There\u2019s no easy path to the cloud for large companies with decades of legacy IT investments.\n\n\nRoughly 20 percent of Progressive Insurance\u2019s business applications run in a SaaS model, while 80 percent run on the company\u2019s own hardware. On the infrastructure side, Progressive uses IaaS, but mainly for experimentation.\n\n\nIt would be \u201ca whole new ballgame\u201d if Progressive were some medium-sized business that didn\u2019t have an extensive data center footprint, says CIO Ray Voelker, but \u201cwe already have assets we own that we can leverage.\u201d\n\n\nChris Drumgoole, chief operating officer for cloud at General Electric, says legacy is \u201cwhere it\u2019s more interesting for us; we need to be more thoughtful there.\u201d Most new apps -- over 90 percent of those deployed so far this year -- have been in the cloud. \u201cThat\u2019s the de facto place to deploy apps for us,\u201d he says.\n\n\n[Related: How to Explain the Cloud to End Users ]\n\n\nBut for a substantial number of the 9,000 apps GE has in its infrastructure, a decision will need to be made about whether to move the app, kill it, consolidate multiple apps or allow the software to stay on some sort of legacy system. \u201cWe\u2019re hoping by 2016 to have made all those decisions and started action\u201d on whatever the decisions are, Drumgoole says.\n\n\nThe burden of legacy systems is just one challenge that adds to the complexity of cloud computing for large enterprises. CIOs and cloud leaders wrestle with many other common challenges, including security, vendor lock-in, and shadow IT.\n\n\nDow Chemical knows firsthand that it can be difficult to change cloud providers. The company is in the process of moving to a new human capital management provider, says David Day, director of WorkPlace Services at Dow.\n\n\nBut switching clouds isn\u2019t as easy as vendors lead people to believe. \u201cProviders don\u2019t talk to each other. It\u2019s complicated,\u201d Day says. The market needs better \u201corchestration tools,\u201d as well as standards, to allow companies to move more easily from one supplier to another, he says.\n\n\nThat said, it is generally less expensive to switch providers in the cloud than it is to change on-premises vendors, Land O\u2019Lakes has found. \u201cThere is a cost,\u201d says Mike Macrie, CIO. \u201cBut where it can cost $10 million to change on-premises ERP, it costs $2 million in the cloud. The barrier has come down.\u201d\n\n\nLock-in is always an issue, says GE\u2019s Drumgoole. \u201cWe\u2019re cognizant of the potential for lock-in\u201d and are trying to mitigate that. For one thing, there are multiple cloud providers in each category of service GE deploys.\n\n\n[Related: The Truth About Enterprises and the Public Cloud ]\n\n\nThe company has also developed a service rail, which provides a raft of services needed by just about every application -- from identity management to Domain Name Services and time and date. \u201cYou can use that GE service the same way whether you\u2019re on an Amazon, Azure on VMware cloud,\u201d Drumgoole says.\n\n\nSecurity remains a universal concern \u2013 though some CIOs are more bullish about cloud providers\u2019 handling of it.\n\n\n\u201cSecurity is one of the more complex problems to solve. To really put together an effective solution, you need to cobble together 5-6 solutions,\u201d says Randy Spratt, CIO and CTO at McKesson.\n\n\nMcKesson relies on a suite of tools, from antivirus and malware to secure web gateways. One of its more unique features is for data loss prevention: McKesson inspects data in motion, looking for transactions or records that contain protected health information, such as procedure codes and social security numbers. It halts any transaction that triggers a red flag, Spratt says.\n\n\nLikewise, Humana relies on multiple tools and tactics to protect individuals' information. Before engaging with a cloud-services vendor, Humana assesses the provider\u2019s security framework \u2013 what tools they use, the general approach to security, how encryption is handled, the ability to ensure information never leaves the continental U.S., and a whole host of other things, says Brian LeClaire, CIO at the health insurance provider.\n\n\nOn the positive side, cloud providers understand that legal and security issues are some of their biggest obstacles, so they\u2019ve really concentrated on addressing those issues over the last several years, says Wayne Shurts, CTO at food distributor Sysco. \u201cThey have pretty good answers.\u201d\n\n\n[Related: Is It Time to Move Your Databases to the Cloud? ]\n\n\nAlthough some skeptics worry about security and risk in the cloud, Whirlpool CIO Michael Heim says those issues are improved by cloud computing because the vendors stay up to date on the latest technology. He points out that the infamous breach at retailer Target was a problem of internal systems, on premise. Security problems arise from \u201chow you\u2019re managing, not where it is,\u201d Heim says.