Restrict access to Corporate Applications that perform high value transactions, e.g. revenue reporting, applying discounts, or user management.
Protect your critical data, e.g. financials, legal and trade secrets, that don't belong in a Dropbox™.
Build an agile Software Defined Perimeter (SDP) around your applications, no matter where the server might be located (in your own datacenter or AWS or Azure).
Do not provision broad network-level access via old-school VPN to everyone. Follow the principles of "least privilege access" and reduce the security risk to your organization.
Zero Trust on the network. Instead, build a Trustable Application Overlay (TAO). Move the trust to the device and the user. Provide precision application access without granting free-hand network access.
Remember to read up on the Shared Responsibility Model followed by IaaS providers such as Amazon AWS, Azure, Google, Oracle, Rackspace, DigitalOcean and such. Cloud infrastructure providers DO NOT protect your applications and data.
Protect your critical applications from several classes of attacks: Denial of Service (DoS), Credential Theft, Server Exploitation, Connection Hijacking, APT/Lateral Movement, TLS attacks (e.g. Heartbleed, POODLE, FREAK) and other such vulnerabilities that keep cropping up every other week.
Most importantly, rest assured that TrustedPassage actively upgrades to the best-of-breed security infrastructure in the cloud, so you don't have to.