Yesterday on a mailing list, Andrew Jaquith had a great response to the question "Most Overhyped Story of 2009"
Most overhyped story: "The cloud is insecure, m'kay?"

I could not agree more that Cloud Security, far from destroying information security, will move the conversation along to something more useful than today's "best practice" of being "inside the firewall" or (wait for it) "outside the firewall."
It is easy -- and appropriate, today -- to discuss the risks associated with putting applications and data on semi-public devices you don't own. Criticizing is easy, but the fixing is more interesting. I predict that in time "the cloud" will be the best thing that has ever happened to information security, because it focuses attention on the data, not the infrastructure. Or to put it differently, it puts the "information" back into Information Security. This is exactly the discussion we need to have.
So, hopefully this is our underwear bomber moment in a good sense. For years Schneier had a joke (about over-focusing on tactics) that we are all lucky Richard Reid didn't put the bomb down his pants, otherwise we'd have to do strip searches instead of taking off our shoes. Well, now that has actually happened, and the question is what happens next. Hopefully what happens next is not strip searching but rather a focus on values and priorities.
In a similar way, Cloud Security should force the questions about the limitations of what infrastructure security is capable of to the surface. Instead of our magical thinking about a warm, fuzzy security blanket delivered under the auspices of simply being "inside the firewall", we need to look broader and deeper (because it's someone else's infrastructure) and see what's really required from a metastructure (hint: decentralized policy and identity) and an infostructure (application and data security). This is the conversation we've needed to have for a long time, and the Cloud should push it to the top of the pile.
By the way, I would also add that the "we" who needs to have this conversation includes many, many people outside of infosec. This is not something that will get resolved by three people sitting in a room at the RSA conference; it requires architects, developers and others from outside of infosec to resolve.