But due diligence doesn't end with a comprehensive SLA. Nirav Mehta, RSA's director of corporate strategy for cloud computing, says you've still got to watch the vendor closely. "You may have a good SLA, but if the vendor's cloud goes down, what happens to business continuity?" Mehta sees a day when the best strategy might be to use multiple clouds for backup assurance.
4. Make security a priority.
To best understand your potential risk, as well as your benefits, you should bring your security team into the conversation at the earliest possible opportunity, says Forrester's Penn.
"That way, security and compliance issues are brought up in the right context," he says. "It's important that business executives understand the security issues and can weigh the levels of risk against the budget they'll provide to mitigate some of those risks."
Moving to the cloud may offer an opportunity to align security with corporate goals in a more permanent way by formalizing the risk-assessment function in a security committee. The committee can help assess risk and make budget proposals to fit your business strategy.
You should also pay attention to the security innovations coming from the numerous security services and vendor partnerships now growing up around the cloud. Dome9, an Amazon partner, solves a cloud-specific technical problem -- closing secure-shell (SSH) and other ports of your cloud-based servers when they're not in use, so an attacker who's already gained access to the cloud can't get in.
"In the enterprise, these tend to stay open by default," says Dave Meizlik, marketing VP for Dome9. "But in the cloud, you'd want them closed when you're not working, and you can't rely on calling the cloud provider every time you get off your server."
Cloud computing may pose some risks, but they'll likely diminish as security innovations catch up. Even today, according to Forrester's Penn, "The security issues with cloud services don't worry most enterprise security teams as much as other IT trends, such as smartphone or social media proliferation. Ultimately, the security issue will be a speed bump, not a show-stopper, for cloud adoption."
Jim Buchanan is a technology writer in Millis, MA. Contact him at firstname.lastname@example.org.