I doubt that security is such an important topic that figuring it out (or deciding, after thorough examination, that it cannot be solved) accounts for the manifest reluctance of IT organizations to embrace public cloud computing.
For many organizations and users, public cloud computing actually represents a huge step upward in security. I recently talked to the CEO of a small healthcare SaaS provider called Healthonomy, which leverages Amazon Web Services to achieve HIPAA compliance. Using AWS made this possible, because it's unlikely that this tiny company, should it use its own data center or a colocation facility, could afford to implement the infrastructure requirements necessary to achieve HIPAA compliance, the CEO says. Moreover, he adds, Amazon's security was enormously better than the "PC under someone's desk" situation typical of Healthonomy's small-practice physician customers.
The Groundhog Day nature of the discussion indicates to me that the security concern consists of two elements.
First, there's a reluctance to rely on an outside provider because of a suspicion that, should an external cloud provider suffer some kind of security problem, IT would be blamed, even if it was the provider's responsibility. Unless and until a sign from on high (a document or policy from someone, somewhere) declares that IT is completely off the hook with regard to the provider's security, IT employees will continue to voice security concerns.
I wrote about these cloud adoption concerns three months ago, and all I'll add at this point is that the sign is never going to appear. Relying on an outside provider inevitably exposes one to risk; the key question is whether the benefits outweigh the risk.
Second, there's an instinctive preference for a private cloud solution and a corresponding holding pattern until the private cloud can be implemented. If enough reservations (or FUD, to put it bluntly) can be raised about cloud computing, then enough time can be bought to allow a private cloud to be stood up.
I can understand something as instinctual as the belief that only something implemented by and under the control of IT can be trusted.