- Email: [email protected]
Securing Cloud and Mobility
computers & security xxx (2014) 1
Available online at www.sciencedirect.com
ScienceDirect journal homepage: www.elsevier.com/locate/cose
Book review Securing Cloud and Mobility This book is divided in five parts: Part 1 gives a brief overview on cloud computing, including a very good description of the key characteristics as well as the service and deployment models. It also highlights the changes in resources that are available to the developers of software through the likes of Amazon AWS and comparative offerings. The author also calls to attention the changing needs in regard to security and that “security practitioners have to evolve from a lockdown mindset and embrace a paradigm that enables the business to have agility and ubiquity while maintaining a sound security posture”. The second half of this part gives an introduction to “hacktivists”, organized cyber crime, espionage, hackers for hire and cyberterrorism. The book describes how these entities operate, what their respective lucrative targets are and how to improve security mechanisms to combat them. Part 2 focuses on the capability of cloud computing, the financials, agility, security, licensing and execution, that is to “bridge the current environment with the future state architecture”. The chapter discusses these aspects in great details, what steps are necessary in executing them successfully and also highlights opportunities as well as challenges that can arise. Parts 3 discusses the challenges of securing private clouds. The tasks that need to be considered when securing private clouds include segmentation of resources, both physical and virtual, as well as different models for storage and productionbased segmentation models. This chapter also focuses on orchestration, that is “the automation of network, computation and data layers to form cohesive workflows” with special attention to information security and private cloud computing. Finally the chapter also covers the encryption of various layers and key management as well as threat intelligence (strategies, toolsets) and identity management, that includes threat prevention strategies, available toolkits for private cloud use. Part 4 discusses the challenges of securing public clouds. The potential exposure of public cloud use is given special
attention, including how to deal with sensitive or regulated data, exposure of intellectual data, the lack of user access management, compliance issues and the danger of applications that lack quality or security controls. The second chapter provides an in-depth look at IaaS, PaaS and SaaS data protection and application security and how to assess third-party cloud providers. Part 5 highlights the security issues of mobile computing, including the differences of the Blackberry, Android and iOS platforms as well as how to integrate these mobile environments with existing enterprise infrastructure and how to adapt your infrastructure to service those clients. The last chapter of the book gives a brief overview on how to develop secure mobile applications, how to deal with QA, stakeholders and operations. The book covers a wide range of topics related to cloud and mobile security both from a developer’s perspective and also from a business perspective as well as practical steps on how to deal with specific mobile platforms like Blackberry, Android and iOS. It provides a good insight into architectural and operational challenges with a focus on the enterprise sector. It can be recommended to the seasoned developer as well as software architects and IT managers, who want to get a refresher or an introduction on making businesses cloudready. It may be only of limited use to people who are looking for a truly “hands-on” guide to securing cloud and mobile applications as this book describes the topics at a higher level. Martin Kirchner Edgar Weippl* SBA Research, Favoritenstr. 16, A-1040 Vienna, Austria *Corresponding author. Tel.: þ43 1 5053688 1103. E-mail address: [email protected] (E. Weippl) 0167-4048/$ e see front matter http://dx.doi.org/10.1016/j.cose.2014.02.003
Available online at www.sciencedirect.com
ScienceDirect journal homepage: www.elsevier.com/locate/cose
Book review Securing Cloud and Mobility This book is divided in five parts: Part 1 gives a brief overview on cloud computing, including a very good description of the key characteristics as well as the service and deployment models. It also highlights the changes in resources that are available to the developers of software through the likes of Amazon AWS and comparative offerings. The author also calls to attention the changing needs in regard to security and that “security practitioners have to evolve from a lockdown mindset and embrace a paradigm that enables the business to have agility and ubiquity while maintaining a sound security posture”. The second half of this part gives an introduction to “hacktivists”, organized cyber crime, espionage, hackers for hire and cyberterrorism. The book describes how these entities operate, what their respective lucrative targets are and how to improve security mechanisms to combat them. Part 2 focuses on the capability of cloud computing, the financials, agility, security, licensing and execution, that is to “bridge the current environment with the future state architecture”. The chapter discusses these aspects in great details, what steps are necessary in executing them successfully and also highlights opportunities as well as challenges that can arise. Parts 3 discusses the challenges of securing private clouds. The tasks that need to be considered when securing private clouds include segmentation of resources, both physical and virtual, as well as different models for storage and productionbased segmentation models. This chapter also focuses on orchestration, that is “the automation of network, computation and data layers to form cohesive workflows” with special attention to information security and private cloud computing. Finally the chapter also covers the encryption of various layers and key management as well as threat intelligence (strategies, toolsets) and identity management, that includes threat prevention strategies, available toolkits for private cloud use. Part 4 discusses the challenges of securing public clouds. The potential exposure of public cloud use is given special
attention, including how to deal with sensitive or regulated data, exposure of intellectual data, the lack of user access management, compliance issues and the danger of applications that lack quality or security controls. The second chapter provides an in-depth look at IaaS, PaaS and SaaS data protection and application security and how to assess third-party cloud providers. Part 5 highlights the security issues of mobile computing, including the differences of the Blackberry, Android and iOS platforms as well as how to integrate these mobile environments with existing enterprise infrastructure and how to adapt your infrastructure to service those clients. The last chapter of the book gives a brief overview on how to develop secure mobile applications, how to deal with QA, stakeholders and operations. The book covers a wide range of topics related to cloud and mobile security both from a developer’s perspective and also from a business perspective as well as practical steps on how to deal with specific mobile platforms like Blackberry, Android and iOS. It provides a good insight into architectural and operational challenges with a focus on the enterprise sector. It can be recommended to the seasoned developer as well as software architects and IT managers, who want to get a refresher or an introduction on making businesses cloudready. It may be only of limited use to people who are looking for a truly “hands-on” guide to securing cloud and mobile applications as this book describes the topics at a higher level. Martin Kirchner Edgar Weippl* SBA Research, Favoritenstr. 16, A-1040 Vienna, Austria *Corresponding author. Tel.: þ43 1 5053688 1103. E-mail address: [email protected] (E. Weippl) 0167-4048/$ e see front matter http://dx.doi.org/10.1016/j.cose.2014.02.003