I am trying to make a judgement call on a cloud provider's security. This is what I know:
Provider A - PRGMR.COM (not very well known but competent and reliable)
- Is very transparent - seeks feedback, honest about downtime, etc (a great plus in my experience)
- provides out of band access via ssh (ssh-keys used for authentication, compromise of other users' keys doesn't necessarily mean compromise of system)
- Uses open source software (Xen hypervisor)
- located in the US
Provider B - Amazon EC2 (a very well known cloud provider)
- Has obtained PCI level 1 certification
- located in the US
What is the probability / risk associated with the provider's out-of-band console / infrastructure being compromised? (Which is more likely: Amazon's infrastructure being compromised, or compromise of sshd on the Xen hypervisor, aka provider B?)
I will be contacting provider A to ask about their physical security measures...
On paper Amazon looks better than A but should transparency & honesty trump a PCI certification and popularity?