Executives from IBM and Amazon sparred over the degree of security issues pertinent to cloud computing during a conference panel session at the ZendCon 2011 event in Santa Clara, Calif. Transitioning from a dedicated facilities to a shared environment in the cloud means developers must build proper security in their applications, said Mac Devine, IBM Distinguished Engineer. Developers cannot assume the public cloud provider will secure everything, he warned: "You can't depend on the fact that, 'OK, nobody can get behind my firewall.'"

"You need to be thinking differently. It's a shared environment," he said. Risk comes with the collaboration enabled by the cloud, Devine added.

But Jeff Barr, senior Web services evangelist at cloud provider Amazon Web Services, shot back, "I do agree that you need to worry about security, but you also have to realize that you do get effectively infrastructure that has a lot of [a security focus] already built into it." Instead, developers need to worry about application-level security, Barr said.

Security and availability are probably the top two priorities at Amazon, Barr asserted. Amazon has security certifications such as ISO 27001 and SAS 70, he said, adding that large-scale cloud providers can make expensive, long-term investments in security that others cannot. Devine noted a cloud infrastructure provider can offer regulatory compliance and operational security. In some cases, clouds have more security than on-premises systems, he said.