Cloud Security and Privacy

Author: Tim Mather, Subra Kumaraswamy & Shahed Latif
Publisher: O'Reilly
Pages: 336
ISBN: 978-0596802769
Aimed at: Both managers and developers
Rating: 4
Pros: Tackles a difficult subject
Cons: Impenetrable style and full of acronyms
Reviewed by: Sue Gee

This book tackles an important current problem. Cloud computing is a hot topic and such is its attraction that many companies could be tempted to rely on it without evaluating the real risks.

At the moment stories of breaches of security by well-known cloud facility providers hit the headlines on a regular basis. Some of the items are really the result of journalists in search of a topical story, but it has to be admitted that handing over the security not only of your data but the complete application implementation is worrying as well as being attractive. This leaves you vulnerable in just about every way imaginable. Hence the need for a book that deals with the issues.

This particular book starts out as a manager's overview. It's full of management speak and concerns. Three, four and five-letter acronyms are invented, introduced and used at every possible opportunity – some are generally used and known, many are not. This makes the book harder to read and next to impossible to just dip into.

The book spends many pages on providing the history of cloud computing and classifying the different approaches - and introducing more acronyms. Then we move on to consider security, identity management, security management, privacy (including an overview of the relevant laws both US and international), audit and compliance. The book closes with a look at some real cloud service providers - Amazon, Google, Azure, Proofpoint, RightScale, Salesforce, Sun Open and Workday - and at security as a service, the impact of cloud computing on corporate IT and speculates about the longer term future.

Just when you think that the book is all management speak there are some technical details about IP security, virtual server security, hypervisor security and so on that are something to get you teeth into. There are also quite a few references to security lapses of well known cloud suppliers - most often Google and Amazon. This is of interest to anyone trying to find out what is special about security requirements of the cloud as an environment.

Unfortunately the book does tend to lapse back into lists, checklists and management speak every few pages. For example, at the start of a paragraph on Identity and Access Management - sorry IAM -


This is the  process of on-boarding users to systems and applications... "

and so on.

Overall this is a surprisingly good book tackling a difficult topic but a reader hoping for lots of technical information will have to work hard to find it. It is a shame that books that both IT managers and technical implementers need to read cannot be written in a language that suits both - plain English might be a good choice - but until there is a  good alternative title this is the one you need.

Last Updated ( Sunday, 13 June 2010 )