Securing the Cloud (book review)

Securing the Cloud: Cloud Computer Security Techniques and Tactics

    With so much buzz around Cloud Computing, books like this one by Winkler are much in demand. Winkler's experience in the computing business shines through, and as readers we are spoiled with a great deal of useful strategic information – a jam-packed, almost 300-page volume on securing the cloud.

    Winkler, presently a senior associate at Booz Allen Hamilton, has more than 30 years of experience serving U.S. Government clients, as Chief Technologist for Security for the Sun Microsystems Public Cloud, and in applications engineering and IT operations and management in a number of organizations. Winkler has numerous technical conference publications and, among his many achievements, was a visiting cyber security expert who authored the Information Security policy for the Government of Malaysia.

    The book begins with a much-needed introduction for those who are new to cloud computing. Winkler describes how the cloud works, the importance of securing the cloud, and its fundamental architecture.

    Chapter 2 goes into greater detail on the cloud reference architecture, introducing cloud service and deployment models and differentiating between public, private, community and hybrid clouds, and the cloud software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) models.

    Commendably, before entering an in-depth discussion on how to architect a secure cloud, Winkler spends chapter 3 discussing security concerns, risk issues, and legal aspects. As a privacy specialist myself, I find it very heartening to see that Winkler addresses those very difficult questions that every client asks about privacy and confidentiality concerns, data ownership and locale concerns, and other aspects like emerging threats, third parties, data privacy and litigation.

    Chapters 4–6 are all about ways in which we can secure the cloud – the underlying architecture, data security, and key strategies and best practices. These chapters are at the heart of the book, as we are taken on a guided tour of standards and policies, honeypots, sandboxes, network and cabling patterns and the like. For the important area of data security within the cloud, we are introduced to the idea of control over data and public cloud economics, ownership and custodianship, data encryption and its limitations, and access control techniques for data categorization. The deletion of data within the cloud is also discussed, something that is becoming vital given the lessons learnt in the social media environment. Key strategies and best practices in securing the cloud are presented in chapter 6 from first principles. NIST definitions are given for security controls, and unclassified and classified models are compared. Security monitoring by the CIA is addressed, and the emphasis is placed on reliable streams of data – a notion introduced as MaaS – Monitoring as a Service.

    Chapters 7 and 8 look at security criteria with respect to building an internal cloud (i.e. a private cloud) versus selecting an external cloud provider. The internal cloud choice is weighed against the security implications of a shared versus a dedicated-resources solution. Criteria for ensuring a secure private cloud include network considerations, data center considerations, operational security considerations, and regulation. For the selection of an external cloud provider, assurance is discussed, including how to independently verify the claims made by a given vendor.

    Chapter 9 is about evaluating your cloud security using an information security framework. Checklists are provided to help cloud personnel evaluate the stealth of their given solution, including a method for placing metrics against the checklists.

    Chapter 10 is about operating a cloud and is very much intended for the manager who is in charge of the business case for a cloud solution. Processes, efficiency and cost are all covered, as are the security operations activities that typically relate to business continuity and recovery.

    As a former pre-sales engineer, what I loved most about this book was the obvious hands-on strategic and technical experience that Winkler brought to every aspect of it. It is really a practitioner's guide to cloud computing security. I appreciated the descriptive figures, the tips, the warnings, the notes, the tools, the stories of failures and successes, but most of all the comprehensive nature of the real-world descriptions.

    Citation: Katina Michael, [Book Review] "Securing the Cloud: Cloud Computer Security Techniques and Tactics" by Vic (J.R.) Winkler, Syngress|Elsevier. Computers & Security, Vol. 31, No. 4, June 2012, Page 633.

The Basics of Information Security (book review)

    Dr Jason Andress (ISSAP, CISSP, GPEN, CEH) has written a timely book on Information Security. Andress, who is a seasoned security professional with experience in both the academic and business worlds, categorically demonstrates through his book that underlying the operation of any successful business today is the protection of its most valuable asset – “information”. Andress completed his doctorate in computer science in the area of data protection, and presently works for a major software company, providing global information security oversight and performing penetration testing and risk assessment.

