I often wonder how many misbegotten trends in IT have their origin in the need to say something clever about a subject that you don’t know very much about. Example (circa 2002):
Joe’s Manager: Joe, what do you think about this web services stuff?
Joe: (scrambling) I think it has a lot of potential but, uh . . ., they really need to solve the security problem first.
The truth of the matter is, at the time, Joe knew almost nothing about web services, SOAP, etc., but he had read/overheard just enough to know that “everybody” was concerned with “the security problem” (whatever that was). The result was the development of a boatload of new technologies (WS-Security and its attendant profiles, WS-SecurityPolicy, WS-Trust, WS-SecureConversation, etc.) when the vast majority of SOAP deployments do fine with little more than SSL and BasicAuth. I remember a SOAP-oriented conference in 2005 in which a vendor rep asked the audience, “How many of you are using or planning to use WS-Security?” When only one hand (in a room of at least 100) went up, the rep went slightly non-linear, saying something to the effect of, “WTF, you asked us to build all this stuff …?!?”
Fast forward to today and substitute “cloud” for “web services”. I’m willing to admit that there are a few security issues that are unique to the cloud (mostly around multi-tenancy), but I assert that 99% of “cloud security issues” are no different than current IT security issues. I’m worried that, in their need to have something clever to say about the cloud, people are creating the false impression that someone needs to invent a whole boatload of “cloud security” technologies when we simply need to re-apply our current security solutions.