Cloud Security and Privacy: An Enterprise Perspective on... and over 2 million other books are available for Amazon Kindle . Learn more

Buy New

or
Sign in to turn on 1-Click ordering.
Buy Used
Used - Very Good See details
Price: 15.51

or
 
   
Trade in Yours
For a 5.25 Gift Card
Trade in
More Buying Choices
Have one to sell? Sell yours here
Sorry, this item is not available in
Image not available for
Colour:
Image not available

 
Start reading Cloud Security and Privacy on your Kindle in under a minute.

Don't have a Kindle? Get your Kindle here, or download a FREE Kindle Reading App.

Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance [Paperback]

Tim Mather , Subra Kumaraswamy , Shahed Latif
3.7 out of 5 stars  See all reviews (3 customer reviews)
Price: 26.99 & FREE Delivery in the UK. Details
o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o
Only 2 left in stock (more on the way).
Dispatched from and sold by Amazon. Gift-wrap available.
Want it Friday, 25 April? Choose Express delivery at checkout. Details

Formats

Amazon Price New from Used from
Kindle Edition 17.50  
Paperback 26.99  
Trade In this Item for up to 5.25
Trade in Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance for an Amazon.co.uk gift card of up to 5.25, which you can then spend on millions of items across the site. Trade-in values may vary (terms apply). Learn more

Book Description

8 Oct 2009 0596802765 978-0596802769 1

You may regard cloud computing as an ideal way for your company to control IT costs, but do you know how private and secure this service really is? Not many people do. With Cloud Security and Privacy, you'll learn what's at stake when you trust your data to the cloud, and what you can do to keep your virtual infrastructure and web applications secure.

Ideal for IT staffers, information security and privacy practitioners, business managers, service providers, and investors alike, this book offers you sound advice from three well-known authorities in the tech security world. You'll learn detailed information on cloud computing security that-until now-has been sorely lacking.

  • Review the current state of data security and storage in the cloud, including confidentiality, integrity, and availability
  • Learn about the identity and access management (IAM) practice for authentication, authorization, and auditing of the users accessing cloud services
  • Discover which security management frameworks and standards are relevant for the cloud
  • Understand the privacy aspects you need to consider in the cloud, including how they compare with traditional computing models
  • Learn the importance of audit and compliance functions within the cloud, and the various standards and frameworks to consider
  • Examine security delivered as a service-a different facet of cloud security


Frequently Bought Together

Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance + The Lure: The True Story of How the Department of Justice Brought Down Two of The World's Most Dangerous Cyber Criminals
Buy the selected items together


Product details

  • Paperback: 338 pages
  • Publisher: O'Reilly Media; 1 edition (8 Oct 2009)
  • Language: English
  • ISBN-10: 0596802765
  • ISBN-13: 978-0596802769
  • Product Dimensions: 17.8 x 23.1 x 2 cm
  • Average Customer Review: 3.7 out of 5 stars  See all reviews (3 customer reviews)
  • Amazon Bestsellers Rank: 419,582 in Books (See Top 100 in Books)
  • See Complete Table of Contents

More About the Authors

Discover books, learn about writers, and more.

Product Description

Book Description

Enterprise Practices for Risk Management and Compliance

About the Author

Tim Mather is an experienced security professional who is currently pursing a graduate degree in information assurance full-time. He is a frequent speaker and commentator on informa-tion security issues, and serves as an Advisor to several security-related start-ups.

Most recently, he was the Chief Security Strategist for RSA, The Security Division of EMC, responsible for keeping ahead of security industry trends, technology, and threats. Prior to that, he was Vice-President of Technology Strategy in Symantec's Office of the Chief Technology Officer, responsible for coordinating the company's long-term technical and intellectual property strategy. Previously at Symantec, he served for nearly seven years as Chief Information Security Officer (CISO). As CISO, Tim was responsible for development of all information systems security policies, oversight of implementation of all security-related policies and procedures, and all information systems audit-related activities. He also worked closely with internal products groups on security capabilities in Symantec products.

Prior to joining Symantec in September 1999, Tim was the Manager of Security at VeriSign. Additionally, he was formerly Manager of Information Systems Security at Apple Computer. Tim's experience also includes seven years in Washington, D.C. working on secure communications for a classified, national-level command, control, communications, and intelligence (C3I) project, which involved both civilian and military departments and agencies.

Tim is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Manager (CISM). He holds Masters Degrees in National Security Studies from Georgetown University, and International Policy Studies from Monterey Institute of International Studies. Tim holds a Bachelor's Degree in Political Economics from the University of California at Berkeley.

