Security practitioners inevitably cloud their thinking whenever they become trapped in purist arguments over what constitutes cloud computing.
It has long been recognized that discussions about cloud security quickly degenerate into arguments over what constitutes a cloud (I’m told the same thing happens to other IT specialties). Cloud purity is always a good excuse for a vigorous argument (and even some self-satisfying intellectual bullying). It would undoubtedly be useful if the world could agree on precisely which situations are cloudy and which are not. However, if a more precise understanding of cloudishness eventually emerges, it will almost certainly not be heavily influenced by the security niche (my bet is on the advertising industry).
My point is not that cloud computing is not a useful concept (and who could possibly question that?). My point is that the people responsible for assessing confidentiality, integrity, and availability risks should be focusing their attention on what is relevant to risk.
Security questions function at an abstraction level that can be almost blissfully aloof from purist arguments over blanket terminology. Understanding the security profile requires detailed answers to questions like: Who is doing what (or wants to do what)? Where? How? Using what technology? “Who controls it?” “Who can access it?” And the most important question “How do you know that?”
“In the cloud” can never be a useful answer to any substantive security question.