- the ability of the cloud provider to protect data from being accessed and possibly stolen by the staff of the provider and their agents; and
- the ability of the provider to protect against malicious external attacks.
The first risk, agency risk, is amplified in the cloud because it is so easy for supply chains to lengthen to a point well outside a customer's control, and it is very easy to move virtual machines between cloud providers. Backup copies of your data could end up with a multitude of cloud providers over just a few years.
The answer to mitigating agency risk is twofold. Firstly, ensure that the contract you enter into with a cloud provider or outsourcer ensures that all sub-contractors of the provider are covered by the same confidentiality, privacy and professional liability conditions your provider guarantees and that the sub-contractors are forced to guarantee these same conditions are contracted down the supply chain. Secondly, you should encrypt all sensitive data, possibly all data, in the database using the encryption methods supplied by your RDBMS or, industry-standard 2048-bit public-private key encryption. This way, even if someone does maliciously access your data, it is encrypted to a level impossible for an individual acting alone to decrypt.
Addressing the risk of hacking is always problematic. Given the security flaws that are regularly discovered and addressed in Microsoft Windows and that may exist in other operating systems, this is a problem for everyone with an IT system connected to the internet. The first thing you need to do is research and investigate the security practices of your provider. Most of the big providers, such as Amazon, Google, Microsoft and SalesForce have large security teams dedicated to protecting their cloud systems from hacking attempts and have the best firewalls money can buy. Their ability for success is likely to be much greater than smaller organizations and those who do not have IT as their primary competence. Even smaller cloud organizations are likely to have devoted much time and money to security. If you're in doubt of an organization's ability to protect your data from hacking attempts, you need to make them demonstrate that their security practices are robust. Ask them about the firewall they have implemented, how many security staff they employ and what measures they take to actively detect and protect against malicious attacks.
Following these few simple rules will ensure your cloud experience is as secure and risk-free as it can be and should ensure that security in the cloud is as good as you could provide yourself.