The Dirty Secret of Cloud Hosting Service Providers
Until the providers can disclose the magnitude of the NSA backdoors, ALL of the major cloud providers must be designated Pre-Compromised. A backdoor is a backdoor, encryption is nice but when an organization can throw 3 trillion brute forces a day at the cypher, how long will that hold up. (yeah, like tissue paper)
So why is this such an issue? It's not that the malicious elements are going to go after the NSA repository, that would suicide. Rather they want access to the big sucking portal of a back door. While man-in-the-middle intrusions are probably already covered, you can bet all kinds of data-center escalation access are high target.
But it's the NSA, What's the big deal? Read the fine print of HIPAA compiance. Lawyers with suits against the federal government can kiss attorney-client privledge goodbye.
Public cloud does have a place, a good rule of thumb is "if you would not be bothered seeing it splashed across Facebook, then cloud is good for handling that data."
*note - I am using Facebook as relative measurement of exposure, not in the litteral context.
My point is until a provider can guarantee, with full disclosure, the actual security design of it's infrastructure these discussions are moot. They are inheirently Not secure.