.

Single Sign On for Cloud Services

2011-02-19T18:52:00.000-05:00

RSA (the security division of EMC) is looking to launch two new services in the second half of this year: an Identity service and a Compliance service.

The Identity service is SSO for cloud services, using RSA SecurID technology.

The Compliance Profiling Service will allow businesses to determine conformance on best practices, as defined by the Cloud Security Alliance.

Google vs JCPenny on search

2011-02-13T13:51:00.000-05:00

JCPenney gamed Google's search engine for months. Google has now taken "corrective action". The NYTimes has an extensive article on the matter.

Two Factor authentication comes to Google

2011-02-13T13:39:00.001-05:00

Familiar with two-factor authentication, whereby a PIN is generated and sent to a mobile device? It's been used in enterprise for some time, but is now becoming popular in the consumer market. Google is now offering two-factor authentication. One quirk: you need unique per-application passwords, which could lead to users writing down passwords. Techcrunch has the story

eBay to open source some SOA technology

2011-02-05T18:38:00.000-05:00

eBay is now open sourcing Tumeric, a policy-driven SOA platform where you can develop and deploy SOA services. Tumeric is Java based, standards based (WSDL, SOAP, XML, JSON, XACML, REST), and supports a variety of protocols and data formats. Eclipse plugins will help with the development of service providers and consumers.

Security services and a monitoring console with policy administration will be included.

There are no dependencies on internal eBay applications.

Using EC2 to hack WPA-PSK

2011-01-16T17:33:00.002-05:00

I've previously blogged that the cloud is great for hackers. Computing power cheaper and more available than ever before. And now German security researcher Thomas Roth has used EC2 to hack WPA-PSK, running through 400,000 possible passwords per second (almost assuredly using GPUs). These machines would typically cost tens of thousands of US dollars. Or pay about 30 cents/minute with Amazon. The full article: Cloud computing used to hack wireless networks

Treasury Dept moves to AWS

2011-01-16T17:19:00.000-05:00

The Treasure Department is moving 4 existing site to Amazon Web Services. Moving to AWS: Treasury.gov, SIGTARP.gov, MyMoney.gov, and TIGTA.gov. Congrats to Smartronix who was awarded the contract.

Physical security of your cloud

2010-12-05T14:14:00.002-05:00

We often focus on the technological security issues of cloud computing. We should also be thinking about physical security. I've set foot in many datacenters, some of which featured impressive physical security measures (armed guards, series of entry barriers, etc). Others have been lacking in comparison.

Too often, companies fail to do their due diligence on physical security when choosing a cloud provider. Some questions to ask: does your provider have 24/7 armed security (and how many guards), access control systems/procedures, number of independent power sources, fire supression systems, etc.

To illustrate, the Bahnhof Bunker takes physical security to another level.

Clouds and politics don't mix

2010-12-05T13:22:00.002-05:00

It happened sooner than I thought. A cloud provider caught in an unwinable situation. Amazon this week hosted, and then unhosted, Wikileaks. On a technical level, experts questions whether AWS could handle distributed denial of service attacks. Social media users shared the "close your Amazon account" link -- Amazon lost customers and its good image to a portion of their customers. Many who support Amazon are still wary of the government pressure to remove.

You can envision other scenarios...hackers using cloud computing power to hack passwords or servers, to power DOS attacks, to power sites some find offensive. Wikileaks forces cloud providers to confront a host of unwanted legal, political and media issues.

The removal of Wikileaks from AWS had little effect, the site is mirrored on dozens of site, and Wikileaks is successfully using Twitter to broadcast its message along with links to such mirrors. If anything, we saw the Barbara Streisand effect yet again.

Twitstant solves short URL problem

2010-11-28T16:58:00.001-05:00

Twitter instant search site Twitstant has solved the frustrating problem of short urls (ie, where is this link taking me?) When you hover over any short url on Twitstant, a lightbox appears with both the expanded URL and a screen shot preview of the site. Simple but innovative.

