Hosting solution for sensitive client data
We are developing a web application that will deal with highly sensitive (financial) data of clients (audience is medium- to large-sized businesses). Clients will be under scrutiny from regulators & auditors and, as such, we will be too. More importantly, to give clients a level of comfort, our application and related hosting arrangement should instill a lot of confidence in them.
We are looking into using a cloud-based service like Linode. To allow for maximum flexibility, we are keen on putting everything on virtual servers and avoiding having to buy our own hardware.
Does a cloud-based service make sense for our particular scenario? If not, what type of hosting should we consider? If so, what should we look out for?
You don't own/control ANY of the routers, firewalls, VLAN switches, servers, or virtual machine OS, nor do you have ANY control over the host OS or the guest OSes or how they're set up or maintained, nor do you have ANY control over the virtual neighbors, what they're doing, how they're isolated from you, what their traffic will be, etc.
Also, since you don't own the boxes, you have NO control over the legal side of things. Can ANY so-called law enforcement person walk in with a note scribbled on a Post-it note and get access or even take the boxes - or will the data center actually protect your rights and demand a full-blown warrant and/or subpoena?
So although VMs might be the latest and greatest TECHNOLOGY since 3.5" floppies - it's certainly not a tried and true solution that has all the security issues hammered out AND tested/proven in the real world.
Best bet for REAL security: rent secure cages in a data center. Install your own firewall, your own router, your own VLAN/layer 3 switches, and your servers. Then control who can touch them, and how they're configured. Set up your own boxes, and if you (and your lawyers) are happy with current VM isolation, then run your own VM servers - if not, keep them dedicated. Lock your cage, and sleep with one eye open watching the key.
It's not cheap, but it is secure.
Well, cloud computing and bulletproof secure are seldom mentioned in the same breath.
@Vonskippy, I agree with you, 'the more control over hardware and software the better', but precisely today the Recovery Accountability and Transparency Board announced that it is moving Recovery.gov to the cloud. So cloud computing and bulletproof secure are closer than you think.
You're comparing apples to fish.
If you can't control physical access to the servers, you can never guarantee the integrity of the data.
While I trust Linode, I'll never use them to create a credit card processing company, for example. Rent space in a datacenter and secure your cage with an alarm and security camera(s).