Trust but verify, people.

Josh Beckett

I thought it was a well understood security principle; trust but verify.  Maybe it is and the PHBs are simply out-voting the security crowd and the voice of reason.  At the end of the day when you don't know what is out in the cloud and have limited to no controls to act if you did know, your data is seriously at risk.

Of course, an equally well known security principle states that a valid response to risk is to accept it.  I would sincerely hope that the businesses that have my data aren't doing this.  Who am I kidding? I know they are.  As if I only do business with the 20% crowd...I can only dream of the day.

Just because 'cloud' is one of the latest hot things that everyone feels the need to be a part of doesn't mean it's safe to rush into it without some security common sense.  It just reminds me of that ridiculous phrase that everyone's parents used to utter:  If all of your friends were jumping off a cliff, would you jump too?  X-Games aside, every one of us likely rolled our eyes and grudgingly exclaimed 'No!'  However, that is exactly what is going on with so many 'cloud' implementations today.  It's also worth distinguishing how many services want to be called 'cloud' and be cool by association but are really just web-based services, but that's a subject for another day.

I know this will ruffle the feathers of the pro-cloud folks, but the fact of the matter is simple.  There really isn't much true security going on in the cloud.  There certainly isn't a lot of positive proof that sound security principles are in place and proven effective.  In fact, quite the opposite.

I was at a cloud security conference about six months ago and there were certainly a lot of people talking about what needed to be done.  Sensible stuff.  Not much in the realm of real solutions that are out there today, in place, and proven effective.  I've been involved in cloud projects where the security controls that I tried to put in place were completely shot down or ripped out because the stakeholders simply weren't interested.  Certainly it can be argued that many cloud implementations suffer from the same security challenges that public universities face; that they are meant to serve a different purpose based upon the sharing of ideas that cannot and should not be stifled by security measures.  I can understand that philosophy for some implementations.  However, that doesn't mean we need to go all data-rumspringa.

I guess the only thing left for us to do when we encounter cloud services is to distrust until verified.  I like that.  I'll let you use the phrase, but remember you heard it here first.
