Phil, great piece. Well written in light of all of the public cloud bashing, and discussion on how you can't be 'secure' in a public cloud. IaaS is a particularly interesting example because of the shared responsibility, which ends at the hypervisor... How do you feel about making the statement that being COMPLIANT in a public IaaS cloud is "good enough" to be considered 'secure', based on your steps? I think you've provided more than just a checkbox outline for compliance, but rather a path to building a low-risk environment in a public shared IaaS - which is a fantastic thing. My one worry is, as I pointed out on Twitter, in the very first paragraph you make the distinction between production and dev/test environments ... and state that you're making the assumption that dev/test won't have CHD - unfortunately all too often we find that not to be the case even though policy forbids it. What do you suggest organizations do to go beyond "thou shalt not use CHD in dev/test" and actually try and enforce this? Many test systems require *real data* (or stuff that looks like real data) to adequately test - will something like DM (data masking) or TDM (test data management) systems work? Thanks, and great piece!
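One concrete way to back the "no CHD in dev/test" rule with a control, added here as an example and not taken from the commenter or the original post: scan a dev/test data export for Luhn-valid card-number-length digit runs, then replace each hit with a deterministic, Luhn-valid surrogate so test joins still line up. The sample rows, the HMAC key and the function names are constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed sample rows standing in for a dev/test database export.
# The card numbers are standard published test PANs, not real cardholder data.
SAMPLE_ROWS = [
    "order=1001 customer=alice card=4111111111111111 amount=12.50",
    "order=1002 customer=bob card=5500000000000004 amount=8.00",
    "order=1003 customer=carol ref=1234567890123456 amount=3.25",  # fails Luhn
    "order=1004 customer=dave note=no card on file",
]

CANDIDATE = re.compile(r"\b\d{13,19}\b")  # PAN-length digit runs


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(rows):
    """Return (row_index, pan) for every Luhn-valid PAN-length number found."""
    return [(i, m) for i, row in enumerate(rows)
            for m in CANDIDATE.findall(row) if luhn_ok(m)]


def surrogate_pan(pan: str, key: bytes) -> str:
    """Deterministic synthetic PAN: same input -> same output (keeps joins intact),
    same length, Luhn-valid, and not reversible without the HMAC key."""
    digest = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    body = str(int(digest, 16))[: len(pan) - 1]
    for check in "0123456789":  # exactly one check digit makes Luhn pass
        if luhn_ok(body + check):
            return body + check
    raise AssertionError("unreachable: some check digit always satisfies Luhn")


def mask_rows(rows, key: bytes):
    """Replace every detected PAN with its surrogate; return (masked_rows, findings)."""
    findings = find_pans(rows)
    masked = list(rows)
    for i, pan in findings:
        masked[i] = masked[i].replace(pan, surrogate_pan(pan, key))
    return masked, findings
```

Running the scan on a schedule against dev/test exports, and failing the refresh job when `find_pans` returns anything, turns the policy into a detectable control; the digit-run pattern will also flag non-card numbers, so Luhn is the filter, not the regex.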