I feel the need to write this only because I've had to address it no less than a half-dozen times recently, so one more time: "Is an application or service deployed to the public cloud secure, or not?" The answer is yes, and no.
It appears as though the "public cloud security" debate has turned into the same discussion we had back in the late '90s and early 2000s about "Is Windows secure?" The answer isn't simple. There are a lot of factors in play here.
My position is that any application or service that was built to be secured independently of the environment will do just as well (or better) in a public cloud as it did living in your private data center.
That being said, most organizations I've had the pleasure of sitting down with up till now are not there yet when it comes to security architecture and building security into the application or service.
Allow me to offer a much simpler analogy by asking a similar question: "Is your car secure against theft?"
Obviously, there are a significant number of factors involved. Most applications, if they were cars, would have the windows rolled down, the doors unlocked and the key "hidden away" in the arm rest or glove box. This is why we have to build big perimeter defenses around them: an electric fence, a fancy high-security building and armed guards patrolling the property.
The application that is designed like a locked vehicle, with the keys kept far enough away that the thief can't just reach in and drive off, will show a similar risk profile in a public parking lot you do not control as it would in your own garage.
Now, putting cars aside you have to ask yourself this question - "Have I architected this application or service to be secure and resilient to the level of risk that is inherent to it?" If the answer is no, then public cloud is not for you.
In fact, your own defenses will probably turn out to be expensive and inadequate as well when it comes to protecting that application or service; it's just that you'll have the illusion of control, whereas in the public cloud you simply don't.
Before you yell that I've over-simplified it, I'm aware there are things missing here, but overall I'll stand by the analogy, and I believe the end result is sound. If you build the application or service to be low-risk independent of your environmental controls (that is, you secure it at the architecture, code, access, and data levels), you shouldn't have to worry about where it lives.
Cross-posted from Following the White Rabbit