Efforts of the CSA and other alliances, plus those of industry groups and government agencies, are bound to produce a wealth of standards in the next several years. The CSA has formal alliances with ISO, ITU and NIST, so that its developments can be used by those groups as contributions to standards they're working on. And a 2010 Forrester Research report counted 48 industry groups working on security-related standards in late 2010.
3. Take care with the SLA.
Regardless of your company's size or status, don't assume your cloud vendor's standard terms and conditions will fit your requirements. Start your due diligence by examining the vendor's contract.
That's the advice of Michael Larner, an attorney with Hogan Lovells, an international law firm with experience in cloud compliance and security issues. Larner, who often helps clients negotiate service level agreements, says to start with your own risk-benefit analysis to see if the vendor's standard contract is sufficient for your compliance needs. If not, determine what you need to negotiate to increase your comfort level.
Your company's size can give you leverage to negotiate, but a smaller business can find leverage, too, if it represents a new industry for a cloud vendor that wants to expand its market. In any case, don't be afraid to negotiate.
"With too many companies, there's an assumption that if you're dealing with a large vendor, the vendor won't negotiate. In fact, you might find that the vendor is willing to make some exceptions to raise your comfort level," Larner says.
If you're new to the cloud, you may find that starting out on a pilot basis, or with non-critical data, is a good way to build confidence, he says.
But due diligence doesn't end with a comprehensive SLA. Nirav Mehta, RSA's director of corporate strategy for cloud computing, says you've still got to watch the vendor closely. "You may have a good SLA, but if the vendor's cloud goes down, what happens to business continuity?" Mehta sees a day when the best strategy might be to use multiple clouds for backup assurance.
4. Make security a priority.
To best understand your potential risk, as well as your benefits, you should bring your security team into the conversation at the earliest possible opportunity, says Forrester's Penn.
"That way, security and compliance issues are brought up in the right context," he says. "It's important that business executives understand the security issues and can weigh the levels of risk against the budget they'll provide to mitigate some of those risks."