Infoworld have summarised Gartner's assessment of cloud computing security, listing the seven deadly risks of cloud computing. Key among them is number two on the list, Regulatory Compliance. Why indeed would you insist that your traditional service providers comply with regulations and undergo compliance audits, without subjecting cloud service providers to the same level of scrutiny? Indeed you might find you are bound to do so by the regulations in your industry.
Also one of the many perceived benefits of the cloud is availability and resilience of service, but are your cloud service provider's DR capabilities good enough? Are your data, transaction logs and applications all co-located, or are they stored and hosted in multiple, geographically diverse locations? Do they do DR at least as good as you could with traditional architecture?
Practically speaking, does your cloud provider introduce unacceptable security risks?