In February 2008, I ran into Subra Kumaraswamy, of Sun Microsystems, at the quarterly meeting of the Electronic Crimes Task Force put on by the San Francisco office of the U.S. Secret Service. Subra and I have attended a number of these meetings, and we knew each other from similar, previous professional events. Both of us are information security practitioners, and that is a small world in Silicon Valley, where we both have lived and worked for many years. Subra asked what I was up to, and I told him I was considering writing a book on cloud computing and security.
Even in February 2008, the hype about cloud computing was very evident in Silicon Valley. Similarly, lots of concerns were being voiced about the apparent lack of (information) security provided in cloud computing. As Subra and I discussed, though, at that time no substantive or articulate information was available on this topic—hence my musings about writing a book on the subject. Subra told me that he too was spending time researching cloud computing and had failed to find any substantive or articulate information on the topic. I asked Subra whether he was interested in helping me write such a book, and he responded yes. (Having been through the anguish of writing a book previously, I was looking for some very competent help, and Subra certainly fits that description.) So began our book odyssey.
Originally, our effort was intended to be one chapter in another O’Reilly book on cloud computing. However, after we went substantially over the O’Reilly guideline on length for not just one but two chapters, we pitched the idea of an entire book on cloud security and privacy. O’Reilly accepted our proposal, and what we thought was going to be a 20-page effort became a 200-page effort. That was no small increase in the amount of work we needed to complete—and quickly, if ours was to be one of the first such books to market.
In late 2008, Subra and I started giving a series of presentations to different technically savvy audiences in Silicon Valley outlining our findings on cloud computing and security. We were excited about the reaction we got from these audiences. No one felt we were off the mark technically, and the audiences were hungry for more information and more detail. After one such meeting, a KPMG employee said he wanted to talk with us further about cloud computing and auditing. Still in need of good material for the book, Subra and I readily agreed to a meeting.
Well, the meeting wasn’t quite what we were expecting. We were hoping to get some information from KPMG about concerns and trends around auditing of cloud-based services. Instead, one of the partners, Shahed Latif, asked whether he could join our book effort. Subra and I talked it over and agreed to let him join. We needed good audit information, and Shahed certainly brings credibility to the subject. (In addition to his other extensive audit experience, Shahed is the KPMG partner for providing a number of services for a major cloud service provider that Subra and I were already aware of, given that we had some fairly extensive discussions with senior information security personnel for that same cloud service provider. Additionally, I knew Shahed professionally. I have been on the pointed end of the KPMG audit spear three times in my career: at Apple, VeriSign, and Symantec. In fact, while I was chief information security officer at Symantec, Shahed was the KPMG IT audit partner.) So, Shahed was a known entity to us.
With three authors now, we were off and running to complete the book in a timely manner, and hopefully be first to market.
Anyone interested in cloud computing should read this book. Although it focuses on security, privacy, and auditing of cloud-based services, we did not write it strictly for information security professionals, though we certainly expect that many of them will find it helpful. We wrote this book for technically savvy business personnel who are, or who are considering, using cloud computing and are interested in protecting their information. Data is king, and today the confidentiality, integrity, and availability of data are more important than ever. Therefore, security, privacy, and auditing of cloud-based services should be of interest to our readers.
In this book, we will define cloud computing in a systematic manner and examine security and privacy issues that this new model raises. Here is a short summary of the book’s chapters and what you’ll find inside:
Introduces the concept of cloud computing and the evolution of computing into cloud computing.
Defines cloud computing as having the following five attributes: multitenancy (shared resources), massive scalability, elasticity, pay as you go, and self-provisioning of resources. However, the term cloud computing has multiple definitions, because this is a nascent and rapidly changing arena. For example, a recent study noted more than 22 different definitions of cloud computing. In this chapter, we discuss the largely agreed-upon types of services offered through cloud computing, along with some of the important enabling technologies, such as virtualization.
Describes the IT infrastructure security capabilities that cloud services generally offer. IT infrastructure security refers to the established security capabilities at the network, host, and application levels.
Examines the current state of data security and the storage of data in the cloud, including aspects of confidentiality, integrity, and availability.
Explains the identity and access management (IAM) practice and support capabilities for authentication, authorization, and auditing of users who access cloud services.
Depicts security management frameworks and the standards that are relevant for the cloud.
Introduces privacy aspects to consider within the context of cloud computing, and analyzes the similarities and differences with traditional computing models. Additionally, in this chapter we highlight legal and regulatory implications related to privacy in the cloud.
Reveals the importance of audit and compliance functions within the cloud, and the various standards and frameworks to consider.
Provides information on some examples of cloud service providers (CSPs), including who some of the major CSPs are (in terms of size and influence) and what services they provide.
