Cybersecurity Canon Book Review: “Cloud Computing with Security – Concepts and Practices” (2019) by Naresh Kumar Sehgal, Pramod Chandra P. Bhatt, John M. Acken, book reviewed by Alpha B. Barry
I do not recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.
Throughout my career, I learned the hard way that cybersecurity starts with setting up IT infrastructure along state-of-the-art architecture patterns that maximize technical security. While this cannot prevent successful cyberattacks, it makes the attacker’s life harder, and gives cybersecurity teams a better chance to detect intrusions, before real harm is done. It also increases the chance that attackers with medium or lower skills will turn their attention elsewhere. Thus, I am always keen to read and recommend books that can increase my knowledge on technical cybersecurity, and security architecture.
Colleagues entering this field sometimes ask me for suggestions on what they should read to build up knowledge in technical cybersecurity. I always struggle to answer this question, since the list of suitable introductory books on technical cybersecurity is quite small. What do I mean by “suitable” in this case?
- An introduction to technical cybersecurity should be suitable for readers from any profession. Thus, the authors must have assumed that the reader has no prior knowledge of technical cybersecurity and does not have an academic background in technology.
- An introduction to technical cybersecurity should be relevant to readers with a professional interest, e.g., an IT manager or executive, or even a business leader. Thus, the author should link technical cybersecurity to business goals relevant for this audience, such as continuity of business, or risk minimization.
- An introduction to technical cybersecurity should be “stand alone”, in the sense that the reader should be able to grasp the content without a need to study secondary literature.
When looking around for books fulfilling these criteria, I came across the 2nd edition of “Cloud Computing with Security”, by N.K. Sehgal, P.C.P. Bhatt, and J.M. Acken. I decided to review it, even though the book is a university textbook, since the authors aimed to make it relevant to IT managers and SW developers, as well as university students. Thus, I considered it a potential candidate for my list of introductory books on technical cybersecurity.
“Cloud Computing with Security” provides a very broad perspective on the topic, starting with a general introduction to the evolution of cloud computing over time, basic cloud computing concepts and cloud features, and cloud management (Chapters 1-6). An introduction to information security and information security issues in the cloud is given in Chapter 7. Practical issues of working with cloud environments, such as migrating to the cloud, and cost and billing, are covered in Chapters 8-10.
Chapter 11 introduces more advanced security considerations for cloud environments, such as security issues prevalent in Edge Computing and IoT environments. Chapter 12 covers Big Data and analytics functionality in public cloud environments, and Chapter 13 gives an outlook on future trends in cloud computing, and emerging security issues. The remainder of the book (Chapters 14 and 15) is aimed towards university students and contains tests and suggestions for cloud computing projects.
The authors clearly met their target to cover the topic of cloud computing and security end-to-end. Few topics come to mind that have not been at least mentioned in general or outlined on a high level. The breadth of topics is a clear strength of the book, but it lays the foundation for a certain weakness as well, since it is not possible to cover all these topics in detail in a 250-page book. When coming across an interesting topic, it is often necessary to resort to secondary literature to study that topic in detail.
A good example is the introduction of security scenarios in Chapter 7.7. This chapter introduces a concept to describe security scenarios through interaction of nicknamed participants with pre-defined roles. The same concept is used throughout the book to describe various security scenarios, e.g. in Chapters 7.8, 7.11, and 11.1. The concept is introduced very briefly, so that a reader already familiar with it can easily recognize and remember it, but a reader without prior familiarity with the concept will have a hard time grasping it, and will probably have to resort to secondary literature. This is suitable for an academic reader but might be tedious for an IT professional with limited time to review a subject.
The depth of coverage varies greatly between topics, and it is sometimes difficult to understand why the authors chose to cover certain topics in detail. For example, the book spends several pages on the problem of authenticating users based on speaker voice (Chapter 11.6), which I would not consider very relevant, given the inherent security issues of such an authentication method. The introduction of authentication as a general concept (Chapter 7.4) is significantly shorter. The relevance of identifying and authenticating a user by his voice is thus greatly exaggerated, and other, technically more mature methods of biometric authentication are not mentioned at all.
As mentioned before, the book introduces a wealth of cloud computing concepts, and security issues for consideration when using cloud, especially public cloud. However, it often does not offer solutions to the security issues introduced. Here, again, an academic reader can be expected to discover such solutions through further study of secondary literature, but professionals gain little practical help with the technical security issues they face in their day-to-day work from reading this book.
As much as I would like to recommend “Cloud Computing with Security” as an introduction to technical cybersecurity in the cloud to IT professionals, I must admit that the book is unfortunately not suitable for such an audience. It does not fulfill several of the criteria outlined above. While the book is fully suitable for a reader without prior knowledge of cybersecurity and/or technology, most content has no immediate relevance for a professional reader. The book can hardly be read “stand alone”, and readers will have to rely heavily on secondary literature.
I do not wish to judge the book unfairly. It has been written with an academic audience in mind and is valuable in that context. It is a good starting point for university students beginning their education in cloud computing and the associated cybersecurity issues who seek a general introduction.