@GeorgeReese did something pretty cool today. He dared to ask how much a traditional security approaches were really worth vs. a cloud based approach. Yes, the discussion was short on heavy details–but it put a very pointed dollar sign bullseye on the most cited hesitation about cloud adoption over the last two years.

His simple point reminded me of a Ron Paul talk that asked how much foreign policy and military should be costing the US. I’m not very political or deep on the topic-but I know market positioning, and not too many politicians were asking the question in such a pointed way–it stuck and created a mini-movement.

If the only answer the establishment can give is “well that’s how much we have always spent” the question succeeds in its purpose–to show the prior spending to be ritual and habitual.

@beaker was up to the task of peeling back the onion on the argument, reminding us that while the cost of running an IaaS might be lower, the cost of VM/Application security might be similar. He also asked what if the cloud approach and vulnerability resulted in a near complete loss of data.

That question left me wondering if the improved economics of the cloud won’t open the door to very interesting advances in security survivability. Its one thing to ensure against any potential breach–but if we can elegantly run our applications across 10’s of data-centers for similar costs as we run it in two home grown ones today–shouldn’t it be easier fail over redundantly against attacks just as we do against hardware failures? Obviously this is a complex issue, and there are almost always single points of failure in any system that a truly dedicated and genius attacker could assail..but isn’t this how Twitter account security really works today? Everyday I hear of somebodies account on Facebook or Twitter getting hacked…but the services overall and the average user experience remains feasible.

Redundant arrays of less expensive clouds… an interesting topic.

Finally, and most tactically important–this is an opportunity for cloud providers to showcase their security procedures and protections. The time is ‘now’ to help create powerful cloud audit and security procedures, technology and products. The more clear a cloud’s security story is the more chance it has to drive disruptive levels of adoption. There is clearly room in George’s model for the IaaS to be more expensive and still be compelling. Smart cloud providers will invest in security related features, differentiate themselves from a race to the bottom, and capture the most lucrative part of world-wide infrastructure spending.