Which is safer: University IT or cloud-based contact hosting?
October 20, 2011 4:10 AM
Which hosted system is likely to be more secure: A custom-coded database with a web-based front-end coded by an independent coder for $10k and hosted and maintained by a major university, or a small cloud-based provider with several clients who hosts contact data and whose system is set up to accept credit card payments and store other financial information?
I realize that the real answer is likely to be that individual coding practices and security assessments vary depending on the individuals involved, and that answering this in the abstract is somewhat of an academic exercise. And to be really sure, you would need code audits and penetration testing.
In the contemplated scenario, we would be collecting and hosting HIPAA-protected personal data for research purposes. Solution #1 is an out-of-the-box, cloud-based solution used by many nonprofits for managing their contact lists and tracking and processing donations. Solution #1 accepts credit card donations online and stores some of this information, so it is presumably PCI DSS compliant (we are verifying). They have numerous clients and are fairly well-known in the nonprofit space.
Solution #2 is a custom-built SQL database, for which we have a bid of $10k from a solo developer. The system would be hosted by a major university, but it is unclear to me what type of code review the University's internal IT protocols require before running the custom-coded app. The University's research systems and existing servers are HIPAA HITECH compliant. Presumably as part of the hosting the University would patch the servers, but we'd have to pay separately for maintenance of the custom code.
My gut reaction was that the commercial shop (which is presumably PCI DSS compliant) is inherently more secure than the independent coder, because the University would be maintaining and hosting someone else's code and that the commercial shop is more likely to spot vulnerabilities in their own code base.
But when I was trying to explain my position to laypeople with no experience with security issues, they thought I was crazy and asserted that a University-vetted and maintained system would be inherently more secure than a commercial setup, because the University, by the nature of its business, had more experience with security.
Am I right? What other security issues should I be aware of?