From the cryptographic side of things, one big topic these days is side channel attacks: attackers try to extract information on private values in a given system by observing side effects such as power consumption, precise timing... A synthetic view of such attacks is that there are two distinct "worlds":
- the "abstract world" in which a system receives inputs as sequences of 0 and 1, and outputs similar sequences;
- the "physical world" in which computation takes place within measurable constraints such as computation time.
Side-channel attacks are about exploiting the differences between these two worlds.
The cloud is an attempt at disbelieving this difference. With the cloud, you get virtual machines under the assumption that they are indistinguishable as physical ones, since they compute the same things. Indeed, a VM will respond with the same sequences of 0 and 1 for the same inputs, so in the abstract world, a VM is a perfect emulation of a physical machine. But if we take notice of physical details, some problems arise. In particular the two following:
For many cryptographic protocols, there is a need for randomness. Randomness is extracted from physical elements. With a VM, the "physical" elements are emulated. A consequence is that a PRNG within a VM may be of suboptimal quality.
Typically, consider what happens if you take a snapshot of a live VM, and (later on) restore that snapshot: it is quite possible that the VM's PRNG will output the exact same sequence of random values that it did the first time, which can lead to severe security issues. An extreme example is the generation of the "k" value in DSA and ECDSA signatures: reusing the same k for two signatures (on distinct messages) reveals the private key (see this answer).
A VM run on some hardware, and that hardware may host several VM simultaneously. These VM share the same resources, in particular caches. This allows for cross-VM cache timing attacks.
This has been recently demonstrated in lab conditions: the researchers managed to pull off a cache timing attack on some AES implementations, allowing a VM to guess an AES encryption key used in another VM which just happened to run on the same hardware.
Side-channel attacks on cryptographic algorithms do not exhaust the vast well of security issues related to cloud computing, but they are still a fertile investigation field, and are enough to warrant a cautionary warning: you really really do not want to see your VM run on the same hardware than the VM from your competitors.