security in the cloud - different standards?

i was recently at a nice little conference in NYC and one of the speakers was Adam Swidler of Google (Adam’s bio via the conference host’s site). Adam spoke about cloud services and covered the topic very broadly. one of the points he addressed, which was in tune with the topic of the day, was security. a comment he made about standards stuck with me. he said that we can’t hold the cloud to different standards than we would our own infrastructure. to set the standards for what we have today, he referenced well covered stats about loss of data via laptops and USB sticks, soft internal security and other well known risks in IT today. The point was then made that holding the cloud to a better standard than that was not fair.

i’m not sure i can agree. shouldn’t we expect that someone who is claiming that they can manage huge volumes of data in a multi tenant model is going to have better security than the statistically average IT shop? we should and do expect companies like banks and credit card providers to have better security for specifically these reasons. if Google and other cloud providers hope to have the business of banks and other high risk data carrying entities in aggregate, doesn’t that hold them up to a stronger standard? i found myself thinking this was a dodge. but maybe i’m wrong. what do you think?

M&A and divestitures in the light of IAM and security

i was at the Technology Managers Forum security conference today (http://www.techforum.com/sf2009_1/index.html). it was a really good event packed with a lot of engaged people. we held a panel about M&A and divestitures and had a really good conversation. the conclusion is that planning and policy, like with so many other things, is the key to doing any of this well. but everyone also acknowledged that especially in today’s fast paced divestures and M&A driven by market conditions instead of business growth, there isn’t always time for the best plan and having a decisive direction and good tools is the only substitute.

we only had 45 minutes so we didn’t get into a heck of a lot of details. but i was wishing we had triple that by the end because the audience was participating and so many good threads were started and then cut off in the end. i’m sure we’ll get another chance to dive deeper.

feel free to post thoughts here and we can talk it out…