"You must be observant and think about data integrity before putting sensitive, mission-critical information in the cloud," said Lars-Göran Eklöf, CIO at construction company Lindab in Sweden.
"We only use cloud services on a limited basis, and the information stored in the cloud, including sales statistics, doesn't have a very high security classification," Eklöf said.
Criteria that CIOs can use to calculate appropriate levels of security include how critical the data is and which privacy and data security laws and regulations apply in their country and industry.
IRB Services, an Ontario, Canada-based company that conducts independent reviews of clinical research involving humans, chose a software-as-a-service product from Intralinks for secure collaboration on review files because Intralinks can house the data outside of the U.S.
IRB Services customers in Europe have for some time not wanted their data stored in the U.S., according to Simon Corman, the company's director of business operations. Before the NSA scandal, "we were just getting that question from compliance groups. Now we're getting it more from an operational level," he said.
IRB customers have always been concerned about the privacy of their data but the NSA controversy has "absolutely amplified the issue," Corman said.
It's also essential for companies to have clear, detailed guidelines for employee use of IT systems and handling of data. Companies should use stringent criteria for choosing their cloud computing vendors, examining their track record, security policies, data protection technology and service-level agreements.
In particular, CIOs should watch out for opportunistic and hyperbolic claims from vendors that say their technology can completely shield data from government snooping.
"Vendors have absolutely no ability to make those claims," IDC's Strawn said. "They can't execute on them. The NSA has a lot of power to do what they do. You can't do much about it."
If an agency like the NSA wants to monitor a particular system, it will, and if it can't, it will get a court order to get the access it needs.
Also, just because data, systems and applications are hosted on premises doesn't mean that government snoops can't get to them. In fact, it's likely harder for government spies to break into data centers run by Google, Microsoft, IBM, Salesforce.com and Amazon than to tap into the average enterprise network.
"I'm more comfortable with Microsoft's security for our email than with handling that internally," BCBG MaxAzria's Fuller said. "We're a fashion company, not a tech company. We need to focus our resources on producing great dresses people want to buy."
Still, the NSA scandal worries cloud computing vendors, as they sense concern from current and prospective customers. "It's not having a material impact. But it's certainly causing people to stop and then rethink decisions, and that is, I think, reflected in our results," said Rob Lloyd, Cisco Systems' president of development and sales, during the company's most recent quarterly earnings call.