[bigiain]

"it's hard to imagine a court finding it unreasonable that someone placed data worth $13,000 to them on a respected VPS provider."

Really? (I'm reading that as saying you think it _is_ a reasonable thing to store $13k worth of effectively-cash-value in a $19.95/month vps account?)

Does anyone know what regulations like HIPPA or PCI have to say about the security of data stored on managed-by-3rd-party servers like VPSs?

[orofino]

IANAL (or QSA)

PCI doesn't specifically say anything about usage of a VPS. It does however speak about access to data.

If you have encrypted credit card information, you'll be asked to list those that have access to the encrypted information, they encryption key, and the key encrypting key. Then you'll be asked to justify their access.

I'm sure I could come up with with several other major violations, but this alone is severe enough that I can't envision a way that you'd pass a PCI audit.

[nknight]

First of all, yes, I think it's reasonable.

Second, where are you getting $19.95/month from, anyway? I haven't seen the plan in question mentioned, and even if this particular VPS happened to be Linode's lowest-end, the last time I looked (a while back, granted), slush had multiple large VPSs with Linode.

Third, really, what does the price of the VPS have to do with it? You think as the cost of the VPS goes down, we're entitled to less assurance that an employee isn't going to bolt with our data?

Finally, HIPAA and PCI regulations are ginormously complex, but violations of them almost inevitably cost a hell of a lot more than $13k.

[bigiain]

Interesting.

I'll freely admit I've only been thinking about this since reading this article, so I'm both not-fully-informed and I'm thinking about it as a response to some guy losing ~$13k, but to me it's _not_ reasonable.

(And my $19.95 number is perhaps hyperbolically chosen from their least expensive vps offering - but my assumption would be that the management/hypervisor back end would be shared across their entire infrastructure, so I think my argument holds, in that I'd expect the higher priced offerings to "only" have the employee-reliability-assurance of the cheapest vps…)

[nknight]

Why are you looking at it as "X has the same assurance as Y" instead of "Y has the same assurance as X"?

If you've got a vault that holds a massive diamond, and a little gold ring, do you become concerned because the diamond "only" has the protection of a little gold ring?

[larrys]

Linode plans (like those of other hosting/vps providers) are differentiated on storage/memory/bandwidth. Security isn't a factor. Compare that to an auto where "security" is definitely mentioned and part of the selling proposition and what you pay (they mention theft devices, crash stuff, airbags etc.)