Lori MacVittie - Two Different Socks

posted on Tuesday, August 05, 2008 4:56 AM

Who is responsible for security in the cloud?

Let's say you just developed a web app through which customers can order widgets. You're pretty sure your widgets are going to be the hit of the year and you want to make sure that you don't suffer outages and performance issues like many retailers have in the past, especially around Black Friday. So you've decided to take advantage of the fact that a cloud computing provider can and will shoulder the responsibility for scaling your application even in the face of hundreds of thousands of customers knocking on your web site to order your widgets.

The question is who is responsible for worrying about compliance with regulations that may be pertinent to your application and its infrastructure? You? The provider? And if you're running in a cloud like Amazon or Joyent but using a third-party like RightScale to provide additional features, which one of them is responsible for compliance? Both? Neither? Just you?

Really, it's not just a question of compliance, it's a question of responsibility for security. You have control over ... the weak link: the application. That's it. So you can use secure coding techniques and perform code reviews and make sure that your application is secure, but what about the rest of the infrastructure? If you're employing a cloud so that you don't have to worry about all the moving parts that go into scaling up an application - or even if you aren't, but just don't want the headache and cost of building out a massive data center to host that start-up - you may have no idea what kind of server OS is actually running the virtual machine upon which your images are deployed. And you probably don't know what the underlying infrastructure might be, or how secure it is.

There are still questions to be answered that have yet to be addressed with cloud computing, such as compliance with regulations like Sarbanes-Oxley (SOX), PCI DSS, HIPAA, and SB 1386. Before any cloud computing model can be fully adopted, compliance with regulations regarding the security and transport of sensitive corporate data such as financial information, personal identification data, and credit information must be carefully considered and addressed, especially as failure to do so is no longer a matter of a simple slap on the wrist but can involve large fines and even jail time for responsible executives.

It's nice to not have to worry about the infrastructure that's delivering your applications "out there in the cloud", but there still needs to be an awareness of what that infrastructure is in order to rest a bit easier at night. Even without the prospect of regulatory fines and punishment looming over your head, there's still the question of basic security that needs to be addressed. You may not be worried about HIPAA or SOX, or even PCI DSS, but the core security of every component of the infrastructure used to deliver your applications is paramount to ensuring the safety of your applications and the data they manipulate.

Ultimately it's your application being delivered, so you'll have to shoulder the lion's share of the responsibility for ensuring it is secure, even if that simply entails asking some basic questions of your cloud computing provider about its security and what it has put in place to ensure your applications are delivered not only as fast as possible, but as securely as possible.

So maybe the better question is who will shoulder the responsibility for the "big picture"? Or perhaps more appropriately, who are the regulatory commissions going to blame if and when there is a breach?
