At this week’s Amazon AWS 2013 summit, the message was received loud and clear that the cloud is heading for the enterprise in a big, big way. The transition is going to be disruptive one for sure, but as Chris Archinaco of Avere Systems told us on theCUBE this week, enterprise customers are rapidly beginning to appreciate that the benefits of doing so will outweigh the obstacles involved.

Even so, its clear that not everyone is willing to throw their eggs into the sky just yet. Security remains one of the biggest concerns for CIOs when thinking about cloud, and with good reason too – as our contributing editor John Casaretto pointed out a while back, AWS faces numerous steep challenges when it comes to protecting assets, with its core architecture and compliance among the biggest concerns. While it’s somewhat unclear how these issues will be overcome, some observers have pointed out that Amazon is being forced to respond to the needs of the enterprise customer. One example, according to Wikibon chief analyst Dave Vellante, is EC2 dedicated instances which, for a premium, will allow customers to avoid multi-tenancy. As well, Amazon has made numerous strides in the area of compliance.

This year’s summit was the perfect opportunity for AWS to address some of these issues, and while it is making clear progress the jury is still out as to whether or not Amazon can win over enterprise skeptics.  Discussing this topic at the summit was Trend Micro’s JD Sherry, who spoke of “a shared responsibility in security when it comes to the cloud”. Whilst acknowledging that AWS had done an excellent job of “baking security into their solutions”, he notes that customers still have to take responsibility when it comes to control of the operating system level. This latter point is a concern for customers as when they move to the cloud it may require many changes in security practices and processes– and we all know IT organizations don’t like to make drastic changes.

These sentiments were echoed by Misha Govshteyn, vice president of cloud security vendor Alert Logic, who told theCUBE that while vendors like Amazon were perfectly good at securing their own infrastructure, the responsibility for securing cloud instances lies with the customers themselves. This will almost certainly cause headaches, with Govshteyn acknowledging that the shift to cloud infrastructure will likely “turn security upside down”.

Why? Simply because, traditional security products will no longer work in a cloud-based infrastructure. “When traditional vendors try to put themselves in the cloud environment, it doesn’t quite work. You’re going to have to be rebuilt from the ground up,” warns Govshteyn.

This will likely create a big opportunity for security providers like Alert Logic, given that most traditional security toolkits just aren’t built for Amazon, leaving its cloud-enabled infrastructure products in a somewhat unique position.

Even so, companies like Alert Logic can do little to ease concerns over compliance, and this issue will cause hesitancy or confusion with many CIOs. Jason Mendenhall, EVP for Cloud at Switch Communications explained at last week’s Wikibon Peer Incite, one of the major issues that enterprises have is the complete loss of control over their data and applications when moving to some clouds. According to Mendenhall, they often have no say in where their data is located, and no clue as to whether or not moving to Amazon’s infrastructure will allow them to continue to meet regulatory requirements. In addition, in many cases, vendors like Amazon and others will co-locate data from multiple clients with a single system, a practice that may violate compliance edicts in certain industry segments.

But Amazon says it has an answer for these criticisms. At the AWS summit, Amazon’s Andy Jassy cited approximately a dozen certifications Amazon has received, including HIPAA, FISMA and ITAR. Further, an Amazon spokesperson told told us that that “customers have complete control of their data at all times…they own the data not us…they choose which location to store the data and it doesn’t move unless the customer decides to move it.” In addition, Amazon tells us that its customers can encrypt their data at rest and in motion.

Despite this progress, there are many questions around compliance that still need to be answered. For example, a major issue for customers is when they move to the cloud it will likely require them to completely re-assess how they approach compliance. While companies like Amazon are working hard on their side of the network, clients still have significant responsibilities and may have to change how approach compliance. But this doesn’t mean heavily-regulated industries should give up on the cloud just yet. Instead, for many industries the solution to regulatory issues could well lie in the type of cloud infrastructure they adopt. Metacloud, which describes itself as a private-cloud-as-a-service provider, seems to be one such solution. As opposed to standard public (perhaps risky) and private (perhaps expensive) clouds, its solution attempts to offer clients the ‘best of both worlds’, deploying OpenStack software over a customer’s existing hardware to deliver a production ready private cloud at a fraction of the cost that other vendors can do.

Metacloud is an interesting proposition, but nevertheless the issues of cloud security are going to remain ‘cloudy’ for some time to come. What this means is that vendors like AWS are unlikely to be able to gobble up the enterprise as fast as they might hope. Still, these may not be such a bad thing according to JD Sherry, who pointed out on theCUBE that a slow transition will only serve to benefit enterprise customers who typically don’t like knee-jerk reactions to trends anyway.

“We can get caught up in how quickly we can move, especially legacy businesses,” says Sherry. Rather than rushing into things, Sherry recommends a more cautious approach in which businesses first move their non-production assets, make sure they’re comfortable and secure, and only then start thinking about switching their most valuable assets.