Cloud computing is a topic of pursuit for me this week at HP Discover. The dilemmas I raised last summer about cloud solutions (Got Cloud?) remain, from my perspective, so I'm keen to hear more about the state of the practice. In my experience, senior management doesn't really know what "cloud" is, although they're not as clueless as the Indian official who apparently took "cloud computing" too literally (Hilarious: Rain could corrupt your data in the Cloud, Indian official says).

Senior managers do, however, understand that cleaning up after a breach is a different ball of wax when the breached systems belong to someone else, and the exposed data belongs to a government agency. (I've spent most of my career working for research think tanks.) Can the agency confiscate systems, or monitor or conduct a cleanup? Who foots the cleanup bill sent by the agency?

Senior managers also understand, very clearly, that sometimes the breach is when an external attacker gets access, and sometimes it's when one of your own people accidentally puts data where it doesn't belong. No matter what sorts of protections the cloud provider can claim, there'll be data that's not allowed to go there, and it's a nightmare if it does. It's less of a nightmare if that happens on your own systems than if it happens on someone else's systems.

I've often said that any security policy has three goals: make it easy for Good Guys to do Good Things; make it hard for Good Guys to do Bad Things; and make it hard for Bad Guys to do anything. If it's very easy to store data "out there” somewhere (Good Guys doing Good Things), it's also very easy to put something out there that doesn't belong there (Good Guys doing Bad Things), and that worries people.

So I scheduled some cloud-related sessions this week.

Today (Tuesday, June 5), we heard HP CEO Meg Whitman list three themes for HP's strategy: cloud computing, security, and information optimization. Those first two strike directly at the concerns I've outlined, so that's promising.

We heard Jeffrey Katzenberg, CEO of DreamWorks, reassure us that he trusts HP to protect his cloud-based information. That's better than saying he doesn't trust HP, of course, but it somewhat misses the concern I described above. No matter how good a cloud provider is at stopping Bad Guys from doing Bad Things, Good Guys could still get careless and do Bad Things that could be a lot harder to handle when the breached environment is outside our direct control.

I attended a session on "Top IT Trends” that included the usual list of reasons for considering cloud solutions, but I still didn't get any new insights on the concerns found in the research organizations I've worked with.

I attended a session called "Engineering Cloud Transformation, Lessons Learned,” but that was about the rollout experience, not the security concerns.

My quest for an a-ha moment continues. I'm hoping I'll hear something this week that suddenly makes me think, "A-ha! That's it! There's a way to pitch a cloud solution that will address the things that keep senior managers (the ones I know) up at night.”

Thoughts?