Data protection

2 points by CaseyM ↗ HN
We're working to release an online directory service for clubs/organizations. Seeing as how our application is all about managing personal data (photos, names, addresses, phone numbers, birthdays, etc.), I have two data protection questions for the HN community.

1) How does the security of application hosting services (e.g., Pagoda Box, Heroku) compare to the security of virtual machine hosting services (e.g., Amazon Web Services, Linode)? With virtuals machines, we may be on shared hardware, but we're running an operating system managed by our own team (e.g., minimal account access, restricted firewalls, up to date patches). With application hosting services, I'm not sure how much security, or even between-account application and database separation, to expect.

2) I've read through several of the HN discussions around data protection and compliance. I've also read about data protection requirements for consumer marketing data, financial transaction data, and health services data. Since we're not storing consumer marketing data, financial data, or health services data, which of the other standards out there would apply to an online directory service? Do we just err on the side of "the more secure, the better," and choose PCI or HIPAA compliance?

Thank you!

1 comment

[ 2.2 ms ] story [ 9.6 ms ] thread
For #1, I would suggest that your application/API will be the weaker link in the security/privacy chain. While it's possible that you could have Heroku or EC2 admins do "bad things" or have "unruly neighbors", it's far more likely you'll introduce flaws via insecure coding practices or by using insecure libraries. If you rely on solid data encryption (at rest and in transit) practices and make the effort to secure credentials properly, you should be fine in either setup. I'd make the dedicated VPS vs "cloud" setup based upon need for scalability/etc vs security. You should be able to secure a "cloud" config to your needs.

For #2 – since it seems you're in more a 'privacy' realm than a 'compliance' realm, it may be worth the time to peruse the White House's framework – http://www.whitehouse.gov/sites/default/files/privacy-final.... – from this past Feb (which has links/refs/comparisons-across privacy standards) and then the CSA's Cloud Controls Matrix : https://cloudsecurityalliance.org/research/ccm/ : or the whole CSA GRC stack : https://cloudsecurityalliance.org/research/grc-stack/ : which should help you assess which provider/service is right.

The prescriptive controls in PCI can help you design your data access & handling strategy, but you have to remember that PCI is highly focused on protecting a sixteen digit number and you'll need to determine what your critical data components are from a privacy perspective to effectively map against PCI or other control frameworks.