Shhhhh, you're not supposed to talk about that.
As pointed out, you are signing up to a service which in many cases explicitly excludes any promise regarding security - and are them putting information on it which you have a legal requirement to keep secure. There is a fundamental disjoint there - unless there are specific (and plausible) security measures/guarantees in place on the part of your cloud provider, then it would be unlawful to use the cloud for anything subject to any of our (UK & EU) privacy laws.
For some reason, comments I've made to the manglement on this haven't gone anywhere.
As an aside, Microsoft allow you to specify where you data will be held - so for example we (as a UK business) can explicitly keep our data in the EU. There is a flaw in this though which still hasn't been properly explored ...
ALL this MS cloudy stuff uses a single signon system, and that means that the keys to the kingdom are not kept in the EU. When they had a global TITSUP event with Office 365, it became clear that the problem was in fact down to some of the sign-in servers being down, and they were (according to comments) located in the USA.
Now MS fought the US government over the access to emails held in Ireland case because it makes good PR for them. I can't help thinking it was PR, because with the way things are setup, I fail to see how the US parts of the system can be thought to be immune from a US TLA rocking up with a "give us access" letter - ie "we don't care where the data is stored, just log us into the user's account".
Biting the hand that feeds IT
