Companies that migrate their apps (and their data) to the cloud remain responsible for the security of their data. This simple fact means that security must be a concern from the time that the first negotiations begin for the outsourced service. As this article says,
"It is important to understand:
- Where the data is being hosted. Data location needs to be part of the contractual agreement.
- Who is managing data in which locations, including data classification, identity access, privacy and response controls.
- How data is being segregated. The cloud provider should offer evidence that encryption schemes are in place and tested.
- Whether data will be accessed beyond the cloud provider's data centers such as the corporate office or remote locations."
Additionally, there should be some assurance available from independent auditors, such as a Service Auditor's report on the system. Lack of availability of such a report should be a show stopper.