff might claim). Their inclusion of homomorphic encryption, though brief, shows they are also current, and their frequent citations of reference URLs make for multi-layered and modern self-discovery. So, trends of our current microblogging, texting, instant messaging, email is too slow culture aside, serious topics still deserve serious thought and nothing yet can beat a book for such coverage. In this light, this tome's timely treatment of the subject should be considered required reading for those in the industry, and recommended reading for those with inquisitive minds who store their data in the cloud (not always knowingly).


Some additional, somewhat random comments:
* in a very matter-of-fact, yet approachable and intriguing way, the authors outline not only the impacts of cloud computing on IT, but expand it into larger society and international government considerations;
* leave it to security experts to hold us accountable for the promises cloud computing provides while grounding it in sound fundamentals and the implications of not building security in;
* if I may inject my own observation here (which seems fair, it is my review after all): despite the wide reach of Java, there have been amazingly few known exploits because the security model was designed in early on and is relatively unobtrusive...let's hope cloud architects follow a similar route.

All in all, a valuable, informative, and timely book that guides with logic and data tempered by experience...well worth your time and hard-earned money. Thank you Tim, Subra, and Shahed!


1 of 3 people found the following review helpful:
4.0 out of 5 stars Wondering how your business or business unit can benefit from the Cloud and what it will take? This is a must read., April 22, 2010
This review is from: Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance (Theory in Practice) (Paperback)
The authors of Cloud Security and Privacy recommend this book for technically savvy business persons who are thinking about using cloud computing, are interested in protecting their information, and are wondering about any security concerns. This is probably the perfect audience for this book, but it can also be used by business persons who are not as technically astute but who are interested in how cloud computing could be used by their business and what issues there may be with it. They can get an idea of the questions they should be asking (which of course technical people are going to love.....). It also is a book that can be used as a reference, even for technical persons; parts of it include best practices on securing virtual servers. If not familiar with that, this book can be a good reference; it won't give the entire how-tos but can introduce many of the security areas.

Since the "cloud" is a moving target, probably parts of this book can be considered out of date already since it was published in September of 2009, however, if you want to know what the cloud is, how the "industry" defines the evolution to the cloud and to learn how or if your company could benefit from it in a realistic manner, this is the book for you. If you want to know what the cloud is just out of curiosity, this book is way too much for you.

Cloud computing puts more decisions into the hands of business people, rather than IT. I am sure we have all heard that before (about earlier forms of Cloud computing - ASPs, etc.), but a good example of where this has been true has been with the use of SaaS (Software as a Service - which is now considered to be a Cloud service). A wide range of companies, large to small, are already using cloud services such as [...]. As well, a large number of small and medium sized businesses are using Intuit's online QuickBooks service, so more companies are already "in the cloud" than probably realize it. From this book these same people can learn more about the other types of cloud services which may be applicable to their business as well.

There are still a lot of definitions floating around about what is "the cloud", and experts still do not agree, so the book lays out what may be one of the commonly accepted definitions, or not, but at least it gives a basis for the rest of the book and the range of what will be discussed. What can be mostly agreed upon by experts with regard to cloud computing are the accepted attributes of the cloud, which must be:

1. Multi-tenancy - enables sharing of resources and costs across a large pool of users, thus allowing for:
2. Massive scalability - has to allow for massive scale in compute power, bandwidth, and storage. Meaning the ability to scale to thousands and thousands of machines, the type of size that you need if you are an Amazon or Google and that you needed to build for yourselves, now making that available to others.
3. Elasticity - users of the cloud must be able to rapidly increase the amount of resources that they need, and then release those resources for others to use when they no longer need them.
4. Pay as you go - traditionally for getting your app out you paid a set price, and often paid for more than you needed, or usually needed, because you were building yourself or buying what you would need for peak times.
5. Self-provisioning of resources - users can use what they want to use for storage, CPU power, and network resources.

Also important to define were the three types of Cloud Service Providers (CSPs): IaaS (Infrastructure as a Service), SaaS (Software as a Service), and PaaS (Platform as a Service).

Chapters 3 and 4 discuss specific areas of security: infrastructure and data security and storage. There is a good breakdown for the different types of CSP delivery methods and the different types of security. The authors make it clear, though, that many of the security issues are not specifically caused by the cloud, and they may or may not be exacerbated by cloud computing.

