Business Risk Assessment Regarding the Cloud Services for a Corporate Legal Department

By Theodore Spurlock posted 11-02-2015 09:39


If you had asked about cloud solutions as little as 5 years ago, you would have gotten a very different response, likely something to the effect of "We'll NEVER use a cloud-based solution." Today, across our entire corporation we have a multitude of cloud solutions in place, and within the Legal Department in particular we use cloud-based services for Matter Management, eBilling, and the Board of Directors Portal. It's reflective of the fact that both vendors and cloud service providers have significantly upped their game when it comes to providing secure solutions and environments.

Before engaging in any cloud-based service or solution, it's vital that senior management be engaged and fully understand the risk profile of the service or solution being provided, as well as the risk profile of the service provider AND the cloud provider if they aren't one and the same. Our company has a very detailed process by which all new technology solutions are evaluated and communicated, including a thorough (some might say too thorough) engagement analysis and communication/sign-off from senior management. In my experience, each time we suggest a new cloud-based solution, the approval process is easier than the last.

The standard third-party management process here gets kicked into a higher gear for cloud engagements. Depending on the sensitivity of the information involved and the importance of the engagement, the process calls for an in-depth review consisting of 231 questions across 7 domains:

Access Control - Physical & Logical

Business Continuity Management

Communications & Operations Management

Organizational & Program Management

Privacy Protection

Risk & Compliance Management

Information Security Incident Management

Being in a highly regulated industry, and in addition to internal management direction to improve the security and reliability of our solutions, we have seen significantly increased regulatory scrutiny around all third-party relationships, especially cloud solutions. The bottom line is that we are required to hold our third-party providers to the same standards we follow internally, and we must be able to prove our due diligence.

As a general rule, my company will only invest the time and money in software development if it's a product that is going to separate us from our peers in the marketplace. For all other applications, we lean towards vendor solutions, and more and more that means cloud-based SaaS solutions. For software solutions that aren't our specialty, cloud providers are regularly cheaper, more reliable, and as secure as the systems we run internally.