The transition to more virtualization-focused software-based security controls, though now filled with uncertainties, is still expected to occur, and though only deployed "in the single digits today," by 2015, Gartner predicts 40% of security controls, such as antivirus, will be virtualized. This will happen, MacDonald added, despite the fact that vendors such as Cisco and Juniper have been dragging their feet because they like to sell "overpriced physical hardware."

At this point, the main idea is to "treat the virtualization platform as the most important IT platform in your , from a security and management perspective," MacDonald said.

For those responsible for the identity management arena in the cloud, however, the situation appears to be particularly challenging.

"Until about two years ago, we were talking about how to do identity management internally," said Gartner analyst Gregg Kreizman. "Now, it's about how do we get our arms around the SaaS [software-as-a-service] problem? Or we used to manage the but now they're in the cloud" ... so it's leading to a never-before-asked question, "How about if we have our identities there?"

This is the cloud relative to the on-premises systems of yore, Kreizman said, and with SaaS providers using different interfaces, there's now a growing "interface risk" of a wider attack surface, plus more people potentially with their hands on the data. Google "is not very upfront about their security practices," Kreizman said. "Salesforce is a little bit better."