Authors: Raj Samani, Brian Honan, Jim Reavis
The title says it all: this is a book that will tell you what cloud computing is, how best to take advantage of it, and what things you should be careful about when you do it.
About the authors
Raj Samani is the CTO for McAfee EMEA, a Special Advisor to the Europol Cybercrime Centre and the Cloud Security Alliance’s Strategic Advisor for EMEA.
Brian Honan is the CEO of BH Consulting, the founder and head of IRISSCERT. He is a Special Advisor to the Europol Cybercrime Centre, and an adjunct lecturer on Information Security in University College Dublin.
Jim Reavis is the Executive Director of the CSA, and President of Reavis Consulting Group, LLC, where he advises security companies, large enterprises and other organizations on the implications of new trends and how to take advantage of them.
Inside the book
The book starts with a thorough description about what cloud computing is and how it can be used. The authors covered every question you need to ask yourself and every aspect you need to think about if you’re thinking about moving some or all of your assets in the cloud. Chapter 2 will give you a good overview of the various criteria on which to base your choice of cloud service provider, and which questions to ask and online resources to consult before making the choice.
I don’t remember ever reading such a comprehensive and well written explanation on those two topics, and it definitely made me consider things I never thought about before. Later on, you will find out more about certifications and standards for cloud service providers, what they mean and offer.
After the chapters on the threats in the cloud landscape and the threats that mobile access to the cloud makes viable (real-world examples included), the authors shared their cloud computing checklist: identifying information assets, classifying the data, risk management and analysis, security controls depending on the cloud platform of their choice (here you’ll find listed the main reference and guidance documents you should use to implement them), governance and compliance controls, physical security controls, technical controls, and personnel controls. A great chapter that systematically addresses a thousand-and-one things crucial to a successful cloud deployment.
The topic of privacy in the cloud also deserves – and received – an entire chapter, especially with all the recent allegations about government surveillance. Here you’ll find out about privacy level agreements and what they should include.
Chapter 8 is dedicated to the various working groups within the Cloud Security Alliance, and the conclusive results of their research on various cloud computing topics.
The book concludes with advice on how to address security incidents in the cloud when your corporate resources have been transferred to it, a look into the future of cloud computing (more users, more devices connected to the Internet, and more data to be stores, processed and secured) and the security requirements for it, and a short appendix pointing out mitigations for a variety authentication threats.
Given the small number of pages, you would think that the book will be easily digestible – not so. But not because the authors failed at explaining things well, but because they included so many things to know that it’s impossible to breeze through it without stopping after every second or third paragraph and really think about what was written and pointed out.
For the sake of full disclosure, I have to note that both Raj Samani and Brian Honan are regular Help Net Security columnists, but this only made me peruse the book with an extra critical eye (and, naturally, compare their writing with that which they do for us).
I’m glad to say that this book is one of the best ones I’ve ever read about migrating resources to the cloud. With the resources and knowledge of the Cloud Security Alliance as a basis, this should not come as a surprise.