
I am trying to make a judgement call on a cloud provider's security. This is what I know:

Provider A - PRGMR.COM (not very well known but competent and reliable)

  • Is very transparent - seeks feedback, honest about downtime, etc. (a great plus in my experience)
  • provides out of band access via ssh (ssh-keys used for authentication, compromise of other users' keys doesn't necessarily mean compromise of system)
  • Uses open source software (Xen hypervisor)
  • located in the US

Provider B - Amazon EC2 (a very well known cloud provider)

  • Has obtained PCI level 1 certification
  • located in the US

What is the probability / risk associated with the provider's out of band console / infrastructure being compromised? (Which is more likely: Amazon's infrastructure compromise, or compromise of sshd on the Xen hypervisor, aka provider B?)

I will be contacting provider A to ask about their physical security measures...

On paper Amazon looks better than A but should transparency & honesty trump a PCI certification and popularity?

  • By not disclosing the smaller player, I feel you are biasing any answers you'll get since you'll end up with one-sided "comparisons" b/w a well-known, highly documented market-maker and an unknown. Commented Mar 21, 2012 at 16:38
  • it is prgmr.com
    – Hilton D
    Commented Mar 22, 2012 at 4:17
  • In principle, I would say never rule out the startup / niche players. It is possible for a small, targeted startup to offer security as a differentiator, even without the "compliance" aspect (if you don't need it; compliance and security are not identical). Such a player could definitely be interesting, though I don't think that the one you mentioned is trying to offer high security as an added value.
    – AviD
    Commented Mar 22, 2012 at 9:52

3 Answers

5

This may sound a bit of a cop-out, but at the end of the day it is down to what assurances you need from the provider so you should ask both of them the same questions - and these should be specifically on what you need to feel confidence that using the provider doesn't expose you to more risk than you can accept.

Have a look at this question about EC2 security for a bit of info.

Some more:

  • Amazon provide services to major corporates so have a vested interest in physical datacentre security - whether you can rely on this is up to you. Odds of you getting a guided tour are pretty slim.

  • Similarly, they aren't that transparent about a lot of their security features, but they do have a lot to lose and decent security budget so have put in place the features they feel are appropriate for their customers.

  • If you need a PCI certified provider (no matter what they are worth in the real world) then Amazon will fit the bill. If you don't need that, then you can ignore that feature as almost irrelevant - just accept that it means they have shown protection of account data sufficient to pass PCI-DSS.

  • Cloud services involve divesting some control around security and availability. If you have a critical uptime requirement or need to be able to carry out on the spot checking of hardware, the cloud may not be for you.

  • Just to add to Rory's second and fourth bullet points: Amazon knows that security is the number one thing people fear about the cloud. Customers fear breach of confidentiality and lack of availability. Whenever anything happens to the big cloud providers, it makes the news. Therefore, it is in Amazon's (well, any cloud provider's) best interest to make an effort. Bigger budgets will generally produce better results. Commented Mar 21, 2012 at 16:41
  • Couldn't it also mean that if there was a breach they would do their best to limit damage by doctoring the details to suit themselves?
    – Hilton D
    Commented Mar 22, 2012 at 4:17
1

It does depend on your requirements [confidentiality, integrity, availability]; however, two great general resources I've found useful are:

1

You should look at what the Cloud Security Alliance is doing including a register of cloud providers who have self attested to their security which is a step in the right direction. https://cloudsecurityalliance.org/

Even better you should be asking for a 3rd party assurance report such as ISAE3402 or a SOC 2 report which will have been done by an independent 3rd party.
