by dijit 2169 days ago
This conversation will quickly become fruitless because everyone is at a different level of risk aversion.

For me, I can say plainly: "this piece of equipment has these access controls, both physical and virtual, and we have various radio frequency dampening systems," etc.

For you, you can think about outsourcing that responsibility.

There's no "right" answer, some cloud providers may indeed have much stricter access controls than I could ever have (for instance, budgets may require my servers to exist in a physically shared space, albeit in my own racks; those racks being porous to allow airflow). But ultimately you will never have more control than if you have complete ownership and audit capability of all systems.

I'm sure many people have lived in the same regulatory hell that I have, and I wouldn't argue that the regulatory hell is easier in the cloud or otherwise. I would instead argue that if I were the CIO, I would sleep better knowing I had done my job and not attempted to outsource the responsibility and wash my hands of it, which is what you're effectively doing, even if you trust the cloud provider, even if they've shown good faith: it's no longer your eminent domain to oversee.

1 comments

Right: my point is simply that you have to start with a threat model and make reasoned decisions based on that and your budget. "Always argue" is the same as "wrong for a significant number of people", even if it's right for your particular circumstances.
"Always argue against" does not equal "never give in".

But I can see how you read it that way.

I would definitely challenge you on "wrong for a significant number of people", because if you're focusing on security then it's likely a core principle, and therefore you need to understand it and be able to effectively argue your case.

And it doesn't matter whether you agree with my position or not for that last point to be true.