According to Henderson, private external clouds with VPN support are secure, with one major caveat: If a system boots on a SAN, it can be difficult to verify that externally connected storage resources are encrypted and secured.
Additionally, physical security at cloud service providers should be checked out. Certification under Sarbanes-Oxley is now commonplace, Henderson writes, but those standards are at best a starting point. Nevertheless, the expert says that there is at least a moderate level of physical security in place at most cloud providers.
Henderson also notes that, while many cloud service providers offer varying levels of encryption, the general attitude among vendors is that the client should provide any such security desired. This hands-off tendency has been remarked on by other cloud computing experts, as well.
Some pundits say that top-to-bottom encryption is likely to become a standard feature of cloud services in the near future, but – regardless of which side it comes from – all agree that it's crucially important for data protection.
-McAfee Cloud Security