Part of the vendor evaluation should be exploring its infrastructure, which could be dedicated or shared among other customers, Silva says. If it's shared, what's the risk of other customers taking actions that could put your information or privacy in jeopardy? Companies using cloud services should evaluate the provider's risk profile on an ongoing basis, he says, not just at the outset.

Building strong security can also include into contracts with cloud-service providers and following up to make sure these requirements are being met. To thoroughly evaluate its external cloud vendor's security posture, Rawlings pored over documents to make sure the provider had the proper controls in place and was monitoring them.

Also see

Schumacher is relying on cloud-based security tools from Symplified to protect its data in the cloud, including its identity management and single-sign-on (SSO) applications. Symplified provides a centralized service that handles identity and access management, enforces security policies on all the cloud applications Schumacher uses, and audits usage for compliance reporting.

"The SSO approach leads to higher application adoption and fewer passwords being stored on sticky notes," Menefee says. "It would be impossible for our employees to remember unique credentials for all of the systems that we have licensed."