As the debate rages on the direction of 'cloud' computing - which is really just 2.0 word for "software-as-a-service' or SaaS - there are in my opinion a few security benefits which make cloud based services a more secure option for some.
1. Common platform. Using a single service platform has the advantage that if a vulnerability exists in the service, it only takes one remedial fix. This is unlike unique implementations of similar products in each customer, where vulnerabilities can go unnoticed, unpatched, and exploited for long periods of time.
This glass can also be half-empty though and a single problem or weakness can affect of the service customers. But if my own experiences with using common platform products (like my macbook) are any indication, I would rather have a problem that all of the product's customers have and that will attract the required attention from the vendor at risk of losing them.
2. Service agreements. Mature formal service agreements which are designed to effectively control the services being provided and outline the expectations of both provider and customer are likely to be designed to be fair and open. This results in communities of customers being able to influence the providers terms. This includes provisions for security, availability, audit-ability, etc.
3. Focus on Information. Many of cloud computing's opposition will argue that if there can be no inherit trust in a 3rd-party system then how can there be any security afforded to the information itself. I see this as quiet the opposite - if trust cannot be clearly defined, then a conscious decision to keep sensitive data off the service can be made. This contrasts the current internal service model, where an organization's staff falsely promote the trust of insecure systems, and this results in data at risk without any knowledge of these risks.
4. Extensions. As FireGPG is evidence of, many innovator's are equipping cloud service users with tools to do so securely - or to build a layer of trust on top of these services. This builds on the previous point in which the cloud can be explicitly defined as untrusted, and used for only what it can provide to the secure or trusted layer like transport and storage in the case of secured email.
5. Buy the availability that you need. Most services including the invaritable google apps platform provide easy to understand availability service levels. GAPPS STATS. While the previous strengths mostly focus on ensuring the confidentiality and integrity of information being manipulated, most cloud services are designed to be purchased depending on the amount of availability required.
The one reality is that the ever-connected nature of cloud services require a supporting level of connection to that particular portion of the Internet, as everyone knows from time-to-time there are interruptions to these connections which no one can control - we are still using the same network that has evolved from simple connections between defense entities and educational institutions.
I would be very interested in what other people's perceptions of the security/insecurity debate of cloud computing. Here are a few examples a quick cloud search provides:
Comments