You probably know by now that the economics of the cloud are compelling. The economics of the public cloud are even more so, because you let go of a lot of capital resources and risk.
But about all that risk: Is it too risky to host your applications in the public cloud? There was a time, perhaps, but we're well past it. The major public cloud providers have very mature platforms and vast pools of expertise, and security vendors are building out their cloud expertise, as well.
Even large, sophisticated, and security-obsessed institutions like JP Morgan Chase are using the public cloud. Last year, Deutsche Bank reported that public cloud adoption among big banks was widespread. And it's not just banks. Last year, Johnson and Johnson announced a major commitment to the public cloud. Both JP Morgan and J&J plan to use multiple cloud providers. So if you choose to go with a public cloud, you won't really be a pioneer.
Clearly, these very large and cautious organizations are comfortable with the viability of the public cloud. They haven't gone into detail on exactly how they do it, but they are almost certainly using the same features available to everyone from Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
Public cloud deployments are extensions of your own network built on the public cloud. They have access to the public cloud's features but connect through secure, encrypted channels to your own network. You can extend your own IP addresses and DNS into this network and manage it with the same tools you use for your in-house systems.
If an IPsec VPN connection between your network and the cloud isn't comforting enough, you can get direct fiber optic connections from your data centers to the cloud providers.
In many cases, you can, and should use the same next-generation firewall security solutions that are deployed to protect your data center, following similar best practices of separating apps and data. Attackers do not care where their target resides - they only want to achieve their goal of stealing data, IP, or computing resources. Your public cloud deployment should be protected as vigilantly as your data center. The ability add layers of security should provide a higher level of comfort, because the customer is exercising their role in the shared security model of maintaining exclusive control over the management (and security) of the environment.
It's also likely that the major banks are using more than one public cloud provider in order to spread their risk even further, and this is an option for you, as well.
This multi-cloud option raises an important related issue of whether you want to take advantage of proprietary features in specific public clouds, such as AWS's serverless Lambda platform, or treat the clouds largely as naked infrastructure. With the former, you may be able to build applications more optimized for the cloud, but you've also surrendered to vendor lock-in. Stay generic, and you can move your application between clouds, or run in more than one.
Finance and healthcare are probably the two most heavily regulated and scrutinized industries in the US, and they think it's both safe and advantageous to deploy important applications to the cloud. If they can do it, so can you.