I do think this is something that’s holding people back.
I’m a proponent of cloud services – have a lot of clients in that space. I’m just concerned because I see so many people blindly trusting cloud service providers. They say “Is your system secure?” The answer is “Yes!”, of course, and then nothing else is done. No validation, no follow-up testing, nothing but blindly trusting contracts, SSAE 16 reports, and people’s word.
This is not a good way of doing business.
If you and your business are going to be held accountable for the regulations, how can you possibly say you’re “compliant” when your cloud service providers don’t even fully understand how their systems and applications are vulnerable?
Trust but verify; here are some cloud security and compliance resources for further reading that may be helpful.