I always thought they were a reputable company. Until I had to deal with them.
Working in healthcare, we have very specific requirements and regulations to abide by. While Rackspace claim to be HIPAA compliant, their actions speak louder than words. Here's a rough list of requirements. Let's take a look at how bad things are and how incompetent they really are.
A little backstory is required. Our customer rents at Rackspace. They deliver servers with antivirus, monitoring tools (theirs), and a user account for them. After multiple requests to deliver a minimal-install CentOS server, they claim it's impossible "since they use kickstart files". Right off the bat, you can see how incompetent they are. Who made their kickstart file? Did they get it off the net? It takes literally 3 minutes to update a kickstart file to remove useless packages. This was denied multiple times. Install from the CD? Denied also. They insist on delivering a server that, right off the bat, fails all HIPAA checks. Yet they argue they're compliant.
So first, let’s take a look at #3 of the rough list of requirements.
Policies developed to control access to physical buildings and electronic systems containing PHI (protected health information)
We clearly have our own policies, as we're the ones installing the software and maintaining it. But right off the bat, Rackspace breaks this by creating users on the system. "Required users for our systems", they claim. This breaks HIPAA certification. Of course, we'll delete the user; but that's beside the point. They refuse to provide a clean system.
On to #4.
Guidelines for how data is stored, transferred, trashed, and reimplemented
Again, they install "their own monitoring system", which they claim is in all their templates. This is a major issue, as it is third-party software we don't control, and we can't know whether it transfers stored data. They claim it doesn't, but the mere fact that they refuse to deliver a server without it should raise major alarms.
Now obviously, this creates more issues for point #5:
Audits and logs of system use (SSAE 18 and SOC audited infrastructure)
Well, the infrastructure audits reveal third-party software we don't control. Hence the audit results are less than perfect, and this will need to be corrected.
And again for #6:
Rules for data transmission in all possible scenarios (email, cloud, etc.)
Our rules clearly specify that third-party software is only allowed after it has been analyzed and audited by our team and certified as safe. Their third-party monitor, antivirus and other junk are not.
They also register the servers to their own Spacewalk, so now unknown packages are able to make their way onto the system. Obviously we have to remove that repo, but what unsafe packages were already installed? Well, we'll have to audit all of them, comparing RPM checksums and file checksums. This creates delays and other possible problems for the customer and raises the total bill for them. The more we have to validate the system, the longer it takes.
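As an added example that is not part of the original post, and not Rackspace's or the customer's own tooling, here is a small POSIX shell script for the validation described above: it flags local accounts that are not on an allow-list, packages whose RPM vendor tag is not CentOS, Spacewalk/RHN registration, and files whose on-disk digest no longer matches the RPM payload. Each helper reads the output of one command from stdin, so it can be run against output captured from a delivered server; the `audit_host` function wires them to the live commands. The account and package names in the comments are constructed for illustration.

```shell
#!/bin/sh
# Post-delivery validation helpers for a CentOS host (added example, not
# code from the post or from any hosting provider). Every helper reads
# stdin so it can be tested against captured command output.

# Print local accounts with UID >= 1000 and an interactive shell that are
# not on the comma-separated allow-list in $1. Input: /etc/passwd lines.
# Constructed example: "vendoruser:x:1001:1001::/home/vendoruser:/bin/bash"
# is reported; "nfsnobody" is skipped because its shell is nologin.
unexpected_accounts() {
  awk -F: -v allow="${1:-}" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $3 >= 1000 && $7 !~ /(nologin|false)$/ && !($1 in ok) { print $1 }
  '
}

# Print packages whose VENDOR tag is anything other than "CentOS", which is
# how a package pulled from a provider repo or built locally shows up.
# Input: rpm -qa --qf '%{NAME}\t%{VENDOR}\n'
foreign_packages() {
  awk -F'\t' '$2 != "CentOS" { print $1 " (vendor: " $2 ")" }'
}

# Print files whose MD5 digest differs from the RPM payload (flag position 3
# of rpm -V is "5"), and files that are missing entirely. Config files
# (attribute "c") are skipped because they are expected to be edited.
# Input: rpm -Va output, e.g. "S.5....T.    /usr/lib64/libexample.so"
modified_files() {
  awk '
    $1 == "missing" { print "missing " $NF; next }
    substr($1, 3, 1) == "5" && $2 != "c" { print "changed " $NF }
  '
}

# Report whether the host is registered to an RHN/Spacewalk server; the
# registration client writes /etc/sysconfig/rhn/systemid on success.
spacewalk_registered() {
  [ -f "${1:-/etc/sysconfig/rhn/systemid}" ]
}

# Run all checks against the live system. $1 is the account allow-list.
audit_host() {
  echo "== local accounts not on the allow-list (${1:-none}) =="
  unexpected_accounts "${1:-}" < /etc/passwd
  echo "== packages not from the CentOS vendor =="
  rpm -qa --qf '%{NAME}\t%{VENDOR}\n' | foreign_packages
  echo "== RHN/Spacewalk registration =="
  if spacewalk_registered; then
    echo "registered: /etc/sysconfig/rhn/systemid present"
  else
    echo "not registered"
  fi
  echo "== files differing from their RPM payload =="
  rpm -Va | modified_files
}

# Usage: sh validate.sh run ops,deploy
if [ "${1:-}" = "run" ]; then
  audit_host "${2:-}"
fi
```

Anything the script reports still has to be judged by hand: a non-CentOS vendor tag is not proof of malice, and `rpm -V` only compares against what the RPM database claims, so a package installed from a provider repo will verify cleanly against its own payload. The point of the script is to shrink the list of things that need a manual look, not to replace that look.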
I won't go into more details, but it's clear that Rackspace don't know what they're doing. They can't do a minimal install; instead they deliver a polluted system that requires a few days of full-time work for every server to be validated as "good" before proceeding with the software install. When confronted about it, they refuse to do anything. Instead of having a very simple task done internally and saving their customers potentially thousands of dollars, they'd rather make sure they do, in fact, spend money uselessly. Not only is this terrible service, but I'm fairly sure it breaks at least a few HIPAA regulations.