Subra Kumaraswamy has more than 18 years of engineering and management experience in information security, Internet, and e-commerce technologies. He is currently leading an Identity & Access Management program within Sun Microsystems. Subra has held leadership positions at various Internet-based companies, including Netscape, WhoWhere, Lycos, and Knowledge Networks. He was the cofounder of two Internet-based startups, CoolSync and Zingdata. He also worked at Accenture and the University of Notre Dame in security consulting and software engineering roles. In his spare time, Subra researches emerging technologies such as cloud computing to understand the security and privacy implications for users and enterprises. Subra is one of the authors of Cloud Security and Privacy, which addresses issues that affect any organization preparing to use cloud computing as an option. He's a founding member of the Cloud Security Alliance as well as cochair of the Identity & Access Management and Encryption & Key Management workgroups. Subra has a master's degree in computer engineering and is CISSP certified.

Shahed Latif is a partner in KPMG's Advisory practice having extensive IT and business skills. He has over 21 years of experience working with the global fortune 1000 companies focusing on providing business and technology solutions across a variety of areas. Shahed has spent 10 years in the London office working in the financial sector consulting group, Information Risk management group and the assurance practice. He has worked on large global companies giving him the opportunity to have worked in Africa, Asia, and Europe.


Inside This Book (Learn More)
Browse Sample Pages
Front Cover | Copyright | Table of Contents | Excerpt | Index | Back Cover
Search inside this book:


Customer Reviews

3.7 out of 5 stars
3.7 out of 5 stars
Most Helpful Customer Reviews
2.0 out of 5 stars Too out of date to be of any practical use 13 Aug 2013
Format:Paperback|Verified Purchase
While this is a good book for novices, it is impossible to recommend it as it was published in 2009 and there have been no updates since. Therefore, the concepts, technology and approaches to information security have moved on so much that the information here is not relevant anymore. If you are looking for a book on cloud security I would recommend getting something published this year.
Comment | 
Was this review helpful to you?
5.0 out of 5 stars Review 28 Feb 2013
By Scremer
Format:Kindle Edition|Verified Purchase
Very informative and helpful book. From technical view point this is a gold mine of information. This book will take you into deep level of security field. In one word : 5 star.
Comment | 
Was this review helpful to you?
4.0 out of 5 stars Goood 1 Feb 2013
Format:Paperback|Verified Purchase
the book is detailed on cloud security and if you want a better understanding about cloud computing security, this is the book to get.
Comment | 
Was this review helpful to you?
Most Helpful Customer Reviews on Amazon.com (beta)
Amazon.com: 4.5 out of 5 stars  15 reviews
42 of 52 people found the following review helpful
3.0 out of 5 stars Real Bad Beginning - but gets better after chapter 3 9 July 2010
By Walt C. - Published on Amazon.com
Format:Paperback|Verified Purchase
I want to be fair here. I bought this book not to read hype on what looks like an emerging technology, albeit massively overhyped but, rather, to read about legal and business issues that might moderate its acceptance. To be fair, I will return to give my appraisal after I have finished but I was forced to share this so as to, perhaps, give pause to others interested in buying this book. I've seen webinars that refer to cloud computing as 2-10 technology, massively hyped for 2 years and will take the next 10 for the industry to sort out where it fits (and maybe more importantly where it does not.

The first two glaring take-aways I've seen in this book is 1) the mashing of social web to cloud computing, vis-a-vis considering MySpace, FaceBook, and other social web sites as examples of cloud computing, they are not; 2) the notion that end users will be writing their own programs in the clouds vs. the, since the dawn of software development, programmer (or more recently developers) writing the programs, tech writers writing the documentation, marketeers hyping the program and end users buying or using, with embedded ads, the software. Both of these are orthogonal to 'cloud computing'. While it may be someday, in a "Battlestar Gallactica" age end users may speak to their computer in whatever language they speak and tell it what they'd like it to do. For now it takes specialized training and while the computer languages used are different syntactically from those used in the '60s and '70s, fundamentally they are not different at all. Of course someday maybe everyone will be flying their cars to work and to play. On your next flight anywhere, tap the pilot and ask him how much specialized training he's had in order to taxi a plane, much less leave the ground and return it in one piece to where ever they said they would land it.

The authors talk about computing being a utility as electricity providers (or cable providers) yet they also talk about global compute clouds. Are there global utility companies? They talk about replacing NetBeans, Eclipse, Microsoft Visual Studio (IDEs) with some Utopian ephemeral global software development environment where the tools and end products exist virtually in some ether. None of that has to do with IT Governance and Security much less Amazon, Terramark, Eucalyptus, RightScale, or CloudSwitch. Where they have another 10-11 chapters I withhold final judgment but I felt I owed it to others innocently looking for a good source of information, not hand-waving on this subject. Just as with any emerging technology or software development language there are plenty of people that emerge from the woodwork to write a book on it, totally independent of their experience with it. Confusing Cloud Computing and Web 2.0 is not going to garner confidence. If unwary readers do not discover this until after they have purchased the book, it will not make any difference.

