During the recession, many companies put their technology expenditure on hold. Now that we have got past the worst of the recession, the private sector is evaluating how best to invest in technology. The traditional model has been to incur large capital expenditure upfront on servers and high end PCs and to depreciate it over a three year period. On top of that, you would need to buy and install software which you would need to update every couple of years.

But now there is "cloud computing". This is an umbrella term to define many things but in essence it involves computing delivered as a service on demand to a customer via the internet, or the "cloud". By outsourcing computing in this manner to cloud suppliers, a business is able to benefit from a flexible, scalable solution with potential for cost savings. Depending upon what you buy, the cloud provider will look after the hardware and software and you will pay for it as you need it.

When asked whether an organisation intended to adopt cloud computing for the first time in 2012, 35% of large organisations said they do (Source: Cloud Industry Forum "Cloud Adoption and Trends for 2012"). However, cloud has its own risks. Get it wrong and your business could be looking at some very serious financial – and regulatory – consequences. Perhaps not surprisingly, those same large organisations cited data security and data privacy as their main concerns about the adoption of cloud in their business.

There are three main areas to concentrate on: reliability, security and liability.

Reliability

All organisations need reliable technology as so much business is done electronically, via email, websites, electronic data flows etc. Therefore it is important to establish whether the cloud provider's service is reliable. Do their servers break down? What mirroring options do they have in place? What monitoring systems do they have in place? Customers should be prepared to carry out due diligence on the cloud companies and assess their performance. You should look at the company's past performance – does it have a good reputation?

Don't forget, simply sticking with an in-house IT infrastructure does not necessarily mean that your servers or network are more reliable. Cloud providers point out that their core business is to manage data centres and to keep data secure and that they're more effective at it than someone whose core business is something else.

However, while it's true that cloud providers will tend to have more robust and better managed infrastructures, the customer needs more reassurance than that. It's vital that all the fine details are built into the service. And the type of cloud provider is important here - one factor to bear in mind is larger providers offering the cheaper, standardised public cloud solutions are unlikely to make enough margin to entertain contract negotiations over reliability and liability. In that case, you should look for a bespoke, private cloud offering and maybe from a smaller reseller who could offer a more tailored experience.

Security

Financial institutions will have the FSA and FSMA to consider and all companies will have to consider the data protection legislation, particularly as this changes over the next few years. Offending organisations can be hit by big fines.

A financial institution is unlikely to be able to pass this liability onto the cloud provider – so it will be very concerned about the consequences of handing over information to a third party. It is very important for a company to ensure that its cloud provider is taking proper steps to protect data. Is it keeping it inside the UK or EU where there is adequate protection for data, rather than sending it over to the USA where a lot of cloud providers are based. If you have a call-centre in India, does this mean it is acceptable for your data to be stored there too?

Although a company as the customer is ultimately liable, there are steps that can be taken. You should specify in your contract where the data is held and who it can be released to. You should try to include an indemnity clause meaning that the cloud provider takes all possible precautions to avoid breaches and takes legal responsibility for any losses.

Liability

The third factor to look at is liability – what happens when things go wrong? Cloud providers will, of course, seek to exclude or restrict their liability. Again, you are more likely to be able to negotiate risk, liability and compensation in a higher value, more bespoke solution. Of course, if you lose your data, the liability provision may not be much use to you, particularly if your provider becomes insolvent, so it is advisable to do some research.

A cloud provider might offer some sort of protection in return for a higher fee. This approach could mean that the cloud company will offer a gold or platinum type service which is more robust with a higher-rated data centre with better monitoring facilities. Also, it is worth bearing in mind that not all cloud providers have their own data centres. If you sign up to a gold service with your provider but they buy a bronze-type service from the data centre, you may find you're not covered. Also, you need to consider what might happen if your reseller becomes insolvent or if they do not pay the data centre. One way of getting round this is by signing a pass-through contract where the reseller supplies service from a named supplier such as Amazon or Microsoft.

What Next?

There is no doubt that the market will improve and consolidate over the next few years. Customers need to evaluate their options and choose wisely. Here are our five top tips:

  1. Research the market and perform due diligence on your cloud service provider.
  2. Cloud can be more secure than traditional IT but you must factor in security right from the start. Do not leave it to last minute and do not leave the provider with sole responsibility.
  3. Accreditations and certifications take time, money and effort to obtain. You should ask if your cloud service provider has any. For example, have they certified under the Cloud Industry Forum's code of practice?
  4. Do not abandon key IT disciplines and engage with your provider on reliability, security and liability issues.
  5. Ask questions of your cloud service provider and make sure you get the answers.

Ultimately, cloud adoption is about appointing a partner not simply a supplier. If a cloud service provider is not engaged with you as the customer, then maybe you should shop around for one that is.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.