Data protection
1) How does the security of application hosting services (e.g., Pagoda Box, Heroku) compare to the security of virtual machine hosting services (e.g., Amazon Web Services, Linode)? With virtuals machines, we may be on shared hardware, but we're running an operating system managed by our own team (e.g., minimal account access, restricted firewalls, up to date patches). With application hosting services, I'm not sure how much security, or even between-account application and database separation, to expect.
2) I've read through several of the HN discussions around data protection and compliance. I've also read about data protection requirements for consumer marketing data, financial transaction data, and health services data. Since we're not storing consumer marketing data, financial data, or health services data, which of the other standards out there would apply to an online directory service? Do we just err on the side of "the more secure, the better," and choose PCI or HIPAA compliance?
Thank you!
1 comment
[ 2.2 ms ] story [ 9.6 ms ] threadFor #2 – since it seems you're in more a 'privacy' realm than a 'compliance' realm, it may be worth the time to peruse the White House's framework – http://www.whitehouse.gov/sites/default/files/privacy-final.... – from this past Feb (which has links/refs/comparisons-across privacy standards) and then the CSA's Cloud Controls Matrix : https://cloudsecurityalliance.org/research/ccm/ : or the whole CSA GRC stack : https://cloudsecurityalliance.org/research/grc-stack/ : which should help you assess which provider/service is right.
The prescriptive controls in PCI can help you design your data access & handling strategy, but you have to remember that PCI is highly focused on protecting a sixteen digit number and you'll need to determine what your critical data components are from a privacy perspective to effectively map against PCI or other control frameworks.