A great point of the book is that it emphasizes what the CSP is responsible for, what the customer is responsible for, and where it is still questionable who is responsible for what. This is emphasized throughout the book. So depending on the service, for example the SaaS model such as [...] or Google Apps, it explains what [...] is responsible for, and then what the customer is responsible for, such as operational security (such as user and access management). It also goes into detail as to what type of security review the customer should do of the vendor, such as requesting information about the provider's security practices. This information should include their application security testing, release management, authentication and access control, etc. Although to date much has already been written about what type of review an enterprise should do of their SaaS providers' practices, the sections for the IaaS and PaaS providers will be interesting as well.

Good points in the Platform as a Service (PaaS) delivery model include software vendors such as Bungee and Eucalyptus, and CSPs such as Google App Engine, [...], Microsoft Azure, etc. In the multitenant PaaS service delivery model, the main security issues are containment and isolation of multitenant applications from each other. Since applications are developed by the customer, the customer is responsible for application security.

One of my favorite chapters is Chapter 6 - Security Management in the Cloud. After taking the reader through network, host, application, database, storage and web services, which include identity services, this chapter steps through understanding the scope of IT system management and monitoring responsibilities that fall on the user's shoulders, including access, change, configuration, patch and vulnerability management, and those that are the responsibility of the CSP.

The authors have reviewed the disciplines for common security frameworks such as ITIL (Information Technology Infrastructure Library) and ISO frameworks, and they have identified the relevant processes and the recommended security management focus areas for securing services in the cloud, including availability management (ITIL), access control (ISO/IEC 27002, ITIL), etc. So those that are familiar with these processes will find that they know most of what is in this chapter, but if your organization does not yet use a security management framework they will understand the pros and cons of using one. It is good that they took standard security frameworks and, based on that same terminology, pointed out which ones a CSP would have to think about, which ones a user of a CSP has to think about, etc.

The authors also have identified the security management processes which they feel are relevant to the cloud; the full list is available on page 113. Table 1 is a good chart of the security management functions for each type of cloud deployment/SPI.

A good point that the authors make, that is relevant to cloud computing, is that organizations (people and processes) and information systems are constantly changing. Management frameworks such as ITIL will help with the continuous service improvements that are necessary to align and realign IT services to changing business needs. So, for example, continuous service improvement could mean identifying and implementing improvements to the IT services that support business processes such as sales force automation using a cloud service provider. Security management is a constant process and will be very relevant to cloud security management.

Chapter 8 on Audit and Compliance also does a good job defining what the CSP is responsible for; a good list for the users of CSPs to understand. For example, within asset management, access control - data protection/segregation/encryption. The authors make it clear that audit and compliance are big issues when working with outsourcing vendors, as they will be with cloud service providers. I would have liked to have seen a chart or something which would have shown what a user needs to think about when using a cloud service provider and what you would not need to think about any more, i.e. is it a new issue that you have to think about because you are working with a CSP, or do you no longer have to think about it, or does the CSP have to think about it now? What would be avoided security issues, what would be the new ones, which ones are the same?

Ongoing, this book can be a great reference for operations managers or business owners or managers wanting to research how the "cloud" can impact their company. Conclusions in a lot of books can be "weak"; this one is definitely not weak. It is an excellent summary of the security concerns that are applicable to cloud computing. One could read chapters 1 & 2, get an overview of cloud computing and how it has evolved, and then actually read the summary, get an overview of the issues, and then read the appropriate chapter for the type of security concerns.

Cloud computing events are still hot and heavily attended. I was just at another on the 13th of April in Palo Alto, California, which included panel members from SAP, Citrix, T-Systems, and AT&T; there was a lively discussion of what people are looking for with regard to cloud computing: on-demand computing, as-needed consumption of compute power. [...]. Models that they are seeing: dominant capacity in-house, yet elasticity is rented out (bursting into the cloud as needed). If you are trying to use cloud services for disaster recovery, for example, or contingency purposes, there are still some issues such as getting a VERY large database server up immediately; transfer rates are not there yet. Web servers can be up immediately, but a database server can be brought up only a day later when the data arrives by disk. Cloud interoperability has been claimed to be a major issue of cloud computing, since there is still no reason for the cloud service providers to work together. However, the guys on the panel claim it is not a problem. In reality I would have to agree with this; depending on what you are running in the cloud, and how it was architected, you can technically move clouds. More of the issue, as with most business decisions, is how much effort it will take, as any move requires some effort, and how much it will cost.