When it comes to putting applications and sensitive customer data in public clouds, a highly-regulated industry such as financial services has every reason to look before it leaps.

In a survey released in March 2015 by the Cloud Security Alliance (CSA), the report’s authors cite two results as evidence of “added comfort and assurance” in cloud deployments and “maturity” in confidence in the cloud. One result is that less than one-fifth (18%) of financial firms still defining their cloud policies do not plan on using public clouds. The other result is that 70% of survey respondents have shifted from hybrid clouds to more public cloud services.

In other results, data security is predictably the main reason why financial services organizations do not adopt the cloud. Among security concerns, governance and data confidentiality predominate. The two most common enterprise cloud applications are IT development and customer relationship management (CRM). And respondents named a robust approach to security and threat detection as the most important way to maintain compliance in the cloud.

Close to two-thirds (61%) of financial institutions responding said they are still developing a cloud strategy for their enterprises, which indicates that cloud adoption is still in its early stages in the financial services vertical. Of those with established cloud policies, only 9% have a strict non-public private cloud approach. Of the 61% still defining their strategies, only 18% plan on not using public clouds.

The authors of the CSA survey note that these “two statistics show added comfort and assurance when practicing in the cloud and is an encouraging sign of maturity in cloud confidence.” Another sign of confidence for the CSA is that 70% of organizations with existing policies have moved from hybrid clouds to either a private/public mix, or to mostly public clouds.

Data security is the main barrier for not adopting the cloud. Of those survey participants who have opted not to use cloud services, 100% listed security concerns. The other main concerns were regulatory restrictions (71%) and public breach notifications (43%).

Regarding security concerns, the top five answers given by respondents clearly indicate governance and security of data are leading issues:

  • Data confidentiality (60%)
  • Loss of control of data (56%)
  • Data breach (55%)
  • Compliance and legal issues (51%)
  • Data loss (42%)

The applications that financial services respondents are adopting shed light on what they want to gain from the cloud. The top six are:

  • Application development/test environment (46%)
  • CRM (46%)
  • Email (43%)
  • Collaboration and content management (41%)
  • Storage, archiving, and disaster recovery 41%)
  • Data analysis and intelligence (41%)

The report authors point out that since no cloud application type was reported by a majority of respondents, this could be a sign of “substantial” growth for the enterprise cloud market.

The top five features that respondents wanted from cloud service providers are:

  • Better transparency and auditing controls (80%)
  • Better data encryption tools (57%)
  • Receipt of logs in real time (51%)
  • Remote service audits (48%)
  • Forensics and e-discovery (47%)

The top six steps essential for maintaining compliance in cloud deployments are:

  • Robust approach to security measures (e.g., malware detection, forensic readiness) (66%)
  • Auditing permission for incidents (57%)
  • Encryption of data at rest (46%)
  • Encryption or tokenizaiton of data (46%)
  • Penalty clauses in contracts for incidents (42%)
  • No customer and client data in the cloud (20%)

One noteworthy item is that small companies (with less than 500 employees) and large enterprises (more than 5,000 employees) had the highest cloud strategy adoption rates at 40% and 35%, respectively. 18% of companies in the 501-4,999 employee range had an established cloud strategy.

It surprised me that participants in the Americas had a rather low rate of adopting cloud strategies (28%). The figures for Asia-Pacific (APAC) and Europe-Middle East-Africa (EMEA) were 41% and 35%, respectively.

The survey attracted 102 participants and was conducted over 13 weeks during the fourth quarter of 2014. Respondents came from 20 countries: 59% from the Americas, 21% from APAC, and 20% for EMEA. 59% of survey participants had 5,000 or more employees, and 32% had a client base over 1 million customers. The survey was sponsored by enterprise security firm CipherCloud.

For additional details, download the full CSA report (PDF): How Cloud is Being Used in the Financial Sector.

Note: TechRepublic and ZDNet are CBS Interactive properties.