There’s a lot that a business can gain from swapping on-premise IT for a cloud solution. Moving data and applications out of an in-house server room and into the cloud can result in reduced costs, improved flexibility and scalability, and simpler remote access, to name just a few of the benefits.
However, one thing that frequently stands in the way of enterprise cloud adoption is confusion over security and compliance. Organisations often form muddled preconceptions about the respective strengths and weaknesses of public and private cloud services, and this stalls their efforts to drive the change their business needs.
In reality, the decision shouldn’t be so complex. Many modern cloud solutions are reasonably well-equipped when it comes to protecting users’ data, to the extent that some of them comply with demanding industry regulations such as PCI DSS. Organisations just need to understand what they’re looking for, know why this is important, and work out whether their data and applications can be stored across more than one location.
Here are some of the factors you should consider to determine whether a particular cloud solution meets your organisation’s IT security needs.
Where is the data stored?
A common concern among enterprises looking to use cloud solutions is the territory or jurisdiction in which their data will be stored and processed. This is called data residency or sovereignty, and it mainly applies to organisations with legal obligations to keep their records in certain countries – governments, for example, and entities that store personal information about EU residents.
With a hosted or on-premise private cloud, enterprises have control over where their records are stored. With a public cloud, it might be more difficult to get visibility into data residency, although some services – such as Microsoft Azure – do give organisations the opportunity to restrict their footprint to a particular geography.
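As an added illustration of the geographic restriction mentioned above (not code from the original article or from Microsoft), the following is an Azure Policy rule that denies the creation of resources outside a list of approved regions. It assumes the Azure Policy service and its standard definition format; the parameter name and the two example regions are chosen for this example.

```json
{
  "mode": "Indexed",
  "displayName": "Allowed locations (example, not a built-in definition)",
  "parameters": {
    "listOfAllowedLocations": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed locations",
        "description": "Regions in which resources may be deployed",
        "strongType": "location"
      },
      "defaultValue": [ "uksouth", "ukwest" ]
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "location",
          "notIn": "[parameters('listOfAllowedLocations')]"
        },
        {
          "field": "location",
          "notEquals": "global"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```

Assigned at subscription or management-group scope, a rule like this turns a residency requirement into a technical control: a deployment to any region not on the list is refused rather than discovered after the fact in an audit. Resources that are genuinely global (the "global" location) are exempted so that services without a regional footprint are not blocked.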
What technical controls are in place?
Regardless of the data you’re storing in the cloud, you’ll want peace of mind that the provider uses industry-standard – and up-to-date – technical controls to protect it. Moreover, if you’re required to comply with rules like PCI DSS or the Data Protection Act, some of these will be mandatory. Examples include encryption of data at rest and in transit, intrusion detection and prevention systems, monitoring and logging, and protection against distributed denial of service (DDoS) attacks.
Access controls are also a must, and if you’re implementing a hybrid environment, you’ll want to know that your authentication and authorisation rules can be synchronised across cloud solutions and on-premise IT.
Can you go hybrid?
A lot of the time, effective information security management in the cloud is about allocating different workloads to different services. After considering the above factors, for example, you might deem it most judicious to store your core customer database in a hosted or on-premise private cloud. Your email inboxes, however, might not require the same precautions, giving you the opportunity to locate them in a more cost-effective public cloud.
The important thing to think about when considering this model is whether it’ll complicate your existing security framework and cause you to lose a complete view of your IT environment. As such, you should scrutinise potential cloud solutions for their ability to integrate with your existing systems and technical controls, and ensure that your data always travels between them in a secure way.