"Companies must consider these aspects: data protection, identity management, vulnerability management, physical and personnel security, application security, incident response, and privacy measures," she writes.

For example, customers should seek information about the vendor's ; how the vendor protects data at rest and in motion; the vendor's documentation available to auditors; authentication and access control procedures; and whether the vendor has proper data segregation and data leak prevention measures.

There are still numerous questions to be worked out regarding not just security in the cloud but also liability. To avoid pitfalls, customers need service-level agreements that specify a set of "detailed liability conditions and consequences," Wang writes.

"The fact that the laws do not treat data in the cloud the same as data on-premise leads to complicated liability discussions," she writes.