Domain: cloudsecurityalliance.org
Stories and comments across the archive that link to cloudsecurityalliance.org.
Stories · 4
-
Book Review: Testing Cloud Services: How To Test SaaS, PaaS & IaaS
benrothke writes "David Mitchell Smith wrote in the Gartner report Hype Cycle for Cloud Computing last year that while clearly maturing and beyond the peak of inflated expectations, cloud computing continues to be one of the most hyped subjects in IT. The report is far from perfect, but it is accurate in the sense that while cloud computing is indeed ready for prime time, the hype with it ensures that too many firms will be using it with too much hype, and not enough reality and detailed requirements. While there have been many books written about the various aspects of cloud computing, Testing Cloud Services: How to Test SaaS, PaaS & IaaS is the first that enables the reader to successfully make the transition from hype to actuality from a testing and scalability perspective." Read on for the rest of Ben's review. Testing Cloud Services: How to Test SaaS, PaaS & IaaS author Kees Blokland, Jeroen Mengerink, Martin Pol pages 184 publisher Rocky Nook rating 9/10 reviewer Ben Rothke ISBN 978-1-937538-38-5 summary Brings to light the imperative of testing cloud services before deployment The book is an incredibly effective and valuable guide that details the risks that arise when deploying cloud solutions. More importantly, it provides details on how to test cloud services, to ensure that the proposed cloud service will work as described.
It is a great start to the topic. The 6 chapters detail a paradigm that cloud architects, managers and designers can use to ensure the success of their proposed cloud deployments.
The first two chapters are a very brief introduction to cloud computing. In chapter 3, the authors detail the role of the test manager. They write that the book is meant to give substance to the broadening role of the test manager within cloud computing. They encourage firms to make sure the test manager is involved in all stages of cloud computing; from selection to implementation. In fact, they write that it is only a matter of time until this service will be available in the cloud, in the form of TaaS – Testing as a Service.
Besides the great content, the book is valuable since it has many checklists and questions to ask. One of the reasons cloud hype is so overly pervasive, is that the customers believe what the marketing people say, without asking enough questions. It would have been an added benefit if these questions and checklists would be made available in softcopy to the reader.
In chapter 4, the book details performance risks. As to performance, an important aspect of selecting the correct cloud provider is scalability of the service. This then requires a cloud specific test to determine if the scaling capacity (also known as elasticity) of the provider will work efficiently and effectively in practice.
An extremely important point the authors make is that when choosing a cloud service, many firms don't immediately think of having a test environment, because the supplier will themselves test the service. The absence of a test environment is a serious risk.
About 2/3 of the book is in chapter 5 – Test Measures. The chapter mostly details the test measures for SaaS, but also does address IaaS and PaaS testing. The chapter spends a lot of time on the importance of performance testing.
An important point detailed in the chapter is that of testing elasticity and manual scalability. This is an important topic since testing elasticity is a new aspect of performances testing. The objectives of elasticity tests are to determine if the performance of the service meets the requirements across the load spectrum and if the capacity is able to effective scale. The chapter details various load tests to perform.
In the section on guarantees and SLAs, the authors make numerous excellent points, especially in reference to cloud providers that may guarantee very high availabilities, but often hide behind contract language. They provide a number of good points to consider in regards to continuity guarantees, including determining what is meant exactly by up- and down-time; for example, is regular maintenance considered downtime or not.
Another key topic detailed is testing migration. The authors write that when an organization is going to use a service for an existing business process, a migration process is necessary. This includes the processes of going into the cloud, and backing the service out of the cloud.
With all of the good aspects to this book, a significant deficiency in it is that it lacks any mention of specific software testing tools to use. Many times the authors write that "there are many tools, both open source and commercial, that can" but fail to name a single tool. The reader is left gasping at a straw knowing of the need to perform tests, but clueless as to what the best tools to use are. Given the authors expertise in the topic, that lacking is significant.
The only other lacking in the book is in section 5.3 on testing security, the authors fail to mention any of the valuable resources on the topic from the Cloud Security Alliance. Specifically the Cloud Controls Matrix (CCM) and Consensus Assessments Initiative (CAI) questionnaire.
With that, Testing Cloud Services: How to Test SaaS, PaaS & IaaS should be on the required reading list of everyone tasked with cloud computing. This is the first book to deal with the critical aspect of testing as it related to cloud computing. The ease of moving to the cloud obscures the hard reality of making a cloud solution work. This book details the hard, cold realities of turning the potential of cloud computing, in the reality of a working solution.
Had the designers of the Obamacare website taken into consideration the key elements of this book, it is certain that the debacle that ensued would have been minimize and the administration would not have had to send out a cry for help. The Obamacare website will turn into the poster child of how to not to create a cloud solution. Had they read Testing Cloud Services: How to Test SaaS, PaaS & IaaS, things would have been vastly different.
