At minimum, the answer to this should include firewalls, DDoS protection, and authentication.
What else? It depends in part on what type of cloud service you are buying, e.g., platforms, virtual machines, OS instances or specific applications. For some, the provider should include anti-virus/anti-malware and other network/content filtering — but for other services, this will be up to you.
Since the provider is likely using virtualization and or containers, don’t forget to ask about security at the hypervisor and OS level.