Fahim Siddiqui, chief product officer of IntraLinks, said it's all about building trust.
"First and foremost, it starts with trust," he said. "There has to be a view that this is a trusted place to go work when you are virtually working within the context of an application. Trust is built through a combination of not just technology, but also application security, not just that but also people and process security. When you combine that, there's a certain posture you have, that this service is a place that I can trust with my information, and my information is protected in terms of visibility, access and auditability."
"The choice of a cloud is not very different than the choice of an ERP application," Siddiqui added. "It's an enterprise architecture choice. What you have to really understand first and foremost is what are your points of extension? Why do you need the cloud? Do you need it for compute resources at the infrastructure level? Do you need it for certain specific resources, like storage? Or do you trust it for certain business-critical transactions which are out in the wild anyway, but today maybe they're being conducted on FedEx and e-mail, or in some cases people carrying physical copies outside your four walls. In each of those instances, you have to construct what are the appropriate weak points and what are the security ins and outs?"
Goodman agreed, adding, "The real point is that when we talk to vendors about security, you know if they're serious about it. You do all the things you're supposed to do, you audit, but at the end of the day you can tell whether a company thinks security is a critically important thing or not."
Sign up for CIO Asia eNewsletters.