Yet as Craig questions, are such reservations based on a trust issue, or reasonable analyst of actual security capabilities?
Research suggests that to date, there have been very few security breaches in the Public Cloud with most attacks continuing to involve on premise data centre environments.
While the attacks on Apple’s iCloud website in 2014 made the headlines across the world - playing into the narrative of cloud being an unhinged platform - Craig says businesses are now realising that security sitting outside of the IT department should be considered an unacceptable or unmanageable risk.
“I spend about 60 percent of my time working with customers from both the public and private sectors helping to unpack the misconceptions around cloud,” he adds.
For Craig, it’s a process that involves many lines of questioning; “What should businesses be thinking about? What are the nature of the risks? What are the security and privacy considerations?”
But perhaps crucially, Craig believes it’s important that businesses understand the risks they are currently exposed, before jumping to the wrong cloud conclusions.
“It’s wrong to assume that the current situation is one where risk is properly understood and properly mitigated,” he warns.
Yet despite vendor assurances, organisations remain bound by news that cybercrime is a constantly evolving and ever-increasing challenge for business today, costing upwards of $450 billion per year, impacting 12 people online per second.
Despite being several years into the cloud computing paradigm shift, the market continues to be suffocated by an air of agitation and anxiety - endorsed by a rising tide of information security investment, with spending forecast to reach $75.4 billion in 2015, an increase of 4.7 percent over 2014.
“There’s a range of cloud providers and a range different services available in the market but it goes back maturity,” adds Clarke, who believes the “glaring issues” of the cloud are no longer relevant in 2016. “Due diligence is always required but companies are not moving from nirvana, and neither are they moving towards it.
“Businesses must be realistic about the security risks they accept on a day-to-day basis today, and what they will accept on a day-to-day basis tomorrow.”
Echoing Clarke’s comments, Craig believes IT managers must display a “conscious understanding” regarding what their business is leaving behind when moving to the cloud, and subsequently, where they are heading to.
“How do these risks substitute for one another? And how can this risk be effectively mitigated?”
Throughout boardrooms and IT departments in New Zealand, security and privacy are often mentioned in the same breath.
“Moving to the cloud boils down to trust, control and transparency"
For Craig however - in assessing the cloud landscape in New Zealand - privacy is moving up the command chain, playing a pivotal role in the decision making processes of organisations contemplating the cloud.
But as Craig observes, irrespective of the herculean efforts cloud providers make to secure environments and provide privacy assurances, will companies ever be willing to trust?
“It boils down to control,” he claims. “If you’re a business and you’re shifting your entire workload to the cloud, that’s wonderful but you think you’re losing control. Then the conversation progress to no, you’re actually not losing control.
“Rather, you’re gaining much greater control through what the service provider puts into your hands and the commitments they make in terms of what they will and won’t do, and what rights you have as a customer.”
Often regarded as the elephant in the room of IT departments, it’s a common misconception that by moving to the skies, businesses are relinquishing all data control.
Alternatively, as Clarke queries, is the loss of cloud control a valid fear?
“When it comes to the operating model, you get efficiencies by turning things off,” he claims. “It’s very difficult in most organisations to put compute power into the data centre but it’s very easy to turn on more compute power in a cloud environment.
“The tools are available to maintain this control but what are raw processes you’re going to now put in place that were different to before?
“How are you going to measure what’s running on a regular basis to provide the flexibility to turn things off and make cost savings?”
In this post-Snowden era, most analysts subscribe to the notion that cloud, and all it encompasses, is not inherently less secure than legacy infrastructure.
Yet by delving deeper, Craig suggests that the most justified concern is not of privacy, or security, but one of trust.
“It’s about the cloud provider saying this is how we approach privacy, this is how we approach security and this is how we approach law enforcement requests for data access globally,” he adds.
“Here’s everything we can possibly tell you about how we operate without breaking the integrity of the cloud. And that’s essentially saying, trust us.”
Building trust in the cloud isn’t an overnight, flick of a switch action because anytime an organisation turns to outsourcing, there’s a transference of trust from an internal to external environment.
It’s a valid concern for IT managers, with Craig saying that Microsoft’s view is that trust needs to be earned and supported by its customers understanding what control they have in the cloud.
"As well as providing customers with control through our contracts, that control results from us being transparent about everything we do around security, how we enable privacy protection, what we do and do not do with their data and how we comply with international standards and government and industry regulatory requirements," he adds.
"Essentially It’s about being transparent with your customers about who you are, what you do and how you do it. From our perspective, moving to the cloud boils down to trust, control and transparency.”
Check back for the second part of this Computerworld Question Time - The Future of Public Cloud discussion on Monday March 7, as the focus turns to creating a valuable checklist for businesses moving to the Public Cloud.