\n\n\nWhirlpool today is much less conservative about using the cloud that it used to be. Amazon and Google have come a long way toward being enterprise-friendly, and corporate legal teams have come a long way in their understanding of cloud, Heim says. IT\u2019s role is to communicate and demonstrate how the cloud meets business requirements. \u201cPeople worry about risk and security \u2013 [but] you improve security and de-risk your environment with cloud. I also believe you improve your ability to compete,\u201d Heim says.\n\n\n\u201cThe big challenge is that it\u2019s just different. You have people thinking in old models, not new ones.\u201d\n\n\nAnother challenge that IT teams seem to be getting a handle on is end users purchasing unauthorized cloud services.\n\n\nShadow IT is less challenging than it was a few years ago, when cloud vendors would pitch that customers could be up and running without involving IT, says Steve Phillips, CIO at Avnet. Today Avnet\u2019s IT group is more in step with the business. When business units want new tech, they will talk to IT first, Phillips says. \u201cWe rely on quality of relationships as governance.\u201d\n\n\nAvnet has found ways to relinquish some control without sacrificing security. If a cloud solution is easy to use and configure, Avnet will turn that over to a business group. Workday, for instance, is a clearly controlled environment, but HR primarily manages it, Phillips says. \u201cWe don't need to be in the middle of that, if the tool is intuitive enough and secure enough.\u201d\n\n\nStill, rogue cloud purchases remain a concern. "Shadow IT these days is only a credit card swipe away," Phillips says.\n\n\nOne way Progressive Insurance has helped manage the issue of shadow IT and give its employees access to public cloud resources is through a program called BIG, which stands for the \u201cBusiness Innovation Garage.\u201d It\u2019s a software application that acts as a portal for members of the Progressive team to request services.\n\n\nIf the request involves using sensitive customer or mission critical data, then usually those resources will be provided from the company\u2019s own data center. If it is a non-sensitive issue, then the software can help users provision resources in a public cloud setting. There are a couple of \u201cmechanics\u201d who help users navigate and provision resources in the Garage, says Progressive Insurance CIO Ray Voelker.\n\n\nVoelker raises another concern: the \u201ctransfer of brand risk.\u201d If Progressive were to suffer an outage because of a service provider, then Progressive would bear the brunt of the blame for the outage, even if it were the service provider\u2019s fault. Voelker cites the example of a Netflix outage on Christmas Eve in 2012. It was an Amazon Cloud outage, but disgruntled viewers blamed Netflix. \u201cIn that scenario, I\u2019m Netflix,\u201d Voelker says.\n\n\nSimilarly, SAIC raises the issues of cloud providers\u2019 lack of shared liability. "If there's a $4 billion bid, and it's not available at the one moment I need to bid, that's a problem," says Charles Onstott, CTO at the systems integrator and technology services provider. A vendor's $3 credit for downtime won't make up for the loss, Onstott says.\n\n\nFor Campbell Soup, one of the biggest challenges of cloud is limited choice. Customization can detract from the appeal of cloud, since it necessitates developing and maintaining custom code. If you want choice, you\u2019re creating complexity that doesn\u2019t add value, warns Joe Spagnoletti, CIO at Campbell\u2019s.\n\n\nRelated to that issue, some CIOs question the enterprise-readiness of certain cloud offerings.\n\n\n[Related: Cloud Wars Heating Up in 2014 ]\n\n\nNationwide CIO Greg Moran is surprised how immature some first-generation cloud solutions are when they\u2019re launched into major enterprises. \u201cWe're finding solutions aren't as mature as we're used to,\u201d Moran says.\n\n\n\u201cI'm surprised at how flat-footed traditional large scale IT vendors have been on the topic,\u201d Moran adds. Oracle, HP, IBM, Microsoft, \u201cpick your company,\u201d he says. There are a lot of solutions from small, innovative companies, but Nationwide isn\u2019t keen on working with dozens of smaller players. \u201cIt's just not really practical for us to have 50 relationships; we need deep partnerships with quality partners.\u201d\n\n\nSAIC, too, is aware of the shortcomings of some cloud services, but it\u2019s not stopping the services company from diving into the cloud.\n\n\n\u201cNone of the apps are all the way there, certainly not for a $4 billion company,\u201d says Bob Fecteau, CIO at SAIC. For example, he knows ServiceNow, a cloud-based IT service management platform, may be taxed as SAIC puts it in more employers\u2019 hands (via its commercial cloud line of business). But for SAIC, working with the vendor is an opportunity to guide that investment into a better future, Fecteau says. \u201cCloud still needs to evolve.\u201d\n\n\nIn the mean time, enterprises can wait and, ideally, remain in a position to influence the cloud providers\u2019 R&D lifecycles, Fecteau says.