Years ago everything was stored in the data center and protected by firewalls, routers, DMZs, IDS/IPS solutions, etc. Recently the "cloud" has become very popular and SaaS vendors are popping up every where. To me this poses a big risk to company data. When we were in the data center we trusted our team - a small handful of skilled folks to harden and secure systems. For the most part we knew who was accessing what and when. We could protect remote access with controls and prevent access to systems by employees over the Internet. Now, this new cloud model allows anyone to connect from anywhere at any time. Information is no longer safely stored on our network. It is hosted and shared with other companies and individuals. Back end databases could be mingled with other customers, unauthorized vendor employees could have access to our data, flaws may exist in systems, web services could be vulnerable to numerous attacks and networks may not be protected or configured properly. It's a tough decision to chose a hosted or a vendor supplied solution to implement. It is my job to do the best I can to protect the company data but I also have to play the CYA game too. I am curious to find out how many follow the guidelines in the "Vendor Provides" Element under the SKiP section? Initially the answer to the question is obvious but how detailed and how far do you go. That's what I would really like to know. What are the not so obvious questions to ask?