According to an Ernst & Young Global Information Security Survey, 61% of respondents would be using or evaluating cloud services this year. This will be a mix of public, private and hybrid cloud environments.

However, 52% of organizations said they haven't implemented controls to mitigate data risk in the cloud. An informal poll of companies using cloud services by Sophos found that only a few of them had cloud security policies in place.

As more businesses outsource or shift parts of IT operations to third-party cloud providers, trust marks are emerging for data centers offering cloud services. "Worldwide, we'll see a number of trust marks," said Rob Forsyth, managing director for Asia Pacific at Sophos. "We have a very good one in the UK called the Cloud Industry Forum and a number of these out of the US. There are Verisign-type trust marks given out to data centers." 

Forsyth sits on an Australian senate committee, working on a trust mark for cloud computing aimed at protecting the consumer. "I'm chairing the subcommittee of the trust mark," he said. "We're trying to work out seven basic concepts that cloud providers will need to adhere to earn a trust mark. These include if I lose your data, I'll tell you about it, I won't sell your data to a third party, and if you leave my service, I will delete your data. These are really simple standards by which you understand what you're getting into and you would know that you're getting a minimum set of [service] standard."

In Singapore, the Infocomm Development Authority and the Infocomm Standards Committee have formed a Cloud Computing Standards Coordinating Task Force to develop best practices for virtualization and develop standards and guidelines to address cloud security concerns. Efforts include establishing relevant policies and regulatory frameworks to govern the use and provision of cloud services and certifying cloud service providers.

Even as trust marks for cloud services are being established, companies using such services need to ask their providers critical questions about where their data is stored, who has access to it and whether it's stored on shared servers. "You also need to assess cloud computing's impact on privacy; information security and data integrity; governance, risk management and assurance; and regulatory compliance," said Forsyth.

Another area of focus for cloud customers is to encrypt data wherever it flows, rather than just protecting the device or the network. Sophos, in its Security Threat Report 2012, urges businesses to always encrypt data before storing it in the cloud, select cloud services providers that are transparent about security measures, backup and failover, and include cloud services in their standard security processes, such as access control and other data protection techniques.

It pays for businesses not to neglect security basics like patching and password management. Keeping devices healthy by identifying missing patches in areas commonly targeted by cybercriminals will help significantly, Sophos officials said.

Keeping security capabilities from backsliding as businesses adopt new technologies will be critical as new malicious code and exploits continue to emerge and the volume of malware increases. "But more importantly and often disregarded, cybercriminals will continue to stalk the easiest prey - security basics like patching and password management will remain a significant challenge," said Forsyth.

Yet another important element for businesses would be backups. "Do your own backups and do your own encryption. No one has a greater vested interest in the data than the end user. The cloud provider is only doing a service."

Despite the security risks, small businesses moving to the cloud will typically get better security than it had before.  "For small businesses, managing their own security is expensive and sometimes fraught with danger," said Forsyth. "Generally, the security within a cloud application is better than it would be in a small business."

Cloud computing may be driven by many industry-standard technologies that have been around for a while but it has introduced ways of accessing applications and data that bring newer causes of data vulnerability.

"The way single implementations of data can be used multiple times by multiple people simultaneously from one database and the aggregation of that into big data are new," said Forsyth. "And as we continue to access information in different ways, from different devices in different locations, security tools must be able to 'protect everywhere' - from desktops to mobile and smart devices and the cloud."