There is a lot of hype and confusion about cloud computing, what it is, and what it isn’t. Here are some resources I use, and ones I recommend for understanding the fundamentals of cloud computing and cloud security. You will not find any “cloud will change everything” nonsense here (it won’t). Nor “cloud is nothing new” nor “cloud is completely new” nonsense, either. Cloud computing is a mix of old and new ideas and technology. It is mostly evolutionary, but in some cases revolutionary.
Properly deployed for appropriate purposes, cloud computing can be fantastic. I have moved most of my lab systems to a cloud environment and it has provided a huge improvement in my ability to test systems and deliver demonstrations. Astaro uses cloud systems to deliver content and services for partners and customers more effectively than we could with internal resources. But cloud computing is not for everyone, or for everything. You just need to research, plan, and migrate wisely.
There are a handful of very good cloud computing security documents out there; here are the ones I recommend (some are pretty big PDFs):
Start with the NIST definitions doc; it is only seven pages, and only the last two have the actual definition. It is not “security specific,” but it sets a common terminology for the rest. Download it here (PDF).
My new favorite cloud security reference is from the Australian Defence Signals Directorate. Their Cloud Computing Security Considerations is a great resource and a great conversation starter for those considering a move to cloud computing. (It is 19 pages and an easy read, too). If you read only one, read this. And share it. Download it here (PDF).
For more meaty discussions of cloud security, it is hard to beat the documents recommended for those preparing to take the Cloud Security Alliance (https://cloudsecurityalliance.org) CCSK (Certificate of Cloud Computing Knowledge https://ccsk.cloudsecurityalliance.org) exam.
CSA’s own Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 (download the PDF here) is not a light read, and is enterprise focused, but has a lot of good information. The other study document is the ENISA Cloud Computing Risk Assessment. It is also not a quick read, but has more of a small- to mid-sized business focus (reflecting its European origin).
Speaking of CCSK, it is an interesting certification. I’ve recently passed the exam, and heartily recommend the study material. But the certification is probably of limited value to most people until “cloud” is better understood. As you would expect, CSA has an enormous amount of information on their site, covering a myriad of cloud concepts.
A couple more references for those of you who want a broader understanding:
NIST also has a Cloud Computing Reference Architecture (download the PDF here) which needs some help in the area of readability, but is a good resource, especially for the discussion of cloud computing roles.
OpenCrowd’s Cloud Taxonomy (http://cloudtaxonomy.opencrowd.com) is useful for help in categorizing cloud products and services and for understanding the categories.
This is by no means a complete, or even exhaustive list. But it is a good set of resources which should be helpful to those considering a move to cloud computing. Or to those already in the clouds, but afraid of heights.