The group started by sharing the different kinds of cloud models they use in their organizations. Hybrid models seemed to the most commonly used. The group focused on four areas as they relate to cloud data and dealing with cloud vendors. The first thing that everyone agreed is that as purchasers of cloud services, there is a lack of insight into cloud security controls. What many cloud vendors want their potential customers to do is to drop their data into their system, but it’s not always made clear who is liable if something happens to that data. The security for a cloud vendor needs to be in line with how you as an organization align your security. Second, the group discussed identity and access management. When members of the organization are given access to and provisioned sections of cloud storage, how well are organizations following up to make sure that access is altered or taken away if an employee leaves the company? How are they being audited, where has that data been accessed from, what’s the process for closing it down? Next, the group discussed the nature of contracts with cloud vendors. Members of the medical field noted that things like HIPPA compliant controls don’t always mesh well with vendor security contracts. Being compliant to regulations does not mean being secure. Finally, the group looked at the importance of data classification policies. If an organization does not have one, it is an absolute must they develop one as soon as possible. Not all data needs an equal amount of protection and monitoring, so it’s important that critical intel is identified to ensure more defensive measures are in place for keeping it secure over less valuable data.