Anybody looking to strike up a heated debate among technologists need only ask, "Is the cloud private?" There is an old adage that, if you have to ask, the answer is "no." However, one can expect all kinds of responses to that simple question, from the technically savvy to the academic to the emotional. The simple answer: yes and no.
The cloud privacy debate hinges in part on the question of whether data is more private when it is stored locally or encrypted remotely. One could argue that, when an enterprise turns over its computing resources to a service provider, it will get all of the benefits of a full-time IT staff, multiple connections to the Internet, and 24/7/365 network management. The skeptic, however, will say that putting all of one's security eggs in one basket (in this case, the cloud provider) is problematic.
If your company opts for cloud services, remember that the cloud provider's first and most important responsibility is to make a profit and stay in business. As a result, a customer on a multitenant server could find its security impacted by others collocated on that server, though it remains within the security agreement it signed with the provider.
For example, let's say a company co-hosts its servers on the same physical box as 10 other companies at a service provider. Even though the provider might be doing everything right technically and legally, one of those other companies on the co-hosted server might be doing something illegal. If law enforcement issues a subpoena to obtain all that company's data, it could take your data, as well -- without you knowing about it in advance. In fact, some subpoenas can state specifically that the provider is not allowed to tell the target or others impacted by the investigation that their data is being reviewed. This could affect your business operations if the virtual or physical server on which your company's data is hosted is taken down by law enforcement.
There are other privacy vulnerabilities. Let's assume the service provider is using virtualization to separate each of the companies on the server. If one of the companies on that server were to go rogue and breach the hypervisor, it could gain access to the root and, therefore, all of the virtual servers connected to that hypervisor. The attacker could gain full access to all virtual machines on the server (including yours), steal private data, and be gone before the hosting provider realizes the breach.
An IT manager can avoid these vulnerabilities by simply hosting data on a dedicated server. But that will not take advantage of the benefits of the cloud, including the ability to move your data quickly to various servers for load balancing, disaster recovery, and more.
This does not mean that multitenant or cloud computing is not safe. Rather, good security practices are always necessary, regardless of where data is stored. For many companies, a cloud service provider can offer a higher level of security than a company could offer itself. A risk analysis that compares housing data locally or in the cloud will answer the basic question of whether to employ a service provider. If you're better off with a provider, bring in a strong negotiator when you draft the contract to ensure that the provider keeps your interests, and not its own, up front.
Remember that if there is a breach, regardless of whether you use a cloud provider or host data yourself, your customers will blame you for data loss. Your reputation is at stake. Since your ability to secure the cloud ends at the perimeter of your network, make sure your SLA and security agreements address technology over which you have no control. And by all means, make sure everything in the cloud is encrypted securely. There is no excuse for losing unencrypted data to a breach, locally or remotely.