Roughly half of the group members for this discussion said they relied heavily on cloud-based infrastructures for their businesses. Others said they had dabbled more into using cloud services in recent years while a few held strong to the use of more traditional storage means. The question of how to protect data once it is out in the cloud and what sorts of controls are needed in order accomplish this also arose. Approaching legal departments from a contract perspective when leveraging a third party cloud provider still proves to be a tricky process for many security professionals. How do you ensure the language in the contract meets all of you organization’s needs? How do you make sure there is some degree responsibility on both sides if data should ever happen to be exposed? These questions soon brought on further conundrums like “What happens when you’ve partnered with someone and an incident occurs that results in data being exposed?” In that scenario, do you cut ties with that provider or do you continue working with them but help improve their stance on data protection and information sharing? Matters continue to get trickier when things like the EU Privacy Act and other countries’ requirements for how to handle and exchange data as it crosses international borders also come into play.