Cloud service providers use load balancing to make sure servers are constantly available, which means a company's data could be anywhere in the world at any point in time, and the provider often has no obligation (or knowledge) to tell you where it is. Middleware applications are available for some cloud services that can encrypt data before it hits the cloud provider, and the provider has no access to the key. But it will likely slow the process and add costs, Overly says.
Determine your 'real' host
A third-party provider is often not the data transacting party, Navetta says. A startup SaaS provider, for instance, may actually be hosted on Amazon Web Services, he says. "You may be asking for them to have these obligations and getting all these rights in the contract - but who are you really going to be dealing with if there's a breach?" Navetta says. "You may decide you're not going to go with a provider unless the provider itself is controlling its own data and infrastructure and is able to fulfill the obligations in the contract."
Consider higher-security cloud services
For highly sensitive data, many enterprises are gravitating toward services with higher-security options. AWS GovCloud, for instance, allows US federal, state and local government agencies, along with contractors, educational institutions and other US customers to run sensitive workloads in the cloud by addressing their specific regulatory and compliance requirements.
But higher security cloud services can get pricey, Ray says - 50 percent to 200 percent higher than traditional cloud services, depending on the vendor, size of application and the amount of data.
Source: CSO US
Sign up for CIO Asia eNewsletters.