As a professional software developer I can tell you provisioning an image for execution in the cloud is more intensive than provisioning a bare metal server. End users are not going to be doing anything more than issuing a run command on a pre-existing image.

Here is my take: Running your business at an undisclosed facility managed by Amazon (or others) is no more cost effective than running your business out of a service center was in the 70's or 80's. If you don't physically control the data, you don't physically control access to it either. Nowadays you are under legal obligation to do so. I spent the money on this book hoping there was more substance to the security, privacy, and governance aspects of cloud computing than I just summarized.

Since one of the authors has decided to launch personal attacks on me, I will continue with my review with Chapter 3. I didn't really pick up on this in chapters 1 and 2 but I am now concerned about who edited this book. Even at the high school level children are taught to never ever cite Wikipedia for their references. I noticed the bulk of the footnotes cited are wikipedia. Since the source of information found on Wikipedia is unknown, its validity is also unknown. The professional standard for citations are peer reviewed sources. By using these there is a level of confidence a claim made, by virtue of it's citation is likely of high quality.

An assertion, I believe, made several times, and characterized on pg 52, "The new mantra of 'the browser is your operating system...browsers have become the ubiquitous operating systems for consuming cloud services". I would call to the reader's attention in any legitimate Computer Science source the definition of an operating system. Internet Explorer is not an example of an operating system. Furthermore, services, clouded or not, where the Internet browser is the user interface (UI or GUI in this case), are but one type of solution space, often characterized as LAMP or Linux, Apache, MySQL, and PHP. This is totally independent of cloud anything. I contend whenever one writes a book (or publishes one) there are two axises of importance, the first being is the material relevant to the topic and is the material factually accurate. While one might chose to host multiple web containers in the 'cloud' to take advantage of the elasticity of the cloud for scaling up and down with volume, another pervasive class of problem that takes place in a cloud-like environment is compute scaling, such as can be seen in grid computing. In this space a problem may arise where 100 or 1000 processors are required to solve a compute intensive problem but only for a few hours. This, as opposed to 24x7x365, is an excellent usage of public cloud (burst mode). To the extent the author is, thus far, focusing on web based interaction with the cloud he calls out but never elaborates on why there is any more vulnerability for a web container hosted at an Amazon secure facility, for instance, than there is within one's own perimeter. The threat vector is port 80 or port 8080. Of course, if there really is one, the obvious solution is to use off port, two phase SSL, where both the client side and server side are digitally authenticated and encrypted and host the open (proxy) website(s) within your perimeter. In either case the DoS attack on port 80 or 8080 is independent of the location of the web container. Isn't that correct Tim?

In chapter 3, pg 52, "Using hijacked or exploited cloud accounts, hackers will be able to link together computing resources to achieve massive amounts of computing without any of the capital infrastructure costs". Really? what about the account owner seeing running instances on their accounts they aren't using? How long does it take for a credit card owner or provider to realize an account is being misused? There is an easier vector for this, they are called bots and have been around for years. One need but Google the program Asphyxia. If you, for any decision, had a choice of hard vs. easy...which do you think a hacker would take?
In chapter 3, the author discusses type 1 and type 2 hypervisors. This is something of an arcane distinction but he refers to Xen as type 1, bare metal. This actually is incorrect as Xen is hosted by an operating system meaning it is not bare metal [...]. The authors spend much time on Xen, which is relevant from the perspective of security attacks against it but in that vein not a single mentioned, that I have found, is made of KVM which is part and parcel of all remotely recent versions of Linux from, I believe 2.6.20 and up. Ubuntu Enterprise Cloud is based on KVM, as is RedHat's virtualization and cloud family. But, this is why they make second editions.

Another assertion the authors make in chapter 3 (pg 59), "Security requirements such as an application firewall, SSL accelerator, cryptography, or rights management... are not supported in a public SaaS, PaaS, or IaaS cloud". Huh???? I refer the reader to Amazon's VPC, Intel's Service Gateway, SELinux, UFW. That is simply a patently false statement. Of course you can host your applications on an instance of an image configured with SELinux in enforce mode, fully firewalled, with no open connections on unsecured ports, and be quite secure. However, if this book was written in 2008 only to be published in early 2009 this may have been a more true statement then. However few people knew what cloud was in early 2009 and the entire field has rapidly evolved since the authors wrote this book. This is why it is necessary for authors, and publishers, to maintain an errata site, perhaps in the cloud, where corrections and retractions to, best case dated, worst case patently false, statements can be made. Intel, by the way, is also producing encrypting NICs (network interface cards).

