• Are cloud computing users allowed to view the cloud provider's third-party audit reports?
• Are the results of internal and external audits available to users at their request?
• Does the cloud provider conduct network penetration tests of its cloud service infrastructure regularly as prescribed by industry best practices and guidance?
• Does the provider have the ability to logically segment or encrypt customer data so that, in the event of a subpoena, data may be produced for a single user only, without inadvertently accessing another user's data?
• Can the cloud provider logically segment and recover data for a specific customer in the case of a failure or data loss?
• Is the cloud provider able to sanitize all computing resources of user data once a customer has exited a particular cloud?
• Does the cloud company provide documentation that describes scenarios where data may be moved from one physical location to another?
• Does the provider encrypt user data at rest (on disk/storage) within its environment?
• Does the cloud provider use encryption to protect data and virtual machine images during transport across and between networks?
• Does the provider have anti-malware programs installed on all systems that support the cloud service offerings?
Source: Cloud Security Alliance
While cloud computing may seem vague and confusing, the National Institute of Standards and Technology recently completed a working definition for the term after years of work and 15 drafts.