What I meant by "doesn't exist" is that cloud computing isn't a raw, new technology whose insides shouldn't be messed with by IT people without specific cloud experience. "Cloud" is a blanket term describing the tight bidirectional integration that makes many types of virtualized systems operate like one big, coherent system.
It's not designed to do all your routine server work for you. You don't have to vacuum a virtual server; you do have to put a firewall on it.
Many in IT are still confused about what this "cloud" is and what they have to do about it
The cloud is like a dashboard that lets you monitor and control a whole range of systems from one place, with a lot of load balancing, trust-relationship-maintaining, resource sharing and remote-system-function-calling going on all the time so the Unix systems in Poughkeepsie can offload some of their peak-time processing work on the Tempe data center while both do temp data dumps on the high-speed storage systems in the DR/business-continuity facility in Skokie.
Underneath all the nifty cloud technology – the virtualization, virtualization-management and virtualized-system-integration products from VMware, Red Hat, Microsoft, Citrix, Cisco, EMS, IBM or other developers of products designed for resource-intensive, high-availability data-center applications – are virtual servers exactly like the little ones running Exchange and SharePoint and your firewalls and those test/dev-marketing apps you can't stand to have in the actual data center because the test/dev and marketing people come with them.
You can't just load those VMs onto virtual-server cluster in someone else's cloud and expect them to take care of all the security.
Yes, cloud service providers do security; they spent a lot of time answering your questions about their security, what protocols they follow to respond to DDOS attacks, malware floods and other common threats. They also spent a lot of time dodging your questions about when you'd get to tour their cloud facility to see the high-security provisions for yourself. (They realize it's a trick question, you weasel; no one should be able to get in there except for vetted and bonded employees of the service provider.)
That doesn't mean you don't have to build a firewall to cover your cloud servers, or go into the master images of the virtual machines and build in the same access controls, policy-based access- and use restrictions you build into the VMs in your own data center (or, if you work for Luddite, Inc., into your physical servers).