According to Michael Park, a technology partner in the firm's Australian practice; 'Where a company puts any elements of its business into the cloud it must ensure that due diligence has been undertaken on the suppliers' staff given that they may have access to data about the company and its clients.'
But the firm's research found that two thirds of companies weren't conducting that level of detailed due diligence of a supplier's staff, and also found that some suppliers actively discouraged the practice. In fact 35 per cent of customers conduct no due diligence on a supplier's personnel whatsoever.
As the Norton Rose report notes; 'We were surprised at these results. A project manager who has misrepresented his qualifications might fatally damage a project. In light of the prevailing economic climate and the fallout from rogue employees at Satyam and EDS, we think that customers should review their processes to ensure they are properly protected.'
The report made clear the potential risks of failing to properly protect data - especially for financial institutions using outsourcers of cloud providers.
'It is not just data privacy regulators who can impose fines on financial institutions, financial regulators can too. For example, the UK FSA imposed a £2.75 million fine on Zurich Insurance plc when its captive outsourcer in South Africa lost customer data.'
In Australia meanwhile APRA has made clear to financial institutions that it expects them to conduct the same level of due diligence on cloud suppliers as they are required to perform before outsourcing or offshoring IT work.
This may go some way to explaining why Norton Rose's report found that despite all the brouhaha about cloud, only 25 per cent of financial sector organisations currently use cloud computing.
Peter Redshaw, the managing vice president of research banking and investment services at Gartner confirmed this general reticence to the cloud from financial organisations. He however said that it was data sovereignty that was the big barrier for banks, with many of them being bound by regulation or legislation to keep at least some of their data onshore rather than in a cloud hosted on international data centres.
Banks were also keen to be convinced of clouds' security, resilience and approach to encryption he said.
Mr Redshaw said that he was surprised by the lack of banking specific cloud services that were yet being crafted by the industry. However he forecast that in the future a new class of supplier - a cloud services brokerage - might emerge to bundle up specific cloud based banking services for the financial sector.
These he said might operate in much the same way as an ISP offers internet access. He said telcos and systems integrators were the most likely candidates to become cloud service brokers.
Mr Redshaw said that when Gartner asked financial sector CIOs about their cloud intentions at the end of 2010 only 7 per cent had any sort of infrastructure in the cloud, and 5 per cent were using Software as a service. Mr Redshaw however expected that to shift significantly over the coming four years.
By the end of 2015 Gartner's forecast has 43 per cent of financial institutions expecting to use infrastructure as a service, and 38 per cent planning to use some SaaS.