In addition to the underlying value of (read: the cost of acquiring and maintaining) all that data, there's the risk of losing control of it. Nobody wants to have the company name in headlines about hacks into the customer records database. So keeping secure custody of the data at every part of your IT supply chain really matters. And this is tough to enforce across international borders unless you own the facilities and employ all the workers. On this front, subcontractors are tough enough in your own country.
There's also the issue of regulatory compliance. PCI audits, HIPAA, FERPA, and eTrust may seem hard enough, but there's another one that many companies don't know about. The European Union's personal information privacy directive (95/46/EC) has some pretty specific requirements regarding safeguards, but it goes further with process controls around handling any information that can identify a specific person. Most U.S. companies use a safe-harbor strategy that is easier to achieve, but even this approach means tight process controls for any IT function that stores or manipulates "personally identifiable information." It's not entirely clear whether the theory behind the safe-harbor strategy works with offshore operations. This is an area of active legal interpretation, so you'll need to consult with your attorneys (certainly don't interpret this article as legal advice!).
So what can you sensibly offshore in cloud-based CRM projects? Classic software development of classes, triggers, and other infrastructure code can be routinely offshored.
When it comes to user interface screens, security settings, and report/dashboard design, however, this is best done right next to the users. Even being in another building may be too far away. For the same reason, final acceptance testing has to be done in country, even though unit, system, and performance testing can be done entirely overseas.
Much of cloud system administration can be offshored as well, although you'll need a tight ticket reporting/case management system to get the best leverage. But some parts of administration — particularly full-system backups and record deduping — really can't be offshored. There's just too much risk in the completeness of the information.