Medicare to the cloud

2010-11-28T16:48:00.001-05:00

Centers for Medicare & Medicaid Services (CMS) is migrating to the cloud in a 78-month deal with CSC valued at $230 MIL. There is a 6 month initial period, followed by 6 one year options. The one year options is typical of government contracts. CSC had previously announced partnerships with Google and Amazon to provide cloud-based services to clients. A larger number of cloud deals is already replacing yesterday's mega-deals.

USG Taking "Cloud First" approach to IT

2010-11-28T16:39:00.001-05:00

The US Government is requiring a Cloud First approach to IT as part of the 2012 budget process. Jeffrey Zients, chief performance officer at the Office of Management and Budget, discusses "a new strategy to fundamentally change how the federal government purchases and uses IT". Cost is a motivating factor in the decision, but cloud computing does not always result in cost savings. Many cloud computing projects, in fact, have been a money sink.

AWS offering GPU on the cloud

2010-11-20T17:11:00.001-05:00

Amazon has added a new Cluster GPU instance to its Elastic Compute Cloud (EC2) platform, which provides scalable computing capacity in the cloud.

The GPU Quadruple Extra Large Instance has a pair of Nvidia Tesla M2050 Fermi GPUs, each of which has 448 cores and 3 GB of RAM. You can use up to 8 GPUs in a cluster (need to ask Amazon if you want more).

This computing power does not come cheap: $2.10/hour or .75/hour if you pay an upfront fee of $5k/year.

Cloud computing helping password hackers

2010-11-20T16:56:00.000-05:00

Security remains one of the top issues facing companies using or providing cloud computing. Here's one use you might not have thought of: using cloud computing resources to speed password hacking. TechWorld writes about this very subject. The article does not cover legal issues surrounding. If a site is hacked using computer resources from AWS, for example, would AWS have any legal exposure? Attorneys, please weigh in!

Amazon Web Service Free Tier

2010-10-23T18:15:00.008-04:00

Amazon has finally added a free service tier to compete with Google's App Engine. Beginning November 1st, Amazon users can run a free EC2 Micro Instance usage for a year. The free tier, however, is on underpowered machines: 750 hours/month on 613 MB memory, 32-bit and 64-bit platform support. The free quota limits are good:

10 GB of Amazon Elastic Block Storage, plus 1 million I/Os, 1 GB of snapshot storage, 10,000 snapshot Get Requests and 1,000 snapshot Put Requests

5 GB of Amazon S3 storage, 20,000 Get Requests, and 2,000 Put Requests

30 GB per of internet data transfer (15 GB of data transfer “in” and 15 GB of data transfer “out” across all services except Amazon CloudFront)

It's enough to run your mashup for a year for free. But after one year, you pay Amazon's normal rates. With GAE now supporting SQL (in the past, folks have complained about a 'lock-in' factor with BigTable), we see no reason to use the Amazon Free tier. Google's free limits are generous, and they don't expire after a year. Here is an outside look at Amazon vs GAE.

Twitstant - Search Twitter instantly

2010-10-23T17:58:00.000-04:00

Google's Instant search has been wildly popular - resulting in a rush to "instantize" other sites. My favorite: Twitter instant search by Twitstant Twitstant uses the popular JQuery framework and Twitter's RESTful API to create a simple, yet brilliant instant search capability. With focus set on the search box and no "search" button, you simply cannot search Twitter faster.

Cloud Computing Deep Dive Report

2010-09-19T15:44:00.000-04:00

Cloud computing is transforming data centers. I highly recommend the Cloud Computing Deep Dive report The 21 page report from InfoWorld discusses how critical resources are sourced and deployed. Security and governance models change. Power and management requirements are altered. If you are transforming your business' data center into the private cloud model, this report is a good starting point.

Mule 3 - Cloud Connect

2010-09-19T15:33:00.000-04:00

Mule 3 is out and they have jumped on the cloud computing bandwagon.

The Mule Cloud Connect supports Amazon AWS, Salesforce, and Facebook. Mule 3 supports for JSON data bindings and mapping, JAX-RS, and OAuth in its core functionality. More interestingly, Mule 3 will allow subscriptions to ESB events directly, although most security infrastructures will not allow JQuery to subscribe directly to ESB events.

