Cloud Computing Due Diligence - WTF?

Presented at BSidesLondon 2010 by

The media hype around cloud computing, both positive and negative, is often sensationalist. The reality is that cloud computing has a place as a tool in the modern computing environment, but how do you realistically balance the benefits against the risks? This talk is a more 'down-to-earth' and expanded version of presentations previously given at InfoSec, IT Web South Africa and the Cloud Computing World Forum. It looks at how customers often fail to classify their data sufficiently and so back themselves into an 'all-or-nothing' approach to cloud computing; how customers often fail to assess the risks of moving to the cloud objectively because they never baseline what they currently do on-premise; the role of certifications such as SAS 70, PCI DSS and ISO 27001 in a cloud computing context; why a 'right to audit' doesn't scale; why internal clouds are infrastructure vendor marketing bull; and how to manage the conflict between a business's desire to outsource and the IT department's wish to protect its influence. We finish up by disclosing some of the tricks cloud computing vendors use to keep their internal processes 'opaque' rather than transparent, and how to avoid them.