Are hosted bare-metal servers more secure than VPS against unauthorized disclosure?
Our small company needs to store sensitive data in the cloud. We are debating VPS's or rented bare-metal servers due to cost. Our threat model includes malicious sysadmins working at the hosting provider and this is what we are focusing on, not side-channel attacks from other customers on the VPS etc. Our policies require FDE using LUKS and we have tested unlocking the disks with both Linode and bare-metal servers using dropbear.
We know that neither solution is secure against a determined and well-resourced attacker. We know that FDE was not designed as a logical control to protect against unauthorized disclosure on a running system. However we need to assess the degree of increased risk when using a VPS.
Pro-bare-metal team argue malicious sysadmins can more easily access VM from host OS and therefor bare-metal protects against less capable sysadmins. This could enable them dump memory and access sensitive data. Or for example replace dropbear with malicious version on unencrypted boot partition.
The pro-VPS team argue that all of the above is equally possible with a dedicated server and since sysadmin has access to hardware its game over anyway. They agree it would likely require malicious actor to have more skill/time with higher chance of being detected. e.g. they may have to reboot server to implant payload.
Both teams agree that probability of attack from capable malicious sysadmin is low and therefor the risk of unauthorized disclosure for the VPS is medium and dedicated is low. Due to the massive cost savings the business are keen to accept the risk and go with VPS.
I feel this could be missing whole classes of attack vectors and so I'd like to ask the community what we could be missing?
Our threat model includes malicious sysadmins working at the hosting provider and this is what we are focusing on ...
If this is truly your primary threat concern, then Virtual vs Physical is a false dichotomy. Nothing short of physically hosting and protecting it yourself is going to address that threat.
FDE protects dead, as in non-running, systems not running systems. Servers in particular need the ability to restart. This means either manual intervention or stored keys at the server. This requires a trusted admin, which is counter to your primary concern.
You mentioned cost as the driver to a hosted system. If cost is overiding trust, your best bet is to use what you believe to be the most trusted provider. Many companies and organizations already do this, but you have to make the decision as to which is more important.
You simply are not going to be able to have a secure untrusted provider.,