A big focus on Mule 3 has been ease of use, meaning less cost for businesses in terms of development time, deployment, and maintenance.

AWS $500 MIL revenue 2010, 2.5 BIL by 2014

2010-08-08T15:51:00.000-04:00

Amazon hosts 6 to 8 of top 10 games on Facebook, including FarmVille. That helped AWS generate $500 MIL in revenue for 2010. Amazon's growth has had some bumps, with users occasionally unable to login to FarmVille. Even so, AWS will see huge growth according to UBS analysts Brian Pitz and Brian Fitzgerald. Their estimates: $750 MIL in 2011, $2.5 BIL in 2014.

Google, MSFT spin Cloud security to Feds

2010-07-05T10:58:00.001-04:00

How good is security on the cloud? It's as good as your cloud provider. It's a lesson for Mike Bradshaw, director of Google's federal government group. He recently testified "The cloud enhances security by enabling data to be stored centrally with continuous and automated network analysis and protection." True, but what if Google makes those private documents on the cloud public? Microsoft was more realistic when discussing security in the cloud, stating the cloud "presents new security, privacy and reliability challenges, which raise questions about functional responsibility (who must maintain controls) and legal accountability (who is legally accountable if those controls fail)." Information Week has the full details.

Twitter: 75% traffic from REST API

2010-07-05T10:44:00.001-04:00

I was surprised to hear that 75% of Twitter traffic comes from the REST API. Surprised because I thought the number would be even higher. Twitter has slashed API limits in half across the board (even for its own official apps). Currently the public API rate stands at a miniscule 75/hour. The Fail Whale problem has been Twitter's own doing: they clearly should not have been making significant network changes as the World Cup started. They have not recovered and it's been an embarrassing month. Take a look at status.twitter.com (note: they aren't posting all the errors, the real picture is worse).

Census on the Cloud

2010-04-07T00:25:00.000-04:00

The census bureau is building up cloud infrastructure for the 2020 census. Current census technology is (not surprisingly) lagging - for example, they are just now moving to virtualize their Linux environment. The 2010 census has also been plagued with database performance problems.

Twitter - how not to manage RESTful services

2010-01-14T17:06:00.000-05:00

Dear Twitter,

If you are going to return different JSON in your RESTful services, please tell your users in advance.

....

Versioning and life cycle management of your services is crucial for clients. Developers of Twitter based applications are quite aware of this. Once again, Twitter changed the JSON response of some RESTful services at the usual time of 8PM PST. Of course, it broke our popular Twitter application. Twitter's RESTful services often change at a whim (not the actual call, but the format of the JSON response)

The cost? Development time to track down this unanticipated problem. But mostly, a usability cost (as in potential lost new users) as our application was not properly updating over night until we fixed the issue.
.....

The moral of the story for all Web Service developers is that the versioning of your services is crucial and should be a part of service deployment from the start.

CA buys Oblicore to manage cloud services

2010-01-14T16:52:00.000-05:00

CA has acquired Oblicore, which has built service-level management technology. CA wants to develop service management capabilities for customers looking to manage cloud computing environments. Oblicore is known for their real time service performance monitoring. It's a good buy for CA.

MSFT cloud computing unit

2009-12-18T09:07:00.001-05:00

Microsoft, lagging far behind IBM and Oracle (excluding Sharepoint, often used for the SOA consumer), is starting a cloud computing unit. MSFT should have done this long ago, but I believe MSFT will need to make a few major acquisitions to compete with IBM and Oracle. Microsoft to start SOA unit

Twitter hacked again - SOA security

2009-12-18T08:39:00.001-05:00

Twitter has been hacked again.. It's another black eye for Twitter's security and overall reliability. Twitter's problems should be a lesson for all SOA providers. While Twitter's data is likely limited to e-mail accounts, secure services often have critical data that can be compromised. SOA, in addition to the usual security issues, has addition security risks such as replay attacks.