Nowadays, you can manage a software company almost entirely with online services. Whether you want to manage projects, emails, repositories, bugs, or anything else, you've got plenty of options. Most of the time, in addition to being time savers, using Cloud services also help you save quite a bit of money. Can we, however, really trust those providers with our data? By hosting it yourself, you only have to trust your employees; by hosting it elsewhere, you have to trust all those other companies and their employees that you know nothing about.
This is a really hot topic at my job. I believe that Cloud-based solutions can really benefit a small company, but sometimes I wonder if I’m being too naive. On the other side, I don’t think all the fears of having your data stolen are really founded and that most of the time, it’s just paranoia kicking in. Even if the content was stolen, would it really be such a big deal most of the time? I will try to list the pros and cons of each option to help understand the issue. I do not aim to reach a conclusive decision, as I do not believe there's a single right answer.
Using Cloud services
Putting your data online makes it vulnerable from two angles: the employees at the company hosting the content can access it easily or hackers can steal it directly by breaking through the defenses of the service provider. It does not matter if the hackers were aiming for your data or for someone else's (for example, the recent Sourceforge attack), your data was compromised nonetheless. The security of your data is entirely in the hands of other people. The upside of using Cloud services is that you don't have to manage the IT infrastructure required to handle whatever type of data you have. You don't need to buy any hardware or to hire staff to keep it running and secure. For a small corporation, these two expenses are far from being negligible. Cloud services also often offer better options than self-hosted ones.
Using self-hosted solutions
Hosting your content yourself means that you're in control, you know who accesses the data and you know how it's managed. You only have to worry about your own employees (which I hope you trust more than any other employees) and from attacks directed straight at you. You don't have to worry about Google being hacked, about BitBucket or GitHub leaking their users' data, etc. The downside is, as stated above, that you need to purchase the infrastructure yourself and to hire the staff to maintain it. Furthermore, the security is unlikely to be stronger than what the service providers offer unless you truly invest in security yourself. As this article about Cloud security puts it:
[...] Cloud-based solution vendors not only have the latest technology, the latest firewalls, the best datacenters and the highest levels of redundancy possible but they will apply multiple layers of defense in-depth that your average business (a Fortune 500 company may be an exception) can never have.
I am personally sold to Cloud-based solutions, the simplicity of use, the relatively low-cost and the debatable higher security makes it an easy decision for me. I'm not suggesting that jumping in the first service provider that offers a valuable service is a good idea; I think that learning more about the company hosting your content is a necessary precaution, but if other companies are using it, are satisfied with it and there are no horror stories about the vendor, consider me sold.