Today, HP warned that cloud computing early adopters faced security risks.

But the timing and motivation for such a warning are suspect: the risk that HP is warning about is already present for for organizations that don't have an adequate security plan.  Where their infrastructure is - virtual, physical, cloud - is of little consequence if there is no application-dependent security plan in place.  Once the application-dependent plan is created, it must be adapted to the deployment strategy.  For example, at the simplest level, there must be a firewall in place to block unused ports, which will be a physical firewall for a physical deployment, or a virtual one coupled with vlan controls for a virtual or cloud deployment.

This is no different than the requirement that there be a business continuity plan available to ensure uptime.  During the failure at Amazon's East Coast datacenter two weeks ago, customers which had a business continuance plan in place barely noticed the outage, while those who had hoped that Amazon's services included solving their business continuance requirements were disappointed by a multiday outage.

So the risk of the cloud is really more that, with its point-and-click deployment ease, it can lull users into ignoring or avoiding their fundamental business-critical IT responsibilities, especially since avoiding these responsibilities can represent a large fraction of the cost savings they see from cloud deployment.   Because these security and in business continuance plans have to start with the application, the cloud-buying organization cannot expect an infrastructure or platform cloud vendor that they interact with purely through a self-service portal to "fix" their security and uptime exposure: they must either retain the IT expertise in-house to use the cloud properly, or find a managed cloud vendor that offers Virtual IT services as part of their management suite.

So in a sense, HP is belaboring the obvious: large enterprises already have enough IT expertise to use the cloud safely, and small enterprises are well warned not to ignore the risks of skipping business continuity and security planning.   A possible reason for HP's announcement is that HP is late to the cloud game.  While HP's competitors were fielding cloud services, HP was focusing on providing hardware and software to cloud vendors, and it still does not have a credible cloud offering, according to outsourcing experts.  And there's nothing wrong with that: HP makes fine hardware and software.  But this sounds more like a stalling tactic to me: "stay away from the cloud until we have a better solution to your security problems than our competitors!"