What's interesting is that there is a whole ecosystem of companies like CipherCloud that do the minimum required to provide solutions for those interested in "compliance," not "security."
My sense has been that their customers are predominately those bound by things like HIPAA or PCI, who want to use cloud services, but can't do it with a straight face unless they can say they're "encrypting" their data.
What their customers want isn't security; it's the minimum required that will allow them to use salesforce.com. Incriminating details on StackExchange aren't a problem because their customers don't already know CipherCloud is insecure; they're a problem because it would make it harder for customers to say they're in compliance with a straight face.
It can be both. There are going to be companies that are serious about actually protecting their customers (but don't have the technical know-how to be an informed customer), and there are companies that see these laws/rules (PCI, HIPAA) as hindrances to cast aside with the least possible effort.
On some level, the fact that compliance regulations exist is an indication that security is not a priority for many of the entities that they apply to.
Certainly snake-oil is a problem, but I think this particular area is one where buyers are most concerned about being able to effectively claim that they made what seemed like reasonable efforts.