While I still subscribe to my previous comment about if you don't control your data you don't control who has access to it, I do have an addendum to it. Cloud computing is a rapidly evolving field. A book, written by anyone, 2 years or more ago on cloud computing is, almost by definition, wrong or highly questionable. Technology simply moves faster than publishers generally do. If you have data that you don't want to or, legally, can not share it, in all likelihood, does not belong in a public cloud. If you are risk averse, it does not. If you are risk tolerant then the decision should be dependent on talking to vendors, cloud and operating system (no, not web browsers). What are the cloud vendor's SLA, what is the insurance on data breaches, what is the state of the art vis-a-vis SELinux, encrypting NICs, encrypted databases, the cloud vendor's physical security, software security, etc. Who had physical access to software keys?

We are a long way from the George Jettson world. In our lifetime people won't be flying their cars to work. Provisioning of data centers, provisioning of infrastructure still, as in the case of airline pilots, should be left to trained and technically current professionals who's livelihoods depend on their ability to successfully navigate the issues. If you are somewhat risk tolerant talk to the vendors, they have no problems telling you what their competition can't do, and make your decisions based on the, then, current state of the art. Don't single source anything, seek confirmations on everything.

As I hope we are all telling our children and students, whatever they place on the Internet will be there forever.

Chapter 4 starts to get interesting although I disagree with some of the author's contentions, perhaps due to the temporal decay. In other words, in the non-SaaS world storing information as opaque encrypted blobs is certainly do-able and would be the responsibility of the system designer to, perhaps optionally, persist the data as such and, upon authenticated readers, decrypt it. Consistent with what I've said earlier, if you don't control your data, you don't control who has access to it. What the author contents is that SaaS providers, let's use SalesForce as an example, should do the same with 'your data'. If you don't control the encryption keys used, you can't even control your own access to the data. This is actually part of the value proposition of CloudSwitch. Disclaimer, I have no affiliation with CloudSwitch. I do not even know if they were even a gleam in their founder's eyes when this book was written, so their niche would be clearly out of scope for the authors (temporal decay). However, in today's state of the art, protection zones, if you will, provisioned by SELinux and afforded by KVM provide for security when data, stored externally, in read by your program and decrypted within the protected zone of the process you are running in. One merely needs to Google SELinux to see what it provides for today vs. what it provided for 2-3 years ago.

Chapter 5 is good (happy now Tim?). Technically it is very rich and philosophically, unintentionally, provides good food for thought. Something I flagged at the beginning of this review gnawed at me and chapter 5 (Authentication, Authorization, and Auditing) provided closure on this. I mentioned there seem to be an underlying premise that the 'cloud' should or will evolve into a global entity, pg 33, "For cloud computing to continually evolve into a borderless and global tool..." Why should it? I vaguely recall an episode, I believe, from Star Trek, where there was some impending catastrophe in progress when Spock commanded, as a high priority task, the computer system to solve, to the last digit, the value of pi. Spock then reminds the captain pi is an endless number the computer(s) can not solve. Uhura shortly announces to Spock and the captain that, one by one, all computer resources (cloud compute nodes) were being deployed to solve the command Spock gave it. Is that part of the problem space for cloud computing to solve? Frankly we sort of already have that in the academic world, Google condor grid and University of Wisconsin. Oddly, I proposed the same sort of thing to a friend and VP at a large software company wherein corporate data centers would now have the prospect of 'selling' their unused cpu and disk capacity by merely joining a cloud as a resource provider rather than a resource consumer. To that end the authors are now on a solid path to addressing or, at least, articulating a direction CSPs could take or must take in order to realize that goal of a 'borderless and global tool'. Where this chapter is equally valid is the use case of you (the reader now) is on a trip to some other part of the country and are in an accident. You are brought to the local hospital and the attending doctor must gain access to your medical records. In a HIPAA world what needs to happen, architecturally, for that doctor to ensure your medical privacy, maintain auditability, and gain timely access to your medical history, oh, your own doctor is out of town.

