The strategy behind cloud computing is to meet computing service needs with a complement of external vendors, relieving or offloading some of the internal IT functions or resources at a possible cost saving for the customer.
Before jumping onto a cloud, you might want to get the legal team, or hire a lawyer, to help parse the Service Level Agreements (SLAs) and other contracts that bind the vendor to a responsibility for the company's or individual's interests, assets and IT functions. That way you understand where the buck will stop, so that nothing falls through the cracks in a security worst-case scenario.
I have been looking for what I consider the proper wording for contractual language that basically says, on the cloud provider's part, "Yes, we build and maintain the system and take full responsibility for the security of your business interests."
That could be worded a million different ways in legalese, but the more likely verbiage is about uptime and setting expectations for the quality of the services provided, rather than an offer to shoulder the burden of security.
Go straight to the disclaimers and the fine print that absolve the provider of responsibility for the basic model of confidentiality, integrity and availability of data and services.
Consider what I imagine to be the largest services by volume sourced from the cloud: email and data storage. Both can expose customers considerably when used as a platform for sensitive business data, or even when offered as Infrastructure as a Service (IaaS).
Threats can arise from a provider's failure to design and implement security. Whether intentional or not, a lack of oversight or negligence in this area can lead to disputes over the difference between control and accountability.
There may be different agreements for private and business customers, or differences between what is publicly stated and what is privately agreed upon, but make sure the view from the Cloud is not a hazy one before you leap.