Computing Reviews
Federal cloud computing : the definitive guide for cloud service providers (2nd ed.)
Metheny M., Syngress Publishing, Cambridge, MA, 2017. 536 pp. Type: Book (978-0-128097-10-6)
Date Reviewed: Jul 23 2018

The title indicates that this is a guide for cloud service providers (CSPs) who deal with the US government; however, many of the sections will not be of interest to this audience. All of the many references are to government documents. Although the research and professional literature on clouds is abundant, the author seems to know only government sources. This lack of cloud “culture” makes the author confuse standards with mechanisms to comply with these standards. Surprisingly, the extensive list of standards does not include important ones such as open virtualization format (OVF) and OpenStack. The discussion of vulnerability testing does not even mention catalogs such as the Open Web Application Security Project (OWASP) and Common Vulnerabilities and Exposures (CVE). Long lists enumerate standards, defenses, vulnerabilities, and other items. These lists are not based on any conceptual model; related terms are collected together, but no logical or conceptual reason as to why is given.

The book contains several sections about the history of governmental software systems, showing how they led to clouds. Again, I doubt this is interesting to the intended audience. The book also suffers from provincialism: nothing done outside the government matters. Although the National Institute of Standards and Technology (NIST) cloud reference architecture (RA) is discussed, the chapter on security does not relate RA to its topic. Again, security is reduced to a list of recommendations, with no attempt at a conceptual model. NIST published a cloud security reference architecture (SRA) that should be used as a reference for security.

A couple of good chapters on risk management relate risks to the federal enterprise architecture (although not to the NIST SRA). Compliance with regulations, risk management, architecture, and security are treated as disjointed aspects, without any conceptual relationship. There is a good mapping of federal policies to International Organization for Standardization (ISO) standards. The Federal Risk and Authorization Management Program (FedRAMP) cloud security requirements are well described, repeating much of the earlier material, again without a conceptual model.

The book contains an enormous amount of information, a good part of it valuable; regretfully, it is not organized in a conceptually coherent way, which makes using this knowledge much harder than is necessary. The government’s objectives when it comes to the cloud look well planned, but I am afraid that implementing them will be difficult. Some recent breaches indicate that they are still not there [1].

Reviewer: E. B. Fernandez
Review #: CR146166 (1810-0525)

[1] Lord, N. Top 10 biggest government data breaches of all time in the US. Digital Guardian Data Insider blog, https://digitalguardian.com/blog/top-10-biggest-us-government-data-breaches-all-time (accessed 07/19/2018).

Distributed Systems (C.2.4)
Distributed Systems (H.3.4 ...)
Reference (A.2)