Why focus on Encryption?
I'm apparently an Information Security Professional, and concerned about Cloud; not because of the technology or technical impacts (just like PKI, it all seems to be fine). I'm more concerned about the non-technical aspects: risk, accountability, reliability, legal and privacy implications (just what killed off "Big PKI").
I have one of my auto-rants around this topic at http://www.pingudownunder.com/2011/05/04/simon-harveys-answer-to-what-are-common-concerns-about-adopting-cloud-computing/ and am more than happy to stand corrected.
A recent CIO.com article quoted this as the crucial point: "This is what shared responsibility implies—both parties have to step up to the security aspects in their control, and failing to do so means the application is not going to be secure. Even if the CSP does everything correctly for portions of the cloud application within its control, if the application owner fails to implement its security responsibility correctly, the application is going to be insecure."
My issue is that, given the immense hype, marketing and over-simplistic sales pitch by Cloud/IT vendors, they ignore their own responsibilities. And the market they are selling to - CEOs - incorrectly assumes that security is no longer their issue. At least with traditional IT Outsourcing, the Rs & Rs were clear - contractually - about who is responsible for what. I have yet to see this in the Cloud world.
Looking at the Amazon Web Services downtime over Easter, the default compensation from AWS to customers was 10 days' hosting credit. I wonder if this fully compensates the business loss incurred by their customers - and how many of them had DR/IT BCP plans in place.
Don't get me wrong ... similar to other "innovations" like SOA, BPO, BPM, Outsourcing, NearSourcing, Offshoring, NearShoring, and so on, I do like the promise of "Cloud" and can see many benefits; I just don't like its execution by the IT industry.
And I strongly believe that you cannot assume, or believe the marketing hype, that security becomes a non-issue. Ultimate responsibility for security and risk management remains that of the customer - and they need to select the appropriate CSP which provides them with the most appropriate level of controls for their needs (insurance, contractual limitations/compensation, technical and policy monitoring/evaluation, etc.).
Case in point: El Reg's reporting of the Virgin Blue downtime seems to indicate that they have good contractual obligations on Navitaire - i.e. the airline is due to be fully compensated for actual losses, including compensation given to VB's customers, plus additional charges on their IT Service Provider. I can't see anything approaching near this in the "Retail Cloud" space (e.g. Amazon, Google, Rackspace) ...