CIO - If your organization uses a multi-tenant managed hosting service or Infrastructure as a Service (IaaS) cloud for some or all of your dataAAand you aren't following best practices by encrypting that dataAyou may be inadvertently exposing it.
Last year, information security consultancy Context Information Security was tasked by a number of its clients, mostly banks and other high-end clients with serious security concerns, to determine whether the cloud was safe enough for their computing needs.
Context studied four providers: Amazon, Rackspace, VPS.net and GigeNET Cloud. And in two of the four providersAand potentially many othersAit found a security vulnerability that allowed it to access remnant data left by other customers.
"We were looking at the unallocated portions of the disk," says Michael Jordan, manager of research and development at Context. "We were able to look through it and started to see there was data in there. That data was hard disk data and it wasn't our hard disk data."
Data Remnants Included Personally Identifiable Information
The data Jordan and his team discovered included some personally identifiable information, including parts of customer databases and elements of system information, such as Linux shadow files (containing the system's password hashes).
Jordan notes that the information wouldn't be evident to the typical user of cloud servers and would have to be sought. Moreover, he adds, the remnant data was randomly distributed and would not allow a malicious user to target a specific customer. But a malicious user who discovers it could harvest whatever unencrypted data it does contain.
"After examining a brand new provisioned disk on one of the providers, some interesting and unexpected content was discovered," Jordan and James Forshaw, principal consultant at Context, wrote in a blog post about their discovery. "There were references to an install of WordPress and a MySQL configuration, even though the virtual server had neither installed.
Expecting it to be perhaps just a 'dirty' OS image, a second virtual server was created and tested in the same way. Surprisingly, the data was completely different, in this case exposing fragments of a Website's customer database and of Apache logs which identified the server the data was coming from. This confirmed the data was not from our provisioned server."
Incorrectly Configured Hypervisors to Blame
The issue, Jordan says, was with the way the providers provisioned new virtual servers and how they allocated new storage space. On the front end, when clients create new virtual servers, they use the provider's website to select the operating system and amount of storage they require.
On the backend, the provider gathers disk space to contain the virtual image and then overwrites the start of the disk with a preconfigured OS image.
- IDC: Eliminate Shortcomings in Your Cloud Architecture with Smarter Storage This white paper demonstrates how IBM Smarter Storage provides customers with an ideal, proven platform for cloud computing. IBM has a differentiated storage...
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Managed Private Cloud Protect and manage your entire enterprise continuously with Code42's simple, efficient Managed Private Cloud. Simply plug it in and rely on our data...
- Enterprise Cloud Deployment Strategies A powerful and highly flexible solution, CrashPlan lets organizations select their preferred cloud deployment strategy, resting assured all strategies meet or exceed rigorous...
- Video surveillance for IT: maximum image quality, minimum bandwidth Join us on Thursday, May 8th at 1 p.m. EST when Willem Ryan, Senior Product Marketing Manager at Avigilon, will discuss how IT...
- Leveraging the Cloud for Dev/Test This video discusses some of the key considerations that IT organizations should take into account when moving test and development projects to the... All Cloud Computing White Papers | Webcasts