More and more, cloud is everywhere in IT — and increasingly, throughout the business. Today, 72 percent of organizations have at least one application in the cloud or a portion of their computing infrastructure in the cloud, according to IDG’s Cloud Computing Survey 2015, while 56 percent of organizations are still identifying IT operations that can move to the cloud.

However, with the cloud come concerns: Two-thirds (67 percent) of survey respondents said security is a significant concern for moving to the cloud, while compliance, as data moves out-of-house, may be the cloud’s biggest security challenge. Will data uploaded to the cloud remain compliant with legal and regulatory obligations such as PCI, FISMA and HIPAA? Who owns what parts of security and compliance, and what provisions to satisfy those obligations will get put into the contract with the cloud provider?

In fact, these compliance issues can become a barrier that stops a CIO’s strategic cloud initiatives in their tracks, says Michael VanDenBerg, managing director, cyber services at KPMG. “Moving from on-premise IT and data centers to cloud services does mean giving up the posture of controlling all operational disciplines,” he points out. “It requires a mindset change that, for some, can be a blocker.”

Cloud compliance challenges tend to fall into three main categories:

Encryption and data protection. Organizations are concerned about the type of data that will be used in the cloud solution and how it will be encrypted and protected. For example, a company might have an established policy that says a certain type of data needs to be encrypted in transit. “You need to dig into what the real risks are,” says VanDenBerg. “Can they be satisfied through other means or do I need to wait for them (the cloud service provider) to offer encryption for this part?”

Data retention and recovery. Another issue, particularly regarding SaaS solutions, is identifying the method to get your data back if you want to switch to another cloud service. “We are seeing more and more of this with our clients,” says VanDenBerg. “There is a responsibility on both sides to address data retention and recovery.”

Identity and access management. Monitoring identity and access management is also a real concern for IT organizations, says KPMG director Kerri Murphy — that is, who is accessing the data and whether that access (such as timing) is appropriate. “This is a struggle for most of our clients, with so many products and security tools that tie into each cloud offering,” she says.

Comfort with cloud is growing

Still, technology organizations, particularly security organizations, are becoming more and more comfortable that the cloud is just the way business is now done. “It has taken time for organizational change and training, for the knowledge to permeate through,” says VanDenBerg, who adds that companies are also more comfortable because they realize they are putting their data and technology in the hands of a company “with a security staff 10-100 times the size of theirs.” In addition, the rise of cloud access security brokers, or CASB technologies, now allows organizations to set up controls and monitor across multiple cloud service providers. “It provides a level of visibility that didn’t exist two years ago,” he explains.

Finally, cloud service providers recognize that compliance is one of the top barriers that can prevent them from getting a deal done with clients, so they now offer flexible options that allow organizations to meet their high-priority compliance obligations. “Cloud service providers are offering almost all of the assurances customers want,” says Murphy. “They have put into their roadmap even more regulations and compliance frameworks that they will attest to in the future, whether you are in the federal government, oil/gas or banking — making efforts to comply with standards across the board.”

How to select the right cloud service partner:

1. Invest in their reputation. Select a partner who will consider compliance and security part of their core business five, 10 or 15 years from now, says VanDenBerg. “You are investing in the ability of the provider to come up with the right solution to stay on top of industry trends,” he explains. “And at the end of the day, you need to do business with someone you can trust to have your best interests in mind over the long haul.”

2. Look for operational and technical transparency. The cloud service provider should make it clear how they approach compliance and security at every level, as well as their ability to provide monitoring or add-on services if you are paying for them. “We all know nobody’s perfect in this space, but you can expect transparency in how they deal with risk and resolve risk,” says VanDenBerg. “It’s about how the provider deals with fundamental issues such as monitoring and technical architecture, as well as how they communicate back and forth with you on an ongoing basis.”

Take a holistic view of risk in the cloud

As companies increasingly deal with cloud compliance, IT organizations need to take a holistic view of risk, and of monitoring that risk, in the cloud — expanding on traditional vendor management programs and accounting for the risks of moving into the cloud. “We work with clients to develop a framework approach to this,” says VanDenBerg. “We set up monitoring controls and operational layers to make sure they understand what they’re responsible for regarding their data in the cloud and what the cloud service provider is responsible for. And, if the CSP is responsible, making sure it’s in the contract somewhere.”

The right contracts are key when it comes to cloud compliance, adds Murphy. “We see a lot of clients getting burned when they review their contracts and realize that it does not cover some issues such as transparency and data retention,” she says.

But the bottom line is that cloud compliance is a mindset change that both IT and the entire business need to understand, she emphasizes: “Cloud compliance can become a hot potato passed back and forth, so if you’re a CIO, the whole organization needs clarity.”

For more insights from KPMG on cloud adoption, compliance, and security, please see our recent thought leadership:

Five key cloud computing risks

As more enterprises conclude their cloud computing testing and assessment periods, they are looking to invest and shift towards implementation. This paper examines the rapid adoption and expansion of service offerings in the public and private cloud space as well as the risk cloud computing presents to enterprises.

Clouds on the horizon

CIOs have been tasked to plan and select Cloud Service Providers (CSP) in order to sort through the challenges and complexity of cloud adoption. To provide guidance with this, KPMG International has developed a CSP evaluation framework.