I often hear the discussion of security in the cloud limited to considerations of public, private or hybrid cloud options, when the focus should really be on the degree of security enforced and managed on a shared network. I suggest thinking of the cloud as a raw but resilient network infrastructure that has to be hardened to the degree required for a specific purpose and application, such as core systems. Critical information requires mission-critical security and no less. Anyone who is using less security than required is playing with fire and exposing the enterprise and its customers to unmitigated risks. Anyone who uses more security than required is prudent up to a point, beyond which the approach quickly becomes wasteful and burdensome.
When it comes to cloud security, my advice is to always use multiple layers of defense and more than one source of expertise. Always get a second and, if you can afford it, a third opinion on your physical and logical security design. You may have an impenetrable logical and application security architecture and design but allow your employees to walk away with a USB drive full of sensitive business information or private customer data. Or conversely, you may have a Tier-4 datacenter in an undisclosed location while your application security allows easy passwords or unlimited password challenges with hints! In either scenario, you are asking for trouble!
For more information, download the white paper Evaluating Core Systems in the Cloud, which is an excellent resource for those considering using the cloud for applications and services.