ISACA put out a paper on 29th Oct, 2009, titled "Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives"

While somewhat short, this paper is a must read for senior IT and business folks, as it shows that cloud computing still fundamentally requires work in terms of new and updated strategies to mitigate risks and manage governance and regualory requirements in order to truly suceed in broad enterprise computing solutions. Not barring the success of vendors such as Salesforce.com who maintain a huge amount of their own customers CRM data with a very minimal real guarantee of security or even service levels, the broad issue of security in the cloud remains the touchstone for many enteprise conversations.

Cloud Computing holds the promise of offering services on demand that are global, rapidly elastic, cost controlled and with minimal management. However, when you actually try to address the security issues (concerns), such as data loss protection, identity management and those compelling facets of cloud computing start to erode, as security does introduce a level of cost and complexity that most cloud providers are nto fully embracing. Once additonal requriements such as forensics with full audit trails appear, this simple slice of cloud will become a real storm (tropical, .violent, galeforce, unmentionable,  or something else, will depend on the stituation).

This is why the efforts of the CSA and others are crticial to get a level of standardized approaches, if not standards themselves, to help organizations adequately deal with this reality. While this is a short paper, it does precede a valuable update and expansion of the original CSA "Security Guidance for Critical Areas of Focus in Cloud Computing".