The rights to any data given to the cloud vendor must be limited. Some minimum level of access is likely necessary so the vendor can operate the cloud service, but beyond that, risks increase. Services that allow the vendor access to a consumer's data for the vendor's own purposes -- such as targeted advertisements are notmay not be appropriate for applications involving sensitive data.

The same technological controls used on internal networks should also be used in the cloud, including encryption and access control. But remember, security is more complicated in the cloud than it is with internal networks, which generally only have to defend against outsiders to the network. A cloud service must secure data from outsiders of the service as well as other users of the service and the service provider itself.

4. Will the contemplated ?

A threshold question before placing data onto a cloud service is whether the service complies with any processing, retention or transfer restrictions, such as those imposed by the European Data Protection Directive, which may be applicable to the to-be-transferred data. (See related .)

What's more, the operation of the cloud service could unintentionally entangle data not already subject to processing restrictions if the data flows through countries adopting such rules. The vendor should be prepared to identify where data on its service will reside, and contractual restrictions can be contemplated that would prevent the service from moving data in any undesirable manner.