Encrypt Early and Often
While nobody is going to argue its value in this cloudy day and age, true end-to-end encryption is still relatively rare in most real-world cloud implementations. For those who plan to encrypt, it is important to understand the effectiveness of available controls over a provider's encryption capabilities. IT managers should be able to confirm that sensitive data is encrypted everywhere, including when it's in transit, in use within the application layer, and at rest – whether within a database or file system, or in an archive or backup.
You should have tight control over your keys: Some keys may be held by your managed services provider for convenience, but ideally you should retain the keys within your organization's sole custody whenever possible. Furthermore, your data should be encrypted at rest before migration to the cloud begins. CSP's who are serious about security can provide this as part of their on-boarding services portfolio.