Reviewed by Ben Rothke.
You can purchase Testing Cloud Services: How to Test SaaS, PaaS & IaaS from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. -
Book Review: Testing Cloud Services: How To Test SaaS, PaaS & IaaS
benrothke writes "David Mitchell Smith wrote in the Gartner report Hype Cycle for Cloud Computing last year that while clearly maturing and beyond the peak of inflated expectations, cloud computing continues to be one of the most hyped subjects in IT. The report is far from perfect, but it is accurate in the sense that while cloud computing is indeed ready for prime time, the hype with it ensures that too many firms will be using it with too much hype, and not enough reality and detailed requirements. While there have been many books written about the various aspects of cloud computing, Testing Cloud Services: How to Test SaaS, PaaS & IaaS is the first that enables the reader to successfully make the transition from hype to actuality from a testing and scalability perspective." Read on for the rest of Ben's review. Testing Cloud Services: How to Test SaaS, PaaS & IaaS author Kees Blokland, Jeroen Mengerink, Martin Pol pages 184 publisher Rocky Nook rating 9/10 reviewer Ben Rothke ISBN 978-1-937538-38-5 summary Brings to light the imperative of testing cloud services before deployment The book is an incredibly effective and valuable guide that details the risks that arise when deploying cloud solutions. More importantly, it provides details on how to test cloud services, to ensure that the proposed cloud service will work as described.
It is a great start to the topic. The 6 chapters detail a paradigm that cloud architects, managers and designers can use to ensure the success of their proposed cloud deployments.
The first two chapters are a very brief introduction to cloud computing. In chapter 3, the authors detail the role of the test manager. They write that the book is meant to give substance to the broadening role of the test manager within cloud computing. They encourage firms to make sure the test manager is involved in all stages of cloud computing; from selection to implementation. In fact, they write that it is only a matter of time until this service will be available in the cloud, in the form of TaaS – Testing as a Service.
Besides the great content, the book is valuable since it has many checklists and questions to ask. One of the reasons cloud hype is so overly pervasive, is that the customers believe what the marketing people say, without asking enough questions. It would have been an added benefit if these questions and checklists would be made available in softcopy to the reader.
In chapter 4, the book details performance risks. As to performance, an important aspect of selecting the correct cloud provider is scalability of the service. This then requires a cloud specific test to determine if the scaling capacity (also known as elasticity) of the provider will work efficiently and effectively in practice.
An extremely important point the authors make is that when choosing a cloud service, many firms don't immediately think of having a test environment, because the supplier will themselves test the service. The absence of a test environment is a serious risk.
About 2/3 of the book is in chapter 5 – Test Measures. The chapter mostly details the test measures for SaaS, but also does address IaaS and PaaS testing. The chapter spends a lot of time on the importance of performance testing.
An important point detailed in the chapter is that of testing elasticity and manual scalability. This is an important topic since testing elasticity is a new aspect of performances testing. The objectives of elasticity tests are to determine if the performance of the service meets the requirements across the load spectrum and if the capacity is able to effective scale. The chapter details various load tests to perform.
In the section on guarantees and SLAs, the authors make numerous excellent points, especially in reference to cloud providers that may guarantee very high availabilities, but often hide behind contract language. They provide a number of good points to consider in regards to continuity guarantees, including determining what is meant exactly by up- and down-time; for example, is regular maintenance considered downtime or not.
Another key topic detailed is testing migration. The authors write that when an organization is going to use a service for an existing business process, a migration process is necessary. This includes the processes of going into the cloud, and backing the service out of the cloud.
With all of the good aspects to this book, a significant deficiency in it is that it lacks any mention of specific software testing tools to use. Many times the authors write that "there are many tools, both open source and commercial, that can" but fail to name a single tool. The reader is left gasping at a straw knowing of the need to perform tests, but clueless as to what the best tools to use are. Given the authors expertise in the topic, that lacking is significant.
The only other lacking in the book is in section 5.3 on testing security, the authors fail to mention any of the valuable resources on the topic from the Cloud Security Alliance. Specifically the Cloud Controls Matrix (CCM) and Consensus Assessments Initiative (CAI) questionnaire.
With that, Testing Cloud Services: How to Test SaaS, PaaS & IaaS should be on the required reading list of everyone tasked with cloud computing. This is the first book to deal with the critical aspect of testing as it related to cloud computing. The ease of moving to the cloud obscures the hard reality of making a cloud solution work. This book details the hard, cold realities of turning the potential of cloud computing, in the reality of a working solution.
Had the designers of the Obamacare website taken into consideration the key elements of this book, it is certain that the debacle that ensued would have been minimize and the administration would not have had to send out a cry for help. The Obamacare website will turn into the poster child of how to not to create a cloud solution. Had they read Testing Cloud Services: How to Test SaaS, PaaS & IaaS, things would have been vastly different.
