Security is one of the first things businesses mention when discussing their fears about cloud computing. Moving to the cloud means handing control of infrastructure to someone else, and those fears are therefore entirely valid.
From the inside of a cloud infrastructure provider looking out, it's all too easy to see all the things you have done to secure your infrastructure and dismiss these fears. You "know" your infrastructure is secure, you appreciate the pains you have gone through in securing it, and you want your customers to trust that you have created a secure environment.
So let's start with the idea that your cloud infrastructure is "secure", a claim that, stated on its own, is meaningless.
Your cloud infrastructure is likely secured with respect to some requirements, but it is just as certainly insecure with respect to others. Nothing about this is specific to the cloud: every infrastructure on the planet is secure against some threats and insecure against others, and "secure" says nothing until you state which requirements and which threats you mean.
As I stated in a prior blog posting, a cloud infrastructure can be made secure for most business needs. To determine whether a given cloud infrastructure will meet your business requirements, however, you need to know a number of things about your cloud infrastructure provider. In short, you need transparency.
The absolute worst thing I have seen from a cloud infrastructure provider on the cloud security front is this interview by Craig Balding from last year with Guido van Rossum, creator of Python and a member of the Google AppEngine (GAE) team. The article is filled with valid security questions that van Rossum answers with "No comment" equivalents.
Here's my chief recommendation when it comes to cloud security: if your cloud provider refuses to answer a specific question about the parts of their security architecture that bear on your security requirements, run, don't walk, away from that vendor.
There are exceptions. Overly broad questions, and questions not tied to a specific requirement, may simply not be answerable without a concrete context. Ultimately, however, the cloud provider must be able to show how its architecture satisfies your specific security requirements.
I don't mean to pick on GAE. Cloud infrastructure providers as a whole have been far too evasive when it comes to security questions. They may be evasive out of a genuine, if rarely valid, concern that exposing details invites attacks; an architecture whose safety depends on nobody knowing how it is built is weak by design. It's also possible that they are worried the honest answer is not good enough. As a customer of cloud services you have no way to tell these two cases apart. Either way, the outcome is the same: you cannot establish that your deployment architecture meets your requirements, and that is the one thing you must know.
Demanding transparency from your cloud providers is a critical part of your security due diligence.