

Data protection - CaseyM

We're working to release an online directory service for clubs/organizations. Seeing as how our application is all about managing personal data (photos, names, addresses, phone numbers, birthdays, etc.), I have two data protection questions for the HN community.

1) How does the security of application hosting services (e.g., Pagoda Box, Heroku) compare to the security of virtual machine hosting services (e.g., Amazon Web Services, Linode)? With virtual machines, we may be on shared hardware, but we're running an operating system managed by our own team (e.g., minimal account access, restricted firewalls, up to date patches). With application hosting services, I'm not sure how much security, or even between-account application and database separation, to expect.

2) I've read through several of the HN discussions around data protection and compliance. I've also read about data protection requirements for consumer marketing data, financial transaction data, and health services data. Since we're not storing consumer marketing data, financial data, or health services data, which of the other standards out there would apply to an online directory service? Do we just err on the side of "the more secure, the better," and choose PCI or HIPAA compliance?

Thank you!
======
hrbrmstr
For #1, I would suggest that your application/API will be the weaker link in
the security/privacy chain. While it's possible that you could have Heroku or
EC2 admins do "bad things" or have "unruly neighbors", it's far more likely
you'll introduce flaws via insecure coding practices or by using insecure
libraries. If you rely on solid data encryption (at rest and in transit)
practices and make the effort to secure credentials properly, you should be
fine in either setup. I'd make the dedicated VPS vs "cloud" setup based upon
need for scalability/etc vs security. You should be able to secure a "cloud"
config to your needs.

For #2 – since it seems you're in more a 'privacy' realm than a 'compliance'
realm, it may be worth the time to peruse the White House's framework –
<http://www.whitehouse.gov/sites/default/files/privacy-final.pdf> –
from this past Feb (which has links/refs/comparisons-across privacy standards)
and then the CSA's Cloud Controls Matrix :
<https://cloudsecurityalliance.org/research/ccm/> : or the whole CSA GRC stack
: <https://cloudsecurityalliance.org/research/grc-stack/> : which should help
you assess which provider/service is right.

The prescriptive controls in PCI can help you design your data access &
handling strategy, but you have to remember that PCI is highly focused on
protecting a sixteen digit number and you'll need to determine what your
critical data components are from a privacy perspective to effectively map
against PCI or other control frameworks.
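The answer above points at two things the application itself must get right: encryption of personal data at rest and keeping credentials out of the code. The following Go program is an added example, not code from the original thread or from any of the hosting providers mentioned. It seals individual personal fields (phone number, date of birth) of a directory record with AES-256-GCM, binds each ciphertext to its record id and column name so a value cannot be silently moved to another member's row, and loads the key from an environment variable rather than from source. The variable name `DIRECTORY_DATA_KEY`, the record id `member-42` and the sample phone number are constructed for the demo; `NewKey` exists only so the program runs stand-alone without a configured key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
)

// NewKey returns a fresh 256-bit AES key so the example runs stand-alone.
// A deployed service would load it with KeyFromEnv or from a KMS instead.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// KeyFromEnv reads a base64 key from the named environment variable, which
// keeps it out of the source tree and the repository (name is hypothetical).
func KeyFromEnv(name string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(os.Getenv(name))
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("%s must hold a base64-encoded 32-byte key", name)
	}
	return key, nil
}

// aad binds a ciphertext to its record and column: a value copied from one
// member's row, or from another column, fails authentication on decrypt.
func aad(recordID, field string) []byte {
	return []byte(recordID + "\x00" + field)
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one value with AES-256-GCM under a fresh random nonce
// and returns base64(nonce || ciphertext || tag) for storage in a text column.
func EncryptField(key []byte, recordID, field, plaintext string) (string, error) {
	aead, err := gcm(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), aad(recordID, field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. A wrong key, tampering, or a value
// presented under a different record or field all surface as one error.
func DecryptField(key []byte, recordID, field, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	aead, err := gcm(key)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, sealed := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, sealed, aad(recordID, field))
	if err != nil {
		return "", errors.New("authentication failed")
	}
	return string(pt), nil
}

func main() {
	key, err := NewKey() // demo only; a service would call KeyFromEnv("DIRECTORY_DATA_KEY")
	if err != nil {
		panic(err)
	}
	// Constructed sample: one member's phone number, sealed for the "phone" column.
	sealed, err := EncryptField(key, "member-42", "phone", "+1-555-0100")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", sealed)
	back, err := DecryptField(key, "member-42", "phone", sealed)
	fmt.Println("decrypted:", back, err)
	_, err = DecryptField(key, "member-7", "phone", sealed) // same value, other record
	fmt.Println("moved to another record:", err)
}
```

Binding the record id and column into the associated data is what turns "encrypted at rest" into something stronger than a bulk disk encryption: a database user who can read and write rows still cannot reassign one member's phone number to another member, and any corruption or edit of the stored value is detected rather than decrypted into garbage. Keep the key in the environment or a secrets store of the hosting provider, never alongside the database it protects.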

