Adrian Horodniceanu reviews Ben Halpert’s book: Auditing Cloud Computing: A Security and Privacy Guide.
Cloud computing emerged in the market a couple of years ago and is becoming an important challenge to the standard internal IT and IS departments of medium to large organizations.
The advantages offered by cloud providers in cost, flexibility of resources, and the ability to size a service to actual needs within minutes of a request make them very attractive at first impression, but they carry the potential to become a nightmare for any CISO or CIO.
In this book (Auditing Cloud Computing: A Security and Privacy Guide), Ben Halpert has assembled an impressive group of information security experts, each with long experience defining, evaluating, implementing and auditing information security systems at a wide variety of organizations.
After an initial chapter that gives a rough overview of the technical features of cloud computing, the players in the field and the main products to expect, the following chapters cover the different activities required in such an environment.
The reader finds a detailed explanation of the positions of the players in this field: customer, provider, auditor and regulator. The main service models are also described: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service).
The various chapters cover the actions required to introduce cloud-provided services into an organization's information systems.
As expected, there is no magic recipe: the process involves assessing risks to the availability, security and confidentiality of the systems, as many similar projects require.
The book also raises risks intrinsic to the cloud, such as the lack of direct control over the systems (hardware and software), multi-tenancy (sharing the same resources with other parties), and accessing internal systems over the web with all its hazards. For all of these, the main mitigation tool recommended is the contract with the provider, which should include an initial verification, a detailed SLA and a clear termination process.
In addition, the book presents the legal and regulatory status of the cloud in relation to various requirements such as SOX, ISO 27001, PCI and more, as well as the groups working to build a solid regulatory basis for cloud computing, such as the CSA (Cloud Security Alliance).
To summarize, the book is a good review of the current situation in the field. Every CISO and CIO should be aware of developments in the cloud regardless of any intention of actually adopting it. SaaS services, at least, are increasingly available and attractive to many people. Using them without proper preparation at the organizational level may result in a disaster, or at least a "big headache", for the security and confidentiality of the information.
Auditors and regulators (internal and external) should expect to meet cloud computing in the near future. The book supplies an initial checklist for audits in the cloud environment.
Personally, I recommend this guide to senior managers who want or need to use this type of information tool.
You can buy Auditing Cloud Computing from IT Governance.