    In the last 12 months we have all witnessed a variety of large-scale attacks on corporations and public sector agencies by hacking groups like Anonymous, who have used SQL injection, distributed denial of service (DDoS) attacks, advanced persistent threats (APT), and zero-day exploits to penetrate systems. Less visible and quantifiable have been insider attacks, where data leakage has occurred as a result of industrial espionage.

    Mobile computing, social networking, and cloud computing have all acted to heighten information security concerns, prompting chief information officers (CIOs) to reflect on their business practices. Of great significance today within an organizational setting is knowledge of how information is gathered, stored, and accessed at all staffing levels.

    From the outset Andress offers models for discussing security issues, beginning with the confidentiality, integrity, and availability triad known as the CIA triad. After doing so he describes the various types of attacks, including interception, interruption, modification, and fabrication. He also introduces the difference between threats, vulnerabilities, and risk, and discusses approaches to mitigating risks such as physical controls, logical controls, and administrative controls. While this is commonplace in most security fundamentals books, it is helpful to get the brief summary version so succinctly.

    Chapter 1 ends with a discussion of a strategy common to military maneuvers known as “defense in depth”. A range of suggestions is made on how each layer of a defense-in-depth design should be protected. Among these solutions are penetration testing, vulnerability analysis, backup, access control, encryption, content filtering, password hashing, logging, auditing, antivirus, firewalls, intrusion detection and prevention systems, stateful packet inspection, proxies, demilitarized zones and the like. This “defense in depth” approach, with its corresponding solutions, forms the basis for the segmentation of the book at large.

    Chapter 2 introduces the reader to the fundamental concept of identification and describes various ways of authenticating a system user, from multifactor authentication to biometrics and hardware tokens. Chapter 3 describes authorization and access control lists (ACLs), with an emphasis on read, write, and execute permissions. This chapter ends by discussing a variety of access control models, including discretionary access control, mandatory access control, role-based access control and attribute-based access control. Chapter 4 is a brief chapter focusing on auditing and accountability, touching on the themes of non-repudiation, deterrence, intrusion detection and prevention, and the admissibility of records.

    Chapter 5 covers cryptography and the cryptographic tools that are available for protecting data “at rest”, “in motion” and “in use”. The distinction is made in this chapter between protecting the data itself versus protecting the connection. Symmetric and asymmetric keys are described as well as other cryptographic tools such as hash functions, digital signatures, and certificates.

    Chapters 6 and 7 offer some practical insights into operations security and physical security. In these chapters the reader is introduced to the importance of identifying which data in their corporation is of value. The operations security process begins with the identification of critical information, continues with an analysis of threats, vulnerabilities and risks, and ends with the application of countermeasures. The emphasis is on (1) knowing the threats, (2) knowing what is of value to protect, and (3) the knowledge that if something of value is left unprotected, then inevitably it will be taken. Chapter 7, on physical security, is about physical security controls protecting people, data and equipment. It is mainly about infrastructure, the potential for physical threats, and how those threats can be curbed through physical security controls. These controls are divided into three types: deterrent, detective and preventive. The chapter looks comprehensively at how businesses should choose appropriate sites for their particular type of work, people, data and equipment.

    Chapters 8 through 10 address network security, operating system security, and application security. The latter chapter focuses on how attackers might take advantage of highly exposed online applications such as business-to-consumer electronic commerce self-service systems. Software development vulnerabilities, web security, and database security are each described in the final chapter.

    The book includes illustrations and figures demonstrating key information security ideas, alerts to make the reader aware of particular insights, more advanced details for those wishing to do their own research above and beyond the contents of the book, and real-world example summaries pertaining to key terms throughout the book. There is also an accessible bibliography, mainly made up of online resources. The exercises at the end of each chapter also make this a good book for a first-year security college class. It does not, however, include any practical exercises whatsoever, and so hands-on laboratory sessions would need to be developed to give the prospective student some idea of how these information security solutions actually work in practice. All in all, this book is for those new to information security and for those looking to learn the underlying concepts at the heart of information security in organizations. It is not an overly sophisticated book, but it does achieve its purpose.

    Citation: Katina Michael, [Book Review] "The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice" by J. Andress, Syngress Elsevier. Computers & Security, Volume 31, Issue 4, June 2012, Pages 634-635, DOI: