[lug] cloud recommendation

Chris McDermott csmcdermott at gmail.com
Fri Oct 29 15:10:57 MDT 2010

On Fri, Oct 29, 2010 at 2:54 PM, Paul Nowosielski <paulnowosielski at yahoo.com
> wrote:

> The data I'm dealing with is rather sensitive as well. Do you
> feel there are any security implications using these cloud services?

Absolutely.  First of all, you don't have physical control of the
infrastructure, and  you have no idea where the datacenters are located and
no right to inspect or audit them.  As Trent said during his presentation,
that rules out certain classes of data such as PHI (HIPAA requirements).
PCI compliance might also be a stretch, if you're dealing with credit
cards.  Basically, look *very* carefully through whatever standards and
regulations you need to comply with before putting that data up there.
Secondly, even if there are no regulatory reasons to worry, you will be
transferring your data across the internet and that's always cause for
concern.  Make sure you're encrypting credentials everywhere, and I
recommend requiring SSH RSA or DSA keys for logging in remotely.  If you're
setting up database replication, make sure to encrypt that traffic - either
with SSL or by sending it over a VPN.  Ditto for rync.  Finally, you also
want to make sure that the server you create in the cloud is secure.  Your
data will be at risk if the server is compromised too.  If you don't have a
standard linux hardening procedure, check out the checklists from CIS as a
starting point.  There are also some good guides on the interwebs for
security in the cloud.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20101029/2f7c842b/attachment.html>

More information about the LUG mailing list