The technological and commercial benefits associated with adoption of the cloud computing model can be substantial.
And, as real-world adoption of cloud services ramps up, it is becoming increasingly understood that accessing infrastructure and services from a cloud environment can allow organisations to save money, while simultaneously freeing resources to focus on core business activities.
However, there is little doubt that security concerns have been – and remain – major barriers to the more widespread and rapid adoption of the cloud.
And it is only natural and proper that business decision makers should be asking some hard questions about these potential security issues and the implications for their own risk and operational decisions.
Concerns have revolved around confidentiality, data protection, regulation on the handling of data and internal data security compliance restrictions.
However, it is being increasingly recognised that – radical though the shift to cloud computing is – existing security models and procedures remain applicable.
And organisations are waking up to the fact that security can, in fact, be improved by the high levels of physical and data security offered by professional cloud service providers.
In this context it is relevant to consider the outsourcing model, which is now well developed. When it comes to transfer of specific applications, services or projects to third-party partners, the process of determining whether to transfer risk has become a standard business practice.
In terms of due diligence for such transfers, the market is relatively mature: standard contractual terms and conditions exist, and mechanisms to verify security claims of an outsourcing provider are increasingly part of routine business practices.
And as cloud computing itself becomes a routine business practice, these existing due diligence procedures are expanding to encompass the cloud paradigm.
Organisations are now extending to cloud computing the rigour of scrutiny they apply to outsourcing, conducting risk assessments of cloud providers and ensuring that their cloud provider adopts the best principles of secure data centre management.
The choice of a cloud provider is obviously critical, so it is reassuring for private companies and public sector organisations that security accreditations for data centres apply to cloud providers too: ISO is applicable in the UK, in addition to List X for public sector organisations.
And it is significant that, for the vast majority of companies and organisations, the level of physical and data security that can be achieved by an established and trusted cloud partner will inevitably exceed any measures that they would be able to achieve in-house.
Conor Callanan, CEO of Microsoft Cloud Accelerate Partner Core, explained: "You have to look at the whole picture. It is not just data or physical security, but the whole gamut of security.
"When it comes to creating a secure infrastructure, a cloud partner such as Microsoft has the size, expertise and resources that no midsize or small/medium-sized company would ever be able to come close to, let alone match."
As companies increasingly trust cloud providers to deliver mission-critical services and host potentially sensitive data, it is essential that safeguards are put in place to ensure that platform services and hosted applications remain secure and available.
Business decision makers must address the potential security challenges associated with the move to dynamic hosting environments that the adoption of cloud services is driving.
This latest wave of change has already begun with the rapid move to virtualisation and growing adoption of a Software-plus-Services strategy, which combines the power and capabilities of computers, mobile devices, online services, and enterprise software.
And it is important to remember that cloud platforms enable custom applications to be developed by third-party software engineering companies and hosted in the cloud. These applications must be architected appropriately to operate securely in the cloud by factoring in issues such as data residency.