Beyond managing risk through contracts (Section 2.1 Data Governance, CSA Security Guidance for Critical Areas of Focus in Cloud Computing v4.0), you can exercise control over your data stored within cloud resources. Several cloud services are intended to overlap or replicate from your on premise systems to cloud services, allowing greater consistency in management and data governance.
Identity Management is central to this approach, with Domain 12 of the guidance outlining strategies for replicating or sharing identities, as well as access control options like Single Sign-On and Federated Identity across cloud providers. Supplementary controls over data access are provided by bring your own key (BYOK); you can import your own keys into software based key management systems, or into dedicated Hardware Security Modules provided by the cloud vendor.
Note: This material is drawn from Thales eSecurity White Paper: “Best Practices for Secure Cloud Migration. Leveraging Cloud Security Alliance Security Guidelines.”