The sales pitch for cloud computing is simple

The sales pitch for cloud computing is simple: Companies pay a third-party vendor to run one or more of their systems, like email or payroll, spontaneously servers. In theory, the customers save a bundle on hardware, software and personnel costs and can devote those resources to boosting their business.

On the whole, it may be a better idea to move relatively simple and nonessential systems, like email and payroll, to the cloud first. Taking this step frees up some of a company's attention and resources, so it can focus on improving the business. And its tech team has a chance to get familiar with the cloud in a lower-risk environment.

Older licenses, to illustrate, may not cover off-site use. So, putting the programs on a cloud server could lead to an audit, fines and bad publicity. Some newer licenses, in the meantime, prohibit a crucial part of cloud computing—virtualization, where many different applications run on a single server.

Vendors store data based on projected usage. They might keep information that's in constant demand, like sales figures that reps need for client visits, on conventional servers. Data that isn't needed all the time—like the Internal Revenue Service's vast store of taxpayer records—might be encrypted, compressed and stored on tape at a remote facility.

Cloud vendor

A cloud vendor would need to put a system in place to manage all this, without burdening doctors, nurses and administrators with layer upon layer of access codes. Getting that done will mean higher costs—as will calling up those records when they're needed.

That said, companies can't simply hand off their systems to a cloud provider and assume that all will be so then. Businesses need to perform rigorous tests on the vendor's systems and watch how they handle potential problems. To illustrate, hackers may try to attack the client's systems instead of the vendor's, grabbing data as it's moving to the cloud. Smart vendors will help customers protect against this kind of attack.

Some businesses go even furthermore to make sure they're safe. Not only do they test their own computer systems and their vendor's, however they as well hire pros to do some real-world snooping—like trying to sneak into the vendor's facility to see how so then it manages security. Many vendors pride themselves on having lots of state-of-the-art cameras, biometric sensors and security guards with guns; security specialists put them to the test by trying to sneak onto the premises with fake ID badges and get access to the computer system from within.

Dr. Plant is an associate professor of computer information systems at the University of Miami School of Business Administration. He can be reached at reports@wsj.com.