It's been a pet peeve of mine for a while (gosh, while I was writing that I just flashed on Andy Rooney doing his weekly 60 Minutes bit... read it in his voice, it's eery; I'd better watch myself) that among the various deficits with which detractors label cloud computing, security is almost always on the list. Leaving aside the fact that security is a pretty ephemeral concept which has a great deal to do with cost/benefit tradeoffs and is almost never an absolute, it seems to me that these people are simply taking advantage of a sort of logical trope that most people are hardwired with: online means stuff is shared with other people! It's all on the same computer! My god, they could just reach right over whatever feeble little wall is there and get all our stuff!

This was a real obstacle to e-commerce at first, and perhaps still is in some circles, but by and large most of us have figured out that there are sufficient safety mechanisms in place that our world will not crumble if we use our credit card to order a new toaster off Amazon. So it astounds me that the same people who will quite willingly do that, and even applaud it, will simply smear shared resource computing with the same sort of theoretical vulnerability.

But Dana Gardner has finally gotten some industry professionals together to talk about it, and the resulting podcast and highlights are posted here. Luminaries including Glenn Brunette and Chris Hoff hold forth on the topic and get into far more practical and realistic discussions of the subject than you tend to find elsewhere (of course, most of the panel participants are cloud advocates; I'd like to see a real debate between them and the skeptics some time). Being in bandwidth-challenged waters right now, I'm not able to listen to the complete podcast, but I was encouraged by Gardner's summary. The group wanders, as groups do, but along the way they point out that the real challenge right now is not so much that cloud security is worse than on-premises IT security, but that it is less explored; most people don't know enough about it right now to evaluate it, certainly not comparatively, and that may be the real knock against cloud solutions when compared with their on-premises counterparts. Auditing third-party systems for security compliance is not a completely unknown problem in the IT world, but doing so on such a grand scale is unheard of, and monolithic vendors such as Amazon and Google are not used to operating in such a way as to allow clients to do so.

As is often the case, I think the market is ahead of the debate in this matter. Enterprise customers are adopting cloud solutions as they make sense, in dribs and drabs, and are working out issues such as security and integration as they go. The answers to the questions posed above are no doubt already being formulated in many IT departments and by consultants. By the time the debate comes to a head, it may already be old news.