Hurd clarified that the difference is between internal and external cloud. “We have 1,000 hacks a day and I can’t tell you why, but they keep showing up. We wouldn’t put anything material in nature outside the firewall,” said Hurd.
I've heard Mark Hurd speak. He is a very smart and charismatic guy. You don't get to be CEO of the 9th largest company in the US unless you are a genius. However, this idea of data isolation is not clearly articulated and represents a very 90s view of information architecture.
There is an issue with not having enough control of the environment to deploy any security controls at the network layer. It goes way beyond not being able to deploy IDS. Dealing with limited options to monitor or control egress from servers is really a bitch. Without being able to deploy appliance-based solutions, most of the best-of-breed stuff is unavailable to you. All kinds of things key to thwarting (or even detecting) data exfiltration are not available... I don't know of a cloud hosting provider where I can get netflow, for instance. I can't think of a SIEM worth a shit I can deploy in the cloud. Hell, you can't even get logs of authentication success/failure source IP info from many SaaS services to do any kind of usage audit.
Virtually every resource that has proven key to me in detecting data exfiltration is completely unavailable in environments like EC2/slicehost/etc. Some of the SaaS services are better than others; Salesforce is better than, say, Google Apps. But the reality is that using many cloud services, you can be owned and never have any way of knowing because you can't audit shit or do any kind of network forensics/monitoring.
Update: I just want to make it clear: I'm not writing off cloud services wholesale. It's just that many of them need to mature significantly before the threats presented by motivated, trained, and financed actors can be addressed.
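To illustrate the kind of egress visibility the commenter says is missing without netflow, here is an added example (not part of the original post or any hosting provider's tooling) that runs a simple exfiltration-candidate check over constructed NetFlow-style records: it sums bytes each internal host sends to external addresses and flags hosts that exceed an absolute threshold or stand far above the median. The internal prefix, the sample flows and the thresholds are assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port, bytes_out); not real traffic.
SAMPLE_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 3306, 4_500),        # internal DB query, ignored
    ("10.0.1.5", "203.0.113.7", 443, 1_200),        # routine HTTPS egress
    ("10.0.1.5", "203.0.113.7", 443, 2_000),
    ("10.0.1.9", "198.51.100.20", 22, 95_000_000),  # large SSH/SCP transfers out
    ("10.0.1.9", "198.51.100.20", 22, 87_000_000),
    ("10.0.1.12", "10.0.2.10", 3306, 9_000),
    ("10.0.1.12", "203.0.113.9", 443, 250_000),
]

# Assumed internal address space; anything outside it counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_bytes_per_host(flows):
    """Sum bytes sent by each internal host to external destinations."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_exfil_candidates(flows, threshold_bytes):
    """Hosts whose external egress exceeds an absolute byte threshold, largest first."""
    totals = egress_bytes_per_host(flows)
    over = [(host, b) for host, b in totals.items() if b > threshold_bytes]
    return sorted(over, key=lambda hb: -hb[1])


def flag_relative_outliers(flows, factor=20):
    """Hosts sending more than `factor` times the median per-host external egress."""
    totals = egress_bytes_per_host(flows)
    if not totals:
        return []
    median = statistics.median(totals.values())
    return sorted(host for host, b in totals.items() if b > factor * median)


if __name__ == "__main__":
    print(flag_exfil_candidates(SAMPLE_FLOWS, 50_000_000))
    print(flag_relative_outliers(SAMPLE_FLOWS))
```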