Consider IP creation. It's less likely that new IP will be created in the course of a cloud computing deal than an outsourcing contract, but it happens. "Some customers hire a cloud provider to run a private cloud, where there might be the opportunity for the development of intellectual property," says Fisher of K&L Gates. "Another exception is if the customer needs the cloud provider to develop certain interfaces to access the cloud services." In such cases, the cloud buyer may want to retain ownership of the interfaces or prevent the cloud provider from reusing them for competitors. Geography becomes an issue as well. "If IP is going to be created in a cloud environment, the laws of the location where the IP sits should be checked to ensure that unexpected rights or hindrances don't arise," says Baker & McKenzie's Church.
Secure it yourself. Consider adding a layer of additional data security. "Unless their provider is willing to step up to stringent contract terms and service level agreements regarding data privacy, many enterprises will want to consider end-to-end encryption for any data that will reside in the cloud," says Slaby of HfS Research, "especially if it is subject to regulatory compliance concerns."
Prevent a lockout. Some standard cloud contract provisions make access to their data at the vendor's discretion if the deal is cancelled early. "Customers must always ensure that they can access their IP at any time and that, if the agreement terminates for some reason, they can get the IP out," says Hansen of Baker & McKenzie.
Revisit controls on a regular basis. "Buyers must keep their eyes open for potential new threats," says Slaby of HfS Research. "[For example], at some point virtualization attacks -- in which malware breaks out of one virtual machine to corrupt or steal data in an adjacent virtual machine -- will go from theoretical to real."
Be prepared to walk. If adequately protecting IP is too costly or hard to implement or track, back away. Always leave open the possibility that a cloud-based service might not be a good fit.
Stephanie Overby is regular contributor to CIO.com's IT Outsourcing section.
Read more about governance in CIO's Governance Drilldown.