The increased prevalence of cloud computing has led to fears of more and more damaging cloud security attacks. In the cloud environment, three levels of access have traditionally been defined: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). Security and privacy challenges vary across the different levels, with lower level access leading to more difficult problems. Cloud computing allows users to access on-demand computing resources that are made available by third-party cloud providers. This is very attractive to many users since they are able to access these services as needed and at a much lower cost than owning computing infrastructure. At the same time, the lack of direct ownership brings with it a multitude of security and privacy challenges.

This well-written and very important book provides coverage of these issues at all levels of the stack, from hardware techniques to application-level approaches. It is organized as a loose collection of 15 self-contained chapters written by different authors that describe recent advances in addressing some of the cloud computing security and privacy issues. It provides practitioners as well as researchers with an impressive and fascinating state-of-the-art overview of cloud security techniques and approaches. The book is suitable and highly recommended for anyone from graduate students to researchers in the field. I sincerely hope that organizing recent results in cloud computing security in this manner will make these results accessible to a wide audience and prepare future generations of software and hardware developers for the challenges they will face.

The individual chapters cover the following topics. The first chapter looks at cryptographic key management issues and challenges in cloud computing environments. The next chapter discusses the relationship between security and cost in the cloud, specifically asking if cloud computing is cost effective and how much security one can afford in the cloud. Chapter 3 then moves on to hardware-enhanced security for the cloud. The authors show that with certain hardware enhancements cloud computing can be made as secure as computing in locally owned facilities.

In chapter 4, the authors discuss the impact of software-defined networking (SDN), namely standards-based open architectures, on cloud security and the risks that SDN introduces to clouds. The next chapter presents two proof of isolation schemes that allow cloud users to verify that cloud resources are indeed physically isolated. The authors then provide experimental evidence that their schemes are practical in public and private cloud environments. Chapter 6 first surveys some research results related to the protection and efficient access of data stored and managed by external cloud servers. The authors then show how the combined application of the discussed solutions may introduce privacy problems.

Chapter 7 looks at collaborative enterprise computing environments where a group of enterprises maintain their own relational databases but allow restricted access to other parties. The authors provide an overview of the issues and possible solutions. Chapter 8 addresses three key challenges to realizing as a practical option the promise of encrypted query processing where queries are enabled over encrypted data without ever exposing plaintext or encryption keys: handling query operations that cannot execute in ciphertext, implementing a working system and acceptable query performance. Chapter 9 continues this inquiry by looking at privacy preserving keyword search over encrypted data. It introduces the problem and system model, and reviews standard techniques used to solve this problem.

Chapter 10 investigates risk-based processing over a hybrid cloud architecture as a possible alternative to computing on an encrypted domain in the cloud environment. Chapter 11 studies the problem of securing mission-centric operations, where a mission is modeled as a set of tasks, in a cloud environment. Chapter 12 discusses the possible use of computational decoys in the cloud to confuse a monitoring attacker. The authors propose a system they call DIGIT that employs decoy computation and introduces uncertainty as to which data and computation is legitimate. It prevents attackers from determining within a reasonable amount of time whether a captured system processes actual or bogus data.

In chapter 13, the author introduces secure time-aware provenance (STAP), a system that allows users to justify the existence or change of a certain distributed system state in an adversarial environment. Chapter 14 describes software cruising as a new approach to achieving efficient and scalable security monitoring. The last chapter, 15, presents a model for cyber-physical cloud systems and shows how this model can be used to manage cybersecurity risk and resilience.