At the Business of Cloud Computing Conference, I caught a presentation by Marlin Pohlman, who noted that No. 3 on the Cloud Security Alliance's "Top Threats to Cloud Computing" list is malicious insiders. This serves as a good reminder that old-fashioned physical security issues require a lot of attention when you're considering a cloud service provider.
Just as a bank is a central repository for money and thus an attractive target for a robber, so is the data center of a cloud provider a central repository for valuable data resources and thus an attractive target for malicious hackers. So it's important to vet the physical security of a cloud provider's data centers. Here are some of the key issues to investigate:
Security policy. A policy typically details the mechanisms that the vendor has in place to prevent security breaches. An incident response plan typically details steps the provider will take should a breach occur. If the vendor has such documents, carefully review them. If it doesn't, that's a big red warning flag.