Welcome to OUR GLOBAL IT COMMUNITY.

And yet still today we are constantly reading stories of companies losing laptops with customers social security #s, insecure coding allowing hackers to find credit card information and personal information, etc. All of these companies are supposed to have strategies and security policies in place, but they all break down when one person doesnt follow them. Now, do not get me wrong, I am not one of those people who refused to shop on the Internet. I do, though, think the Internet is a very insecure place and you should pick and choose who you give private information too.

As for clouds, my concern is less with the information flowing over the Internet, but more towards the fact that when companies utilize a cloud provider to store proprietary data or client's personal information they are exposing themselves to greater risk then if they host it themselves. There are just too many factors that are out of their control once the data is stored elsewhere. Strategies could be made and policies created, but ultimately you never know if they are actually following what they preach. If just one person decides to break policy, the entire policy is out the window and your data is at risk. For data that is not sensitive, then I see no issue with it. Cloud applications have the ability to greatly reduce operation costs and increase uptime and availability. It's just the sensitive data that I am concerned about.

Lawrence, you bring up some superb points, but let me play devil's advocate for a moment: Couldn't most of the arguments you make also apply to using the Internet for data transfer rather than a leased-line network? I can, in fact, remember just those arguments being made shortly after the Internet was opened to commercial traffic in the '80s.
Technology was developed to allow data to safely transit the Internet; isn't it possible that technologies and strategies will be developed to allow safe data processing and storage in the cloud?
It's possible I'm too optimistic on this front (it wouldn't be the first time), but I just have to believe that cloud security is a solvable problem -- even if it isn't yet a solved problem.

As far as I am concerned, if you have sensitive, confidential, or proprietary data, it should never be hosted in a cloud environment. This type of data is meant to be secured in such a manner that you have explicit control over how it is protected, stored, backed up, and accessed. By adding this data to a Cloud environment you lose control over all of these factors.

Once your, or your clients, data is being managed by a third-party company you no longer have any say as to how this data is protected. For example, how do you know who "really" has access to this data, how backups are being done, what security infrastructure, such as nids and firewalls, are in place, and the encryption that is being used. Another major issue is that your sensitive data is now going to be flowing over numerous pipes, whether internally in the cloud, or over the Internet. New techniques for breaking encryption are being created daily and by allowing sensitive data to be sent through "public" pipes, you run the risk of this data being sniffed.

In my opinion, sensitive data should only be hosted on servers that are completely under your control. Furthermore, this data should also only be transmitted through point-to-point pipes directly between you and your servers, thus eliminating the risk of someone sniffing your data.

John, I agree with your statements about the availability of infrastructure tools to secure transactions. My question is more about data transit: Do you trust the currently-available tools to secure data in transit between services, or between local systems and the cloud? I have thoughts on this, but I'm eager to see what the community thinks...

I believe that cloud computing can be as secure as enterprise systems behind the corporate security shield.
1. There is no reason why a cloud provider can not deploy the same firewalls, monitors, passwords around the virtualized environment holding a companies apps/data. Dynamic allocation of resources may require some additional security to avoid penetration but that should not introduce excessive risk.
2. Corporations already allow other entities to hold things of value (money or information) under a business model that indemnifies them for loss. The same should hold for a cloud provider.