I wrote this blog in July 2009 dealing with security, the cloud and how organizations will need to deal with this mashed up infrastructure. I think it is worth another read in spite of the loss of formatting.
My proposition here was that both organizations and cloud infrastructure and application vendors need to put security and the ability to measure its operation as a top service feature. Customers of cloud vendors cannot be left holding the bag to assert to their auditors that their infrastructure is within compliance with (insert here your required regulation or industry standard).
Four years have past since this blog was posted and I would contend that much of this still applies. I know security assurance has not become any easier to architect, deploy and manage in those four years, but we seem to be falling behind rather than making progress in offering strong, certifiable and continually monitored security for cloud services.
Please comment and show me that I am out of date on this issue because I want to be.