"I don't understand the hardware, I don't understand the software, but I can see the flashing lights"
This sums up the basic problem with cloud adoption and over the last week or so its been even clearer while chatting with some clients and journalists around the issues of cloud.
Simply put the current regulatory, compliance and security world is basically based around that statement.
Security folks don't understand what your application does, but they understand networks, networks are physical things, they understand SSO and how to VLAN and physical LANS and they love the physical separation as its obvious how the security is maintained.
Accountancy folks don't understand any of this but they can look at the data centre, count the flashing lights and know all is good. They can also "audit" this physical environment and feel happily secure that the flashing lights are kept safe by a good bunch of process that makes sure that the flashing lights don't talk to the wrong flashing lights.
Lawyers are retarded by the legal lag that in many cases appears to struggle with the idea of the computer and digital information let alone the concept of the internet and cloud computing. Again its about the physical separation as this is what makes it easiest.
Hardware manufacturers play to the flashing light meme as well, I was in a DC recently and made a comment about the compliance challenges and how people seem to like flashing lights and the chap said "Good point, I mean we even put them on the BOARDS for some reason and in a rack you can't even see those lights".
This is the world that cloud computing really comes against. Worries that "one virtual machine could break into another one on the same processor", concerns that virtual separation is just like stabbing a condom with holes, concerns that because you can't physically audit the separation and that some of the cloud providers won't allow you to stomp around their data centres that in fact everything is insecure.
Before FUDmeisters jump up and scream about "being safe" let me ask you this... when was the last time you demanded a third party audit of your electricity supplier to prove that they wouldn't blast you with 300MV at 1MA? When was the last time your asked for a third party audit on your telco provider to prove they were not eavesdropping on your calls? What about the postal service or delivery company that ship your packages?
IT is of course completely and utterly different.... or is it just that because people have been beguiled by the flashing lights and the physicality and don't want to recognise the new challenges that they really should be addressing. Armadillo security (hard on the outside, soft on the inside) has long been a flaw in many company security approaches and virtualisation just makes that approach more obviously flawed. Approaches like Jericho aim to address the problems of business interaction.
The larger challenge however is in the audit and legal areas, being blunt many of the rules laid down today by legislators or auditors are based on a lack of understanding of the mid-90s and have no hope of applying to the new distributed IT environments. Take the need for an independent 3rd part audit of a cloud providers data-centres including how they provision, manage security and ensure availability. The problem is that IT is treated not as a utility, which is what cloud aims for, but as a physical asset that must be proven in the same way as oil reserves or cash.
The shift to treating IT as a utility needs to overcome these legal, accountancy and security objections and those of the intenral IT department. But to be clear these objections are already being worked around and in time will be overcome. The four FUDMeisters of the cloudpocalyse will lose this battle overtime but the quicker that the regulatory and accountancy rules are changed to recognise the shift of IT into a utility the better.
They can't have the flashing lights, and they need to deal with their loss.