Are services like AWS secure enough for an organization that is highly responsible for it's clients privacy?

Question

Okay, so we have to store our clients` private medical records online and also the web site will have a lot of requests, so we have to use some scaling solutions.
We can have our own share of a datacenter and run something like Zend Server Cluster Manager on it, but services like Amazon EC2 look a lot easier to manage, and they are incredibly cheaper too. We just don't know if they are secure enough!

Are they?
Any better solutions?

More info: I know that there is a reference server and it's highly secured and without it, even the decrypted data on the cloud server would be useless. It would be a bunch of meaningless numbers that aren't even linked to each other.

Making the question more clear: Are there any secure storage and process service providers that guarantee there won't be leaks from their side?

Answer 1

You should never outsource highly sensitive data. Your company and only your company should have access to it - in both software and hardware terms. Even if your hoster is generally trusted someone there might just steal hardware.
Depending on the size of your company you should have your custom servers - preferable even unaccessible for the technicans in your datacenter (supposing you don't own the datacenter ;).
So the more important the data is, the less foreign people should have access to it in any means. In the best case you can name all people that have access to them in any way.
(Update: This might not apply to anonymous data, but as you're speaking of customers I don't think that applies here?) (On a third thought: There're are probably laws to take into consideration of how you have to handle that kind of information ;)

Answer 2

I've got a blog post that covers a large amount of what you need to know: http://blog.labslice.com/2010/09/is-cloud-insecure_2947.html

I think it's fair to say that there's going to be a lot of serious security work involved for your type of scenario (if it's a good idea in the first place).

Answer 3

First off, you should contact AWS and explain what you're trying to build and the kind of data you deal with. As far as I remember, they have regulations in place to accommodate most if not all the privacy concerns.

E.g., in Germany such thing is a called a "Auftragsdatenvereinbarung". I have no idea how this relates and translates to other countries. AWS offers this.

But no matter if you go with AWS or another cloud computing service, the issue stays the same. And therefor, whatever is possible is probably best answered by a lawyer and based on the hopefully well educated (and expensive) recommendation, I'd go cloud shopping, or maybe not. If you're in the EU, there are a ton of regulations especially in regards to medical records -- some countries add more to it.

From what I remember it's basically required to have end to end encryption when you deal with these things.

Last but not least security also depends on the setup and the application, etc..

For complete and full security, I'd recommend a system that is not connected to the Internet. All others can fail.