It seems that cloud security is a hot topic these days. I was in Cedar Rapids last week at the chapter meeting for both the Institute of Internal Audit (IIA) and Information Systems Audit and Control Association (ISACA) presenting on cloud security and audit issues. I'll also be presenting to the Des Moines chapter of the Information Systems Security Association (ISSA) meeting today about the same topic. If you'd like a copy of the presentations feel free to contact me.
The "cloud" is a touchy subject when it comes to security. Some companies are wholeheartedly embracing it while others are running from it. Which it the right approach? That really depends on one thing. Control. How much does it mean to you and how much are you willing to spend to keep it. Everybody assumes that data is less secure in the "cloud". I'd argue that thinking is really more of a control issue. Many cloud providers, not all mind you, have top notch security programs and systems which far exceed what many small to medium companies can afford on their own. In that respect security is better. However if you measure security by other matrix such as access control, the security value may be weakened. Long story short. You must define what "secure" means and then compare your security to a cloud provider's security. Only then will you know which road to follow.