Computing Reviews
CSA guide to cloud computing : implementing cloud privacy and security
Samani R., Reavis J., Honan B., Syngress Publishing, Waltham, MA, 2014. 236 pp. Type: Book (978-0-124201-25-5)
Date Reviewed: Jun 16 2015

The “cloud is transforming computing into a utility,” but at the same time, “as our dependency grows, so does the potential impact of any incident.” And then there are some privacy issues. This book, from the Cloud Security Alliance (CSA), addresses these issues.

Chapter 1, “Cloud Computing, What Is It and What’s the Big Deal?” sets the scene. While the cloud is very important, and used by most, it seems it is not well understood. The chapter contains the expected items, like the differences between public, private, community, and hybrid clouds, and between infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). This chapter also introduces some key statements on cloud security. According to IDC, 87 percent of respondents cite security as their greatest worry.

The next chapter, “Selecting and Engaging with a Cloud Service Provider,” promotes due diligence on the cloud service provider (CSP) and shows the support the CSA provides to facilitate this. The CSA has maintained a security, trust, and assurance registry (STAR) since 2011, and it provides a CSP self-assessment. It suggests ISO 27001 or AICPA SOC 2 certifications and refers to the European Network and Information Security Agency (ENISA), two examples of non-CSA reference material.

The chapter on “The Cloud Threat Landscape” contains “the notorious nine.” The top four are the usual suspects: data breaches, data loss (caused by provider viability, insufficient disaster recovery/business continuity planning (DR/BCP) practices, and errors), account or service hijacking, and insecure interfaces and application program interfaces (APIs).

“Secure Cloud for Mobile Computing” contains the top eight mobile threats and countermeasures. It feels somewhat out of place here.

Chapter 5, “Making the Move into the Cloud,” is the largest. It urges readers to shift from protecting the perimeter and systems to protecting data, using an airport traffic control-like approach (for both planes and other ground vehicles). The responsibility and the options for security controls for the cloud depend on the type: SaaS, IaaS, or PaaS. The book discusses three guides [1,2,3].

“Certification for Cloud Service Providers” describes a controls matrix with 16 domains for governance, risk, and compliance; it builds on existing frameworks such as ISO 27k, with which it shares many of these domains. The chapter briefly discusses other frameworks like the EuroCloud Star Audit, ISO/IEC 27001, the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA), and a few others.

“The Privacy Imperative,” chapter 7, is short. The authors argue against the statement that the US Patriot Act undermines privacy any more than laws in other countries. They present the 16-point CSA privacy-level agreement.

“Cloud Security Alliance Research” covers nine areas. The most important are the big data working group, getting back to the privacy question, and security as a service, presenting ten categories.

Chapter 9, “Dark Clouds, What to Do in the Event of a Security Incident,” has one key message: be prepared. This is true without cloud usage, and more so when moving to the cloud: “fail to prepare, prepare to fail.” To pick out just two topics, notification issues and cloud forensics: one can only respond after being informed, so notification is key. Forensics is hard already, without the extra complexity of the cloud. Step 1 is “preserve evidence.” How can that be done in a shared, virtualized, and dynamic cloud environment?

The last chapter, “The Future Cloud,” can be summarized as “more.” This goes for complexity and security requirements, too.

The book provides useful information, but that will not suffice to take away the many security concerns, especially around privacy. The text on privacy is short and somewhat disappointing. The topic is handled with great care, attempting to stay in safe waters, and indeed correctly puts some concerns into perspective. As it is a key topic in the title, my expectations were higher.

Reviewer: A. Mariën. Review #: CR143528 (1509-0743)

1) Simmonds, P.; Rezek, C.; Reed, A. (Eds.) Security guidance for critical areas of focus in cloud computing v3.0. Cloud Security Alliance, 2011.
2) FedRAMP security assessment framework, v2.0. US GSA, Washington, DC, 2014, https://www.fedramp.gov/files/2015/03/FedRAMP-Security-Assessment-Framework-v1.0-2.docx.
3) Jansen, W.; Grance, T. Guidelines on security and privacy in public cloud computing. NIST, Gaithersburg, MD, 2011.

Categories: Cloud Computing (C.2.4 ... ); Security and Protection (C.2.0 ... )