Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance

Tim Mather, Subra Kumaraswamy, Shahed Latif (2009)
Review date: February, 2011

The first two chapters give an introduction to cloud technology in general. All concepts recurring in the field are touched upon to a certain degree: virtualization, the SPI model (SaaS, PaaS, IaaS), drivers and enablers, and some quality attributes. Chapter three is about infrastructure security, angled towards how it affects the different layers of the SPI stack.

"Data Security and Storage", a short chapter, raises some thoughts about the security of data in transit and at rest, data lineage, and data remanence. Chapter five is about IAM (Identity and Access Management). The chapter provides an overview of general IAM issues, and covers protocols and technologies like SAML, OAuth, and OpenID.

Chapter six, on security management, takes the framework approach. Starting with ITIL and ISO 27001, the chapter moves on to management, monitoring, access controls, and SLAs to some degree. The core of the next chapter, on privacy, is the overview of several pieces of legislation that have an impact on data in the cloud, like HIPAA, the USA PATRIOT Act, and EU Directive 95/46/EC.

The next chapter is sort of similar in nature. Starting with lots of tables related to audit, it ends with various standards that cloud vendors are likely to comply with, like the Sarbanes-Oxley Act (SOX) or PCI DSS. Chapter nine contains examples of cloud providers, chapter ten discusses security-as-a-service, while chapters 11 and 12 are the wrap-up and a look into the crystal ball.


Reading this book from cover to cover is not something I would recommend. Its introductory chapters are really good, but the middle chapters, let's say 5-8, which comprise the bulk of the book, are sort of heavy. I found it difficult to read them just for the sake of reading. They contain many lists and tables, and some quite dry text. On the other hand, if you need to look up what the SysTrust framework is about, or get a summary of SAML or SOX, they are very good. This sort of places the book in the "reference literature" category.

It does contain a lot of information, part of which is outdated by now, but it still gives you a good start in many fields related to cloud technology.

I don't have that much to say about this book. It's not really pleasurable to read, but it contains a lot of information. If you are in a situation where you require this information, the book will do its job.

Who should read this book

If you want to get an overview of the challenges in the field of cloud security, this book should get you started. It covers both "traditional" computer security and some standards and regulations to be aware of.
