Securing the Cloud (book review)

Securing the Cloud: Cloud Computer Security Techniques and Tactics

    With so much buzz around Cloud Computing, books like this one written by Winkler are much in demand. Winkler's experience in the computing business shines through and as readers we are spoiled with a great deal of useful strategic information – a jam packed almost 300 page volume on securing the cloud.

    Winkler, presently a senior associate at Booz Allen Hamilton has had more than 30 years of experience servicing U.S. Government clients, and as Chief Technologist for Security for the Sun Microsystems Public Cloud, in applications engineering, and IT operations and management in a number of organizations. Winkler has numerous technical conference publications, and among his many achievements, he was a visiting cyber security expert authoring the Information Security policy for the Government of Malaysia.

    The book begins with a well-needed introduction for those who are new to cloud computing. Winkler describes how the cloud works, the importance of securing the cloud, and its fundamental architecture.

    Chapter 2 goes into greater detail on the cloud reference architecture, introducing cloud service and deployment models and differentiating between public, private, community and hybrid clouds, and the cloud software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) models.

    To be commended, before entering an in-depth discussion on how to architecture a secure cloud, Winkler spends chapter 3 discussing security concerns, risk issues, and legal aspects. As a privacy specialist myself, it is very heartening to see that Winkler addresses those very difficult questions that every client asks about privacy and confidentiality concerns, data ownership and locale concerns, and other aspects like emerging threats, third parties, data privacy and litigation.

    Chapters 4–6 are all about ways in which we can secure the cloud – the underlying architecture, data security, and key strategies and best practices. These chapters are at the heart of the book as we are taken on a guided tour about standards and policies, honeypots, sandboxes, network and cabling patterns and the like. For the important area of data security within the cloud we are introduced to the idea of control over data and public cloud economics, ownership and custodianship, data encryption and its limitations, and access control techniques for data categorization. The deletion of data within the cloud is also discussed, something that is becoming vital from the lessons learnt in the social media environment. Key strategies and best practices in securing the cloud are presented in chapter 6 from first principals. NIST definitions are given in security controls and unclassified and classified models are compared. Security monitoring by the CIA is addressed and the emphasis is placed on reliable streams of data – a notion introduced as MaaS – Monitoring as a Service.

    Chapter 7 and 8 look at security criteria with respect to building an internal cloud (i.e. private cloud) versus selecting an external cloud provider. The internal cloud choice is based on the security implications offset between a shared versus dedicated resources solution. Criteria for ensuring a secure private cloud include: network considerations, data center considerations, operational security considerations, and regulation. For the selection of an external cloud provider a discussion is given on assurance and how to verify independently the claims made by a given vendor.

    Chapter 9 is about evaluating your cloud security using an information security framework. Checklists are provided to help cloud personnel evaluate the stealth of their given solution, including a manner for placing metrics against the checklists.

    Chapter 10 is about operating a cloud and is very much intended for the manager who is in charge of the business case toward a cloud solution. Processes, efficiency and cost are all covered aspects as well as security operations activities that typically are related to business continuity and recovery.

    As a former pre-sales engineer, what I loved most about this book was the obvious hands-on strategic and technical experience that Winkler bought to every aspect of it. It is really a practitioner's guide to cloud computing security. I appreciated the descriptive figures, the tips, the warnings, the notes, the tools, the stories of failures and successes but most of all the comprehensive nature of the real world descriptions.

    Citation: Katina Michael, [Book Review] "Securing the Cloud: Cloud Computer Security Techniques and Tactics" by Vic (J.R.) Winkler. Computers & Security,  Vol. 31, No. 4, June 2012, Page 633, Syngress|Elsevier, https://doi.org/10.1016/j.cose.2012.03.006