Note to authors, I also upped your score. I anxiously await the next 100 pages and your second edition.
10 of 12 people found the following review helpful
4.0 out of 5 stars Very comprehensive, but a bit dry 19 Feb 2010
By Dr Anton Chuvakin - Published on Amazon.com
Format:Paperback
It goes without saying that I was very excited to pick up the first book on cloud security and privacy. Due to my Cloud Security Alliance (CSA) involvement, I was extremely interested in Tim's take on the subject. The book is indeed a comprehensive treatise on everything cloud, and everything cloud security. The author team covers the topics based on IaaS/PaaS/SaaS (SPI) for infrastructure, platform, and software as a service model. They address stored data confidentiality, cloud provider operations, identity and access management in the cloud, availability management as well as privacy. My favorite chapter was of course the one on audit and compliance - chapter 8. Another fun chapter was chapter 12 on conclusions and the future of the cloud (which is, BTW, all but assured...).

One of the most important things I picked from the book was a very structured view on separation of security responsibilities between the cloud provider and the customer for all of the SPI scenarios. This alone probably justifies getting your own copy.

As far as technical contents, the book stays fairly high-level even though it touches on the details of SAML and other authentication protocols.

The only downside of the book is its extremely dry writing style. There are only a few examples and case studies. Following "just the facts" model sometimes might lead the reader towards losing interest, no matter how important the subject is - and this subject is pretty darn important. To put this in the context, I do read security books for fun, not only for work.
1 of 1 people found the following review helpful
5.0 out of 5 stars Necessary read. 2 April 2013
By Eye2sell2u - Published on Amazon.com
Format:Paperback|Verified Purchase
Users and Managers need to understand the cloud. The cloud is powerful and should be used. But get your heads out of the cloud regarding privacy.
1 of 1 people found the following review helpful
3.0 out of 5 stars Nebulous as a cloud 24 Nov 2012
By Curious - Published on Amazon.com
Format:Paperback|Verified Purchase
The work is okay, but it left me a bit underwhelmed. Metaphorically, it is like a tiny portion of a meal at an expensive dinner. I found that I was still hungry for more information after finishing the reading.
7 of 10 people found the following review helpful
5.0 out of 5 stars THE BLIND MEN AND THE ELEPHANT 10 Nov 2009
By Viken Derderian - Published on Amazon.com
Format:Paperback
My title is no accident, I heard Marry Ann Davidson CSO of Oracle, use it in an RSA conference referring to cloud computing she also spoke about it in ISF Canada 2009. Where the whole subject has been elevated to theological warfare.

To sort the whole subject out and become familiar with the evolution of cloud computing I searched for a book on the subject and found many. To be fair to the rest of the books out there, I only read one of them, yes you guessed it, Cloud Security and Privacy. Being a security person myself the title had the 2 operative words I needed to see Security and Privacy (and yes, I am shallow).

Oh! yes about the book, this is by far the best book I have read for a long time, what impressed me is the way it is written, there are questions in nearly every chapter, as you read the question you realize that you were thinking that exact question, or you would have if you knew what to think. For example "what is cloud computing?" Ok I know that's given but stay with me; now here are some of the rest of the questions, "What Is Privacy?" I think that is one hell of a question and the answers given by the author are not ground breaking, however "What Is the Data Life Cycle?" "What Are the Key Privacy Concerns in the Cloud? ", "Who Is Responsible for Protecting Privacy?" put all these questions and more together and properly answer them all, you end up with a near masterpiece.

By the end of Chapter 3 you are not only familiar with cloud computing but you are now able to speak IAAS, PAAS, SAAS and actually understand the infrastructure security as it relates to IAAS.

I specially liked Chapter 6. Security management in the cloud, a very well written chapter about security management as it relates to the cloud computing, both ITIL and ISO27001 controls are mapped to the cloud.

Chapter Seven which deals with Privacy is one of the most important chapters, Privacy may be the single most important factor in deciding whether one chooses to use the cloud computing or not. The author includes a very reach sampling of many of the laws related to Privacy acts throughout the glob and yet in the beginning of the chapter you'll find the following dilemma " but although it may be possible to transfer liability via contractual agreements, it is never possible to transfer accountability." -Cloud Security and Privacy. I may argue that this chapter should have been the second chapter of the book.

In conclusion:
I could write a book about this book, but that would not be fair to you (as you may have noticed, I do not have the talent). Simply buy the book and read it yourself, it is not that expensive and it certainly looks more intelligent than those other books you have about Hacking something or other.

Best Fishes and thank you for reading.
Vik
Were these reviews helpful?   Let us know
Search Customer Reviews
Only search this product's reviews
ARRAY(0xb0598cd0)

Customer Discussions

This product's forum
Discussion Replies Latest Post
No discussions yet

Ask questions, Share opinions, Gain insight
Start a new discussion
Topic:
First post:
Prompts for sign-in
 

Search Customer Discussions
Search all Amazon discussions
   


Look for similar items by category


Feedback