Reviewed by Ben Rothke.
You can purchase Testing Cloud Services: How to Test SaaS, PaaS & IaaS from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. -
Book Review: Testing Cloud Services: How To Test SaaS, PaaS & IaaS
benrothke writes "David Mitchell Smith wrote in the Gartner report Hype Cycle for Cloud Computing last year that while clearly maturing and beyond the peak of inflated expectations, cloud computing continues to be one of the most hyped subjects in IT. The report is far from perfect, but it is accurate in the sense that while cloud computing is indeed ready for prime time, the hype with it ensures that too many firms will be using it with too much hype, and not enough reality and detailed requirements. While there have been many books written about the various aspects of cloud computing, Testing Cloud Services: How to Test SaaS, PaaS & IaaS is the first that enables the reader to successfully make the transition from hype to actuality from a testing and scalability perspective." Read on for the rest of Ben's review. Testing Cloud Services: How to Test SaaS, PaaS & IaaS author Kees Blokland, Jeroen Mengerink, Martin Pol pages 184 publisher Rocky Nook rating 9/10 reviewer Ben Rothke ISBN 978-1-937538-38-5 summary Brings to light the imperative of testing cloud services before deployment The book is an incredibly effective and valuable guide that details the risks that arise when deploying cloud solutions. More importantly, it provides details on how to test cloud services, to ensure that the proposed cloud service will work as described.
It is a great start to the topic. The 6 chapters detail a paradigm that cloud architects, managers and designers can use to ensure the success of their proposed cloud deployments.
The first two chapters are a very brief introduction to cloud computing. In chapter 3, the authors detail the role of the test manager. They write that the book is meant to give substance to the broadening role of the test manager within cloud computing. They encourage firms to make sure the test manager is involved in all stages of cloud computing; from selection to implementation. In fact, they write that it is only a matter of time until this service will be available in the cloud, in the form of TaaS – Testing as a Service.
Besides the great content, the book is valuable since it has many checklists and questions to ask. One of the reasons cloud hype is so overly pervasive, is that the customers believe what the marketing people say, without asking enough questions. It would have been an added benefit if these questions and checklists would be made available in softcopy to the reader.
In chapter 4, the book details performance risks. As to performance, an important aspect of selecting the correct cloud provider is scalability of the service. This then requires a cloud specific test to determine if the scaling capacity (also known as elasticity) of the provider will work efficiently and effectively in practice.
An extremely important point the authors make is that when choosing a cloud service, many firms don't immediately think of having a test environment, because the supplier will themselves test the service. The absence of a test environment is a serious risk.
About 2/3 of the book is in chapter 5 – Test Measures. The chapter mostly details the test measures for SaaS, but also does address IaaS and PaaS testing. The chapter spends a lot of time on the importance of performance testing.
An important point detailed in the chapter is that of testing elasticity and manual scalability. This is an important topic since testing elasticity is a new aspect of performances testing. The objectives of elasticity tests are to determine if the performance of the service meets the requirements across the load spectrum and if the capacity is able to effective scale. The chapter details various load tests to perform.
In the section on guarantees and SLAs, the authors make numerous excellent points, especially in reference to cloud providers that may guarantee very high availabilities, but often hide behind contract language. They provide a number of good points to consider in regards to continuity guarantees, including determining what is meant exactly by up- and down-time; for example, is regular maintenance considered downtime or not.
Another key topic detailed is testing migration. The authors write that when an organization is going to use a service for an existing business process, a migration process is necessary. This includes the processes of going into the cloud, and backing the service out of the cloud.
With all of the good aspects to this book, a significant deficiency in it is that it lacks any mention of specific software testing tools to use. Many times the authors write that "there are many tools, both open source and commercial, that can" but fail to name a single tool. The reader is left gasping at a straw knowing of the need to perform tests, but clueless as to what the best tools to use are. Given the authors expertise in the topic, that lacking is significant.
The only other lacking in the book is in section 5.3 on testing security, the authors fail to mention any of the valuable resources on the topic from the Cloud Security Alliance. Specifically the Cloud Controls Matrix (CCM) and Consensus Assessments Initiative (CAI) questionnaire.
With that, Testing Cloud Services: How to Test SaaS, PaaS & IaaS should be on the required reading list of everyone tasked with cloud computing. This is the first book to deal with the critical aspect of testing as it related to cloud computing. The ease of moving to the cloud obscures the hard reality of making a cloud solution work. This book details the hard, cold realities of turning the potential of cloud computing, in the reality of a working solution.
Had the designers of the Obamacare website taken into consideration the key elements of this book, it is certain that the debacle that ensued would have been minimize and the administration would not have had to send out a cry for help. The Obamacare website will turn into the poster child of how to not to create a cloud solution. Had they read Testing Cloud Services: How to Test SaaS, PaaS & IaaS, things would have been vastly different.
