Both for Amazon's service and for our basic hypervisors, we no longer control ingress to the machine processing space. In the case of Amazon, it is Amazon's routers (and presumably firewalls). In the case of our virtual machine managers, we relegated the inter-memory systems and processes to the handling of a "black box," one that we seldom, if ever, have any control over. These are security problems and I also believe that these are legal problems. Allow me to explain.

What happens if and when data that we store or process on a virtualized machine gets compromised? Will we know? If WE do not know, how will we notify our constituents, especially when data breach notification laws are in place? How will we know to improve our security?

These are not idle words. If you look at the Amazon contract (and this is an example only, I do not wish to "pick on" Amazon, which I appreciate and respect), you will see the following sentences:

"4.3: We are not responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of, Your Content (as defined in Section 10.2), your Applications, or other data which you submit or use in connection with your account or the Services."

"7.2: We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications."

What you do not see is that the provider accepts any responsibility or duty to inform the data owner, you, of any breach, notify you of any attempt, nor responds to any incident. The agreements are worded such that the customers' of Cloud computing bear all responsibility for such risks. It therefore appears that any law requiring breach notification, and any regulation or requirement, such as PCI, cannot be complied with.

Since the concern above is present, and understanding the incredible potential of cloud computing to improve the performance of IT foundation and infrastructure, we must find a solution, or a set of solutions, to standardize and address security concerns communicating to the cloud, within the cloud, and to data elements which reside therein.

In the next article, I will discuss the requirements for such solutions, and will include the excellent proposals brought forth from the Jericho Group and from the Cloud Security Alliance. I will also issue a "call to action" for these and other organizations to address the issue of cloud security before the technology become either unmanageable or, conversely, be seen as too risk-laden for corporations to use.