Questions to ask cloud computing providers

• Are cloud computing users allowed to view the cloud provider's third-party audit reports?

• Are the results of internal and external audits available to users at their request?

• Does the cloud provider conduct network penetration tests of its cloud service infrastructure regularly as prescribed by industry best practices and guidance?

• Does the provider have the ability to logically segment or encrypt customer data so that, in the event of a subpoena, data may be produced for a single user only, without inadvertently accessing another data?

• Can the cloud provider logically segment and recover data for a specific customer in the case of a failure or data loss?

• Is the cloud provider able to sanitize all computing resources of user data once a customer has exited a particular cloud?

• Does the cloud company provide documentation that describes scenarios where data may be moved from one physical location to another?

• Does the provider encrypt user data at rest (on disk/storage) within its environment?

• Does the cloud provider use encryption to protect data and virtual machine images during transport across and between networks?

• Does the provider have anti-malware programs installed on all systems that support the cloud service offerings?

Source: Cloud Security Alliance