Enterprises looking for a cloud provider face an embarrassment of riches as there are so many options to choose from. So how do they decide? The short answer is that they shouldn’t start with technology.

“It’s become a very crowded cloud provider market,” said Microsoft’s assistant general counsel Dennis Garcia in a recent web cast. “The cloud technologies have become increasingly mature, and companies are realizing there are lots of business advantages to moving to the cloud.” Advantages include cost savings, improved collaboration and increased productivity, he said. “You can even be more secure, assuming you are working with a trusted cloud provider.”

Garcia sees cloud providers falling into one of four categories: traditional IT providers, such as Microsoft, Oracle and IBM; companies that describe themselves as being born in the cloud, such as Google and Amazon; smaller providers that haven’t been in the marketplace too long, such as Dropbox and Box; and, finally, there are those that weren’t traditionally in the IT business but have shifted, such as telephony companies like AT&T.

One of the challenges facing enterprises as they try to select a provider is understanding how to find a trusted one, said Garcia, which is complicated by the fact there is no single set of laws government cloud computing. For example, “there’s now singular data privacy law out there,” he said. “This whole area is changing and evolving as we speak.”

Garcia frequently tells customers the regulatory landscape for cloud computing is in fact cloudy. He said Microsoft is trying to be proactive in encouraging governments to enact laws to deal with the modern-day cloud computing world. One promising new piece of legislation in front of U.S. Congress is the Law Enforcement Access to Data Stored Abroad Act. “This is a great step in the right direction to clarify the rules.”

If an enterprise has made a business decision to move to the cloud, said Garcia, its key goal should be to work with a trusted provider. “You need to spend a fair amount of time conducting a thorough investigation of a potential cloud provider.” Organizations should identify a team of professionals within the company to do that work, he said.

There are four key stakeholders that should be involved, including the in-house legal team, a data-privacy law expert, someone focused on information security, and a representative from your risk management and compliance team. “You want to get these folks involved early and often,” said Garcia. “Don’t wait until you’ve actually signed the contract.”

These people should be the ones to do the due diligence, he said, and recommends following a framework that addresses four key considerations. The first is working with a cloud provider that has truly transparent business practices. Second is how the provider protects data. Third, enterprises should work with a provider that is really focused on compliance and can provide a pathway to help you be compliant. The last is control, said Garcia. “You want to work with a cloud provider that is going to enable you to continue to own, control and get access to your data even though it’s in your cloud environment.”