Reviewed by Ben Rothke.
You can purchase Testing Cloud Services: How to Test SaaS, PaaS & IaaS from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. -
Book Review: Locked Down: Information Security For Lawyers
benrothke writes "Had Locked Down: Information Security for Lawyers not been published by the American Bar Association (ABA) and 2 of its 3 authors not been attorneys; one would have thought the book is a reproach against attorneys for their obliviousness towards information security and privacy. In numerous places, the book notes that lawyers are often clueless when it comes to digital security. With that, the book is a long-overdue and valuable information security reference for anyone, not just lawyers." Read below for the rest of Ben's review. Locked Down: Information Security for Lawyers author Sharon Nelson, David Ries, John Simek pages 319 publisher American Bar Association rating 9/10 reviewer Ben Rothke ISBN 978-1614383642 summary Required reading for all lawyers Such a title is needed as the legal field has embraced digital technology. Wireless (often insecure) networks are pervasive in corporate offices throughout legal America.
The underlying problem is that while attorneys often know the intricacies of tort law, court proceedings and the like; they are utterly unaware of the information security and privacy risks surrounding the very technologies they are using. In many firms, the lawyers think that someone is protecting their data, but don't understand their requirements around those areas of data protection.
Legal IT systems are a treasure trove of personal data. Many small law firms are extremely attractive to identity thieves gives their systems have significant amount of personal information via social security numbers, credit card information, birth dates, financial information and much more. Small law firms are notorious for weak information security controls and attackers will scan those systems and networks for vulnerabilities.
A pervasive aspect of the book is ABA rule 1.6 regarding the confidentiality of information regarding client-lawyer relationships. The rule requires that a lawyer not reveal information relating to the representation of a client unless the client gives informed consent. The lawyer though can reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary. The myriad details of 1.6 can be left to the bar association to enforce, suffice to say that a lawyer can find themselves on the wrong side of the law if they are not careful with information security controls.
The authors note that although lawyers are all well aware of rule 1.6, the challenge is how to keep client data secure in the digital age. In a world of paper, things were much easier and cheaper This is why the authors note that so many otherwise competent layers fails so miserably in reference to their duty to maintain the confidentiality of digital client data.
The book quotes an ABA 2011 technology survey in which 21% of large law firms reported that their firm had experiences some sort of security breach, and 15% of all firms reported that they suffered a security breach. It is figures like those which show that attorneys really need to read this book and take the information to heart.
The books 17 chapters are in a readable 150 pages, with an additional 120 pages of appendices. Written in an easily understandable style and non-technical for the technologically challenge lawyer.
When it comes to the security of client data, in chapter 4 the authors write that encryption is a topic that most attorneys don't want to touch with a ten-foot pole. But it has reached a point where attorneys must understand how and when encryption should be used. Just as important, they need to know about key managements, and what good encryption is. The chapter provides a high-level detail on what needs to be done regarding encryption.
Chapter 13 is on secure disposal, is an important topic to everyone, and not just lawyers. Digital media needs to be effectively disposed of; and for many lawyers, they often think that means reformatting a hard drive or simply erasing files. The chapter effectively details the issues and offers numerous valuable hardware and software-based solutions.
Chapter 14 on outsourcing and cloud computing is an area where too many attorneys are oblivious to of the security and privacy risks. For example, the authors advise attorneys against the use of the free Gmail service since the terms of service allow Google to do anything it wants with the data. That opens a Pandora's Box when it comes to securing client data. The authors advise to use premium Google business versions, so attorneys can stay in control of their data with added security and privacy features.
Two omissions in chapters 13 and 14 are that the authors don't reference NAID (National Association for Information Destruction) or the CSA (Cloud Security Alliance (CSA).
Firms that outsource their digital disposal to non-NAID certified firms run the risk of having a glorified recycler do their work. As to NAID, it is an international trade association for companies providing information destruction services. NAIDs mission is to promote the information destruction industry and the standards and ethics of its member companies; while the mission of the CSA is to promote the use of best practices for providing security assurance within cloud computing and to provide education on the uses of cloud computing to help secure all other forms of computing.
The authors include many real-world stories and case law to reinforce their point.
The book closes with a number of appendices on various rules from the FTC, state information protection regulations, the SANS Institute glossary of security terms and more.
For the lawyer looking for an easy to read introduction to nearly everything they need to know about information security and privacy, the book is a great resource.
The book closes with the note that since lawyers have an ethical duty to protect their client's data, they have no choice but to keep themselves as well educated as possible.
For the attorney that wants to ensure their requirements remain current and are looking for an easy to read introduction about information security and privacy Locked Down: Information Security for Lawyers should be considered required reading.
Reviewed by Ben Rothke.
You can purchase Locked Down: Information Security for Lawyers from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.