Well, it's 2016, and a few years ago Gartner reported that "By 2016, poor return on equity will drive more than 60 percent of banks worldwide to process the majority of their transactions in the cloud."

Enterprises across all sectors are either in the cloud, transitioning to the cloud, or thinking about making the idea of cloud a reality. For those who are preparing to make the move, there are a variety of concerns to consider and plan for in order to make for a smooth transition. In addition to deciding on the right cloud provider and whether to go with a private or a public cloud, CISOs also need to think about implementing solutions for controls on access, encryption, legal and compliance issues.

Russell Stern, CEO of Solarflare, said that many financial institutions are building private clouds because they buy so many computers that going to Amazon or Microsoft doesn't save them any money.

Of greater concern than cost, though, is putting client data out into a public cloud. "The security of that has not been solved. A lot of companies talk about hybrid cloud, and they can put the less sensitive data in the public cloud infrastructure," Stern said.

Whether they choose public or private clouds, the decision to move to a cloud must be centered around security. "We are being attacked so hard from nation states that the public cloud is not sufficient in security for the kind of protection these institutions need. With the public cloud, they are not exactly sure where it is," Stern said.

Many agree that the public cloud environment has too many unknowns, especially for those enterprises that have to worry about compliance issues.
For financial institutions, "The biggest concern is having a third party, which doesn't have to be an outsider, capture your transactions in a place that is separate from the environment running the application so that you can forensically look backwards," Stern said.

Another question that should be considered before making the idea of cloud a reality is whether the cloud is a better alternative to the current IT system infrastructure. If the answer is yes, the question to follow should be how organizations can integrate their current systems with the cloud.

For most legacy systems, cloud is a worse alternative, Stern said. "For modern applications, moving into cloud is easier. But there are companies that have five to 10,000 legacy applications that were written 20+ years ago."

Is your head in the clouds?

Five questions companies should ask a cloud service or hosting company.

- Will all of the applications run in the cloud, and if they will, do they need additional licensing to run them?
- What are the security benefits of moving to the cloud?
- Where is the data physically stored?
- Do we need an enterprise-wide encryption strategy?
- Will we be on our own instances, or will anyone else have access to our data?

In either a private or a public cloud, companies need applications to behave a certain way. Unfortunately, it's not always possible to move legacy applications. A workaround that will require change over a long period, said Stern, is to put what they can in a private or public cloud until they are able to examine which applications are worth rewriting.

Before making the move to the cloud, Alex Hamerstone, GRC practice lead at TrustedSec, said, "Settle on a definition of what the cloud is. It's really just someone else's computer. A computer that's not yours. You should know why you are moving to the cloud. What are the advantages?
Is it cost or that it is easier to maintain?"

While cost is often cited as a reason for making the move to the cloud, for larger enterprises the cost of protecting all of their users can actually increase.

Gunter Ollmann, CSO at Vectra Networks, said, "Instead of buying hardware and appliances with a three-to-five-year depreciation lifecycle, they are buying a service. They are now paying, typically, based around number of servers or users being protected. Their security spend can change drastically in Capex and Opex."

For example, if they want to firewall their organization today, they could buy a $15,000 firewall and deploy it. "They don't care about how many users they have in their environment. When you shift to cloud, firewall spend will be based on the number of users using the cloud. The number of users protected will change the cost considerably," Ollmann said.

Contracts are extremely important, and enterprises should understand the service-level agreement and be aware of any financial considerations if the provider fails to meet the SLA. "Someone once told me, it doesn't matter who's liable, it matters who is collectable," Hamerstone said.

Where is the data located?

Enterprises also should be asking exactly where--physically--their data is going to be located. "That can affect your regulatory requirements. It's definitely a red flag if the providers don't know. They should have assurance that it's in a certain facility or area," said Hamerstone.

More providers are able to give those assurances as data centers are being erected across the globe in different areas to provide cloud services because laws and regulations are complex. "EU countries don't want their data leaving the EU, so it is easier to set up a data center in the EU," said Hamerstone.

An established provider, said Hamerstone, has already addressed the security questions that worried security practitioners a few years ago.
"They will be able to tell you what types of security controls they have in place. Ask them if you are being hosted on your own instance so that you're not hosted in the same cloud as three other companies. That way, you can't access someone else's data and they can't access yours."

In terms of security controls, they should treat the cloud as they do the server down the hall, Hamerstone said. "If you have to encrypt in the server down the hall, it has to be encrypted in the cloud."

One glitch to look out for, though, is licensing agreements. "Software companies will often make more money off of fines for having stuff in the wrong place. If you are moving the application, make sure you are moving the license as well," Hamerstone said.

Organizations that are making the transition will also need the same classes of security technology that they have employed inside their own infrastructure. Whether it's IDS or data leakage, they now require virtual versions of those to be deployed there.

"They should ensure they still have the same technology and visibility of their traffic. Some will find they need to look at alternative vendors for their cloud security. Many traditional vendors do have some virtual appliances, but in general many of the newer security companies have focused on cloud and have much more mature security cloud-based products," Ollmann said.

Many enterprises still have reservations about moving to the cloud because they fear a loss of control in the virtual world. In reality, though, the cloud does exist in some physical space. This notion of no longer worrying about physical security is, according to Ollmann, a blind spot happening in cloud.

"They are still on a physical infrastructure and the physical infrastructure needs to be secured.
It's difficult to monitor the physical security of a cloud provider to detect vulnerabilities that are within the physical infrastructure," said Ollmann.

Enterprises should ask about security assurances in both the virtual and physical places where their data is stored to avoid the risks of these not-so-well-known blind spots.