“The reason it is so important for companies to understand their own security requirements before engaging with a cloud provider is that there are so many different areas involved to ensure safety and reliability,” noted Seth Robinson, Senior Director, Technology Analysis for CompTIA.

“Business continuity, data retention, data encryption, credentials, data integrity, regulatory compliance, identity and access management, and geographic locations are among the areas that should be subject to a security review before embarking on or expanding a cloud deployment”, Robinson added.

In CompTIA’s 2015 Study Trends in Information Security, between 40 percent and 60 percent of companies said they always review each of the areas listed above.

This security review also drove internal changes. Nearly half of companies said they changed company policy as a result of changing views on cloud security; while 41 percent of companies built additional security features into cloud-hosted applications.

When it comes to the cloud, it’s not enough to assume that the cloud provider is adequately securing data and applications. Understanding the cloud provider’s environment and policies is essential in securing the cloud services. Cloud users should regularly review and discuss with their cloud provider how they want to handle security, reliability, compliance, and legal issues related to their cloud services. Any gaps in the provider’s security coverage must be addressed before launching the service.

Another benefit of cloud computing is that it lowers the barrier of entry to technology and gives access to areas that have traditionally required the approval—or at a minimum, the cooperation—of the IT department. An end user can start working with a Software-as-a-Service application by visiting a website and providing user credentials and billing information with engaging the services or expertise of IT professionals. Thus, the concept of “rogue IT” or “shadow IT” was born.

This refers to the tendency of lines of business to use their own budgets to procure technology resources. Certainly the concept is no unique to the cloud. But the difference with cloud resources is that they are much more powerful and usable. This represents a high risk for companies. Business staff who use cloud solutions outside the purview of those responsible for the IT environment may not be considering where data is stored, what happens in case of an outrage or how the cloud tool is integrated into other business systems. With security already a major concern for companies, this is another area to be aware of so that data remains confidential and compliance to required standards is maintained.

“You have to look at where your data is actually being stored and who ultimately has access to it,” noted Ron Culler, Chief Technology Officer, Secure Designs, Inc. of Greensboro, N.C. “You can have a nice looking app that delivers great service, but it may sit somewhere that may not be secure. It could be distributed across multiple data centres across the world. And if you put it unencrypted, it sits there unencrypted. You have to have policies in place to deal with those situations.”

Finally, it’s important to remember that the burden does not rest solely on the lines of business. IT departments must examine their perceptions and policies to ensure that they are no overemphasizing their preferences at the expense of business outcomes.

Founded in 1982 and based in Gurgaon, India, CompTIA is a non-profit trade association that is dedicated to advancing industry growth through its educational programs, market research, networking events, professional certifications, and public policy advocacy.