I mean, this is dangerously close to descending into ridiculous "who's the better techie" arguments, but there are a lot of factors to consider:
- Physical security of the machine
- Access to hardware
- Resource isolation
- Network monitoring and security
- OS-level security
A physical server colocated offers up:
- generally poor physical security, until the point at which you can justify your own floor of a facility or your own facility. Cabinet locks are junk, raised floors are tailor-made to be crawled under, and social engineering can usually let you talk your way into a datacenter.
- Really good access to hardware - so you can control your components, that's a plus for certain applications.
- Resource isolation - don't have to worry about anything else sharing hardware, that's a plus
- Network monitoring - generally terrible in colocated environments, unless you're going to set up your own hardware firewalls, IDS, and so on. Most firewalling will be applied at an OS level.
- OS-level security - this is what you make of it. Do you apply OS updates religiously? Manage your firewall rules like an expert (i.e. without breaking useful things like PMTU)?
An Amazon EC2 instance (or Linode, DigitalOcean, etc.) offers up:
- much better physical security. They have a lot to lose if someone gets physical access to their machines, and are at the scale where they have security measures in place. Plus, there's the challenge of even knowing which physical machine you're on
- Lousy access to hardware
- Lousy resource isolation, though the question is more about how much you trust technologies like Xen and KVM
- Network monitoring - vastly superior to a coloed machine, and it comes along for free
- OS-level security - external firewall rules are much better than OS-level, ability to snap-back my machine to a snapshot means that I can remove the risk of trojans stored locally, and I can still apply OS-level updates.
Again, it's about your fear. Personally, I believe that an Amazon EC2 instance, one of literally millions, with the ability to roll back the entire OS to a known good state at any time, external firewall rules, outstanding physical security, with strong passwords is going to be way more secure than a standalone box wired into a rack in some random datacenter.
Matt
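The "without breaking useful things like PMTU" aside above is the kind of thing that bites people managing their own OS-level firewall: a blanket ICMP drop black-holes the type 3 code 4 "fragmentation needed" messages that Path MTU Discovery depends on, so small responses work and large ones stall. As an added example, not part of Matt's post, here is a small auditor that walks the INPUT chain of an iptables-save dump in order and reports the first rule that would decide the fate of such a packet. The two rulesets are constructed for the example, and the subset of iptables options it understands (protocol, --icmp-type, conntrack state, interface/source/destination restrictions) is an assumption; anything outside that subset is treated conservatively or rejected rather than guessed.

```python
"""Audit an iptables-save dump for rules that black-hole Path MTU Discovery.

Added example, not from the original post. It walks the filter table's
INPUT chain top to bottom and reports the first rule (or the chain policy)
that decides what happens to an inbound ICMP type 3 code 4 packet.
"""
import re
import shlex
from typing import Dict, List, Optional, Tuple

PMTU_TYPE, PMTU_CODE = 3, 4                        # ICMP "fragmentation needed"
PMTU_TYPE_NAMES = {"destination-unreachable", "fragmentation-needed"}

# Constructed sample: a "lock it all down" ruleset that drops every ICMP
# packet before anything else. Only ESTABLISHED is accepted, and ICMP errors
# about a tracked flow are classified RELATED, so they are dropped too.
BROKEN_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
"""

# Constructed sample: same default-deny policy, but RELATED traffic and an
# explicit type 3/4 accept sit in front of the ICMP drop (the explicit rule
# still matters when conntrack is absent or its table is full).
FIXED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


def parse_input_chain(dump: str) -> Tuple[List[List[str]], Dict[str, str]]:
    """Return the *filter INPUT rules as token lists, plus chain policies."""
    rules, policies, in_filter = [], {}, False
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                  # table header, e.g. *filter
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):  # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif in_filter and line.startswith("-A INPUT "):
            rules.append(shlex.split(line)[2:])   # drop the "-A INPUT" prefix
    return rules, policies


def parse_options(tokens: List[str]) -> Dict[str, Optional[str]]:
    """Map '-opt value' pairs; negation ('!') is refused rather than guessed."""
    if "!" in tokens:
        raise ValueError("negated matches are not supported by this auditor")
    opts: Dict[str, Optional[str]] = {}
    i = 0
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[tokens[i]] = tokens[i + 1] if has_value else None
        i += 2 if has_value else 1
    return opts


def icmp_type_covers_pmtu(spec: str) -> bool:
    """Does an --icmp-type argument ('3', '3/4', 'fragmentation-needed') cover 3/4?"""
    if spec in PMTU_TYPE_NAMES:
        return True
    m = re.fullmatch(r"(\d+)(?:/(\d+))?", spec)
    if not m:
        return False
    return int(m.group(1)) == PMTU_TYPE and (m.group(2) is None or int(m.group(2)) == PMTU_CODE)


def rule_matches_pmtu(tokens: List[str]) -> bool:
    """Could this rule match a fragmentation-needed packet arriving from any router?"""
    opts = parse_options(tokens)
    if opts.get("-i") == "lo" or "-s" in opts or "-d" in opts:
        return False                              # loopback- or address-restricted rule
    if opts.get("-p") not in (None, "icmp", "all"):
        return False                              # tcp/udp/... rules never see ICMP
    state = opts.get("--ctstate") or opts.get("--state")
    if state is not None and "RELATED" not in state.split(","):
        return False                              # ICMP errors about tracked flows are RELATED
    if "--icmp-type" in opts:
        return icmp_type_covers_pmtu(opts["--icmp-type"] or "")
    return True


def audit_pmtu(dump: str) -> Tuple[str, str]:
    """Return ('ok' | 'blackhole' | 'unknown', deciding rule or policy)."""
    rules, policies = parse_input_chain(dump)
    for tokens in rules:
        target = parse_options(tokens).get("-j")
        if target is None or not rule_matches_pmtu(tokens):
            continue
        rule_text = "-A INPUT " + " ".join(tokens)
        if target == "ACCEPT":
            return "ok", rule_text
        if target in ("DROP", "REJECT"):
            return "blackhole", rule_text
        return "unknown", rule_text               # jump to a user chain: inspect by hand
    policy = policies.get("INPUT", "ACCEPT")      # no rule matched: the chain policy decides
    return ("ok" if policy == "ACCEPT" else "blackhole"), f"INPUT policy {policy}"


if __name__ == "__main__":
    for name, dump in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        verdict, why = audit_pmtu(dump)
        print(f"{name}: {verdict} ({why})")
```

Run it against `iptables-save` output from a real host and look for a `blackhole` verdict; the usual fix is exactly what the second ruleset does, accepting RELATED state and type 3/4 ahead of any ICMP drop. The same applies to IPv6, where the equivalent is ICMPv6 type 2 "packet too big" and there is no fragmentation fallback at all.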