RSA (the security division of EMC) is looking to launch two new services in the second half of this year: an Identity service and a Compliance service.

The Identity service is SSO for cloud services, using RSA SecurID technology.

The Compliance Profiling Service will allow businesses to determine conformance with best practices, as defined by the Cloud Security Alliance.

JCPenney gamed Google's search engine for months. Google has now taken "corrective action". The NYTimes has an extensive article on the matter.

Familiar with two-factor authentication, whereby a PIN is generated and sent to a mobile device? It has been used in the enterprise for some time, but is now becoming popular in the consumer market. Google is now offering two-factor authentication. One quirk: you need unique per-application passwords, which could lead to users writing down passwords. Techcrunch has the story.

eBay is now open sourcing Turmeric, a policy-driven SOA platform on which you can develop and deploy SOA services. Turmeric is Java based and standards based (WSDL, SOAP, XML, JSON, XACML, REST), and supports a variety of protocols and data formats. Eclipse plugins will help with the development of service providers and consumers.

Security services and a monitoring console with policy administration will be included.

There are no dependencies on internal eBay applications.

I've previously blogged that the cloud is great for hackers: computing power is cheaper and more available than ever before. And now German security researcher Thomas Roth has used EC2 to hack WPA-PSK, running through 400,000 possible passwords per second (almost assuredly using GPUs). Equivalent hardware would typically cost tens of thousands of US dollars; with Amazon you pay about 30 cents per minute. The full article: Cloud computing used to hack wireless networks

The Treasury Department is moving four existing sites to Amazon Web Services. Moving to AWS:,,, and Congrats to Smartronix, which was awarded the contract.

We often focus on the technological security issues of cloud computing. We should also be thinking about physical security. I've set foot in many datacenters, some of which featured impressive physical security measures (armed guards, a series of entry barriers, etc.). Others have been lacking in comparison.

Too often, companies fail to do their due diligence on physical security when choosing a cloud provider. Some questions to ask: does your provider have 24/7 armed security (and how many guards)? What access control systems and procedures are in place? How many independent power sources are there? What fire suppression systems are installed?

It happened sooner than I thought. A cloud provider caught in an unwinnable situation. Amazon this week hosted, and then unhosted, Wikileaks. On a technical level, experts questioned whether AWS could handle distributed denial of service attacks. Social media users shared the "close your Amazon account" link -- Amazon lost customers and its good image with a portion of its customers. Many who support Amazon are still wary of the government pressure to remove the site.

You can envision other scenarios: hackers using cloud computing power to crack passwords or attack servers, to power DoS attacks, or to host sites some find offensive. Wikileaks forces cloud providers to confront a host of unwanted legal, political and media issues.

The removal of Wikileaks from AWS had little effect: the site is mirrored on dozens of sites, and Wikileaks is successfully using Twitter to broadcast its message along with links to those mirrors. If anything, we saw the Barbra Streisand effect yet again.