Apr 2, 2011

Takeaway #5 from Cloud Connect 2011 - Security schmecurity?

Security remains an important issue for cloud adopters. But to what extent is security truly preventing them from adopting cloud-based services? Is it really that big of a deal?

Of course security is a real issue in IT; as a company doing business on the Internet, security is one of those things that, if you get it wrong, your business can be seriously hurt by the consequences. Security threats range in complexity but all have one thing in common: people are the main security threat, always have been, and always will be, through ignorance, accidental misconfiguration, or malicious behavior.

So why, then, is security in the cloud such a big deal? Governance. There is generally a lack of visibility into the security of cloud-based services, due to the nature of the contracts and the remedies offered, as well as the lack of regulation, whether by industry, government, or some combination of the two. In Canada, privacy law requires that the owner of private information (the organization(s) to whom the individual has provided the information) ensure that the information is held in confidence by whatever vendor/service provider makes legal use of that information. This means that the Government has mandated industry to regulate itself by making the organizations liable for any disclosure of that information, including disclosure by a third party such as a cloud services provider.

At its core, this is an issue of risk tolerance: how tolerant is an organization to risk? The answer to this question is not complete without considering the tolerance to the magnitude of the impact to the organization (say $ for argument's sake). Basically, the greater the risk and the greater the impact, the more reluctant organizations will be. This is the basis for a basic risk response matrix.
(There are obviously more complex risk tolerance matrices, but a basic one is sufficient for the purposes of this posting. Accept = make use of cloud-based services as is. Mitigate = take measures to offset risks, such as including remedies in contracts. Avoid = don't make use of cloud-based services.)

There are those, even some at Cloud Connect 2011, who claim that security is a non-issue. Unfortunately, most organizations are still worried about it and beg to differ. Countless polls prove this point. That said, this shouldn't be anything new to us. This very same argument/concern/issue has been dealt with before, at least twice: during the rise of e-commerce as we know it and again around the increase in outsourcing. Why is cloud any different? Let's figure out a way to secure our services, federate them, govern them, and then let's move on!

OK, so I oversimplified. The point is, there is too much discussion and not enough action. SaaS vendors have caught on. Their contracts address the issue of security. So, if customers want it, why aren't more vendors providing it, and why are yet others claiming that it's not a big deal?