steve smith-401573 (9/15/2011)
Assumptions to verify for the cloud:1. The security environment is suitable
2. SLA is ironclad and something you can live with
3. Response time performance to inquiries and issue reports is satisfactory
4. Transparency (3rd party audits, you ability to 'see into' the cloud) is acceptable
Given these four, then take easily isolated applications that are not terribly mission critical and send them skyward! If it's got truly sensitive information (e.g., corporate financials, PII, banking information, etc), then consider partitioning off a 'private cloud' either internally or with a boutique 3rd party vendor for whom the higher bar of assumptions 1-4 can be satisfied.
When all is said and done, the 'cloud' is just another tool in the toolkit. Use it when it's appropriate. You don't use a sledgehammer to remove a screw from a light switch so you can replace the switch. Nor do you use a pair of tweezers to pick up a 25 pound sack of groceries.
5. Backups and restores can be tested, including deliberately induced corruption recovery
6. The legal/seizure environment is suitable (if the FBI or whatever nation it's hosted in has their federal internal law enforcement officers enter the provider to seize a few racks of equipment, are the results acceptable to you)
7. You have a plan for pulling your apps and data off the "cloud" that's updated regularly (particularly as your data grows; you're not pulling 10TB of data off a 1Mbps connection in a reasonable timeframe).