Wednesday, November 18, 2009

It's not rocket science to pick a cloud provider: cut to the chase.

Most of the vocal public cloud providers are "like a 5-year-old, they run away" or start to babble when you open up a discussion on risk, compliance and security.

If a cloud provider won't let you model the network or get a full audit of the servers (e.g. patching, virtual machine provisioning, console activity), then one should choose another. If an organization can't understand the attack surface of the target operational environment, nor identify its vulnerabilities, then it will likely be unable to assess and accept the risk to operate (and meet its fiduciary obligations).

Each industry will have its own set of impedance factors. The FDA imposes a set of criteria for a validated platform for healthcare/biotech. Federal agencies must deal with FISMA and the guidelines from NIST, which I have experience with. Government agencies start to ask tough questions when a provider builds its own hardware, let alone when it relies upon foreign-supplied COTS components.

There are cloud providers that are making claims, but security concerns will remain until there is an audit and verification. I would go with cloud providers that have had experience with enterprises and are able to offer managed service components. The solution should be complemented with the right people who can speak to the issues.

A trustworthy cloud provider will be more transparent than not. They have to be willing to speak with you about their controls. In some cases, you need to exclude a provider if they cannot provide a fully-managed offering with physical server separation. In other cases you may need a NOC with staff that has been through background checks. You will then have to assess and select a cloud provider with, say, a separate NOC that is FISMA compliant. Some "cloud" providers are actually able to drop in a separate node for large Financial Services clients. But they still have to think about the economic costs, and it is unlikely to be "click-to-buy-to-provision". There is significant investment in the networking gear, patch panels, service management and capacity allocation needed before a public resource pool is adequately cut off for private consumption. There would be contractual obligations to reserve and purchase resources, e.g. thousands of virtual/physical servers.

A checklist compliance approach with service providers will be necessary. Accenture has an assessment methodology and Cloud RFI survey that we've used with a number of cloud providers. The results would be verified with a site visit. Is the machine room isolated from other functions? Are there cameras on the perimeter of the building? Do they harden "their" operating system before installing other applications? What is their process for applying patches/updates? Accenture is experienced in coordinating and supporting external security audits and can provide recommendations and guidance for security improvements and corrections.

Best practices carry over to cloud computing, especially given the concentration of high-value assets and the unknown threats of multi-tenancy and virtualization. Everything gets more fractured, and the operating picture (your understanding of cyber risks) changes: e.g. email traffic, user logins/behaviour, remote access traffic, building access, time reporting, etc. If all types of customers (enterprise, small business and regulated) are using the same ingress and egress interfaces, that may simply be unacceptable to some customers.

It's vital to understand the attack surface of the cloud and to use an enterprise risk management framework to select security controls. Are there cloud providers, and candidates in Financial Services, that make sense in a cloud? It depends on your definition of a cloud and on what they are providing. It will depend on what you are willing to give up. This starts with a risk assessment.