Looks at a different facet of cloud computing security: security delivered as a service unto itself through the cloud. This security-as-a-[cloud] service (SaaS) is also an emerging space, and in this chapter we look at what some of those cloud security services are.
Looks at the impact of cloud computing on organizational IT departments as they exist today. Although some may feel that cloud computing provides an important complement to IT departments today, the view from IT departments might be that cloud computing replaces much of what IT is responsible for.
Summarizes the concepts presented in the book and provides some thoughts on the future of the cloud.
This book also includes a glossary of terms, as well as three appendixes that discuss relevant audit formats (SAS 70 Type II and SysTrust) and provide one model of the relationships between audit controls relevant to cloud computing.
The following typographical conventions are used in this book:
Indicates new terms, URLs, and email addresses
Used to refer to language and script elements
This icon signifies a tip, suggestion, or general note.
This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.
We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Cloud Security and Privacy, by Tim Mather, Subra Kumaraswamy, and Shahed Latif. Copyright 2009 Tim Mather, Subra Kumaraswamy, and Shahed Latif, 978-0-596-80276-9.”
If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at email@example.com.
Safari Books Online is an on-demand digital library that lets you easily search over 7,500 technology and creative reference books and videos to find the answers you need quickly.
With a subscription, you can read any page and watch any video from our library online. Read books on your cell phone and mobile devices. Access new titles before they are available for print, and get exclusive access to manuscripts in development and post feedback for the authors. Copy and paste code samples, organize your favorites, download chapters, bookmark key sections, create notes, print out pages, and benefit from tons of other time-saving features.
O’Reilly Media has uploaded this book to the Safari Books Online service. To have full digital access to this book and others on similar topics from O’Reilly and other publishers, sign up for free at http://my.safaribooksonline.com.
Please address comments and questions concerning this book to the publisher:
O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:
To comment or ask technical questions about this book, send email to:
For more information about our books, conferences, Resource Centers, and the O’Reilly Network, see our website at:
We want to thank the many people from cloud service providers who took the time to talk with us about security and privacy in the cloud. Even though a significant amount of that material was told to us on a non-attribution basis, it was nevertheless invaluable for us to understand the providers’ perspectives on this topic. We also spoke with several customers of cloud computing services and got some great insights into their real-world concerns and experiences.
In putting this book together, we felt it was important to capture the latest solutions and trends in the market. To this end, we met with a number of companies to understand the current trends. Organizations we talked to included Microsoft, the National Institute of Standards and Technology, Salesforce.com, and Sun Microsystems. With that in mind, we would like to thank the following people who helped us: John Dutra, John Howie, Peter Mell, Izak Mutlu, and Rajen Sheth.
We also owe a big thank you to several people who took the time to review our manuscript and keep us accurate technically, as well as helping us with readability. Thank you specifically to Dan Blum, Robert Fly, Tim Grance, Chris Hoff, Jim Reavis, Laura Robertson, and Rodney Thayer. Although any errors or omissions in the book are strictly our own responsibility, these individuals helped ensure that we made fewer of them.
Several KPMG employees also helped us significantly in our efforts, and we need to recognize them. They did everything from providing content and helping with graphics, to putting together the glossary, coordinating our meetings, and handling a number of other tasks that made our work easier. Thank you very much to Graham Hill, Vijay Jajoo, Mark Lundin, Bob Quicke, Ismail Rahman, Doron Rotman, and Nadeem Siddiqui.
Finally, there is a saying in Silicon Valley about “eating your own dog food.” Marketing personnel generally translate this phrase to “using your own products.” Well, when it came to writing this book, we endeavored to eat our own dog food—that is, we used cloud services wherever possible in this effort. We used cloud-based email, calendaring, and our own cloud-based website for document and graphics management, as well as for coordinating with our editor at O’Reilly (thanks, Mike Loukides!), our reviewers, our contributors, and Lasselle-Ramsay, which helped significantly in making our material presentable.
I would like to thank Diva, Penny, Tiramisu, and Sam for all of their support, and for allowing me to repurpose a huge number of affection hours over the past year to book writing. Thanks to my cats for their support and understanding.
I am fortunate to have the love and support of my family, especially for putting up with me on the many lost weekends over the past year. A big thank you goes to my wife, Preethika, and my two children, Namrata and Nitin. I also owe thanks to my manager, Leslie Lambert (CISO of Sun Microsystems), for her support and encouragement in this endeavor. Also, I appreciate all the gestures from friends and colleagues who volunteered to review my material and spread the word.
Vaquero, Luis M., Luis Rodero-Merino, Juan Caceres, et al. “A Break in the Clouds: Towards a Cloud Definition.” ACM SIGCOMM Computer Communication Review, Volume 39, Issue 1 (January 2009).