CIO - If your organization uses a multi-tenant managed hosting service or Infrastructure as a Service (IaaS) cloud for some or all of your dataAAand you aren't following best practices by encrypting that dataAyou may be inadvertently exposing it.
Last year, information security consultancy Context Information Security was tasked by a number of its clients, mostly banks and other high-end clients with serious security concerns, to determine whether the cloud was safe enough for their computing needs.
Context studied four providers: Amazon, Rackspace, VPS.net and GigeNET Cloud. And in two of the four providersAand potentially many othersAit found a security vulnerability that allowed it to access remnant data left by other customers.
"We were looking at the unallocated portions of the disk," says Michael Jordan, manager of research and development at Context. "We were able to look through it and started to see there was data in there. That data was hard disk data and it wasn't our hard disk data."
Data Remnants Included Personally Identifiable Information
The data Jordan and his team discovered included some personally identifiable information, including parts of customer databases and elements of system information, such as Linux shadow files (containing the system's password hashes).
Jordan notes that the information wouldn't be evident to the typical user of cloud servers and would have to be sought. Moreover, he adds, the remnant data was randomly distributed and would not allow a malicious user to target a specific customer. But a malicious user who discovers it could harvest whatever unencrypted data it does contain.
"After examining a brand new provisioned disk on one of the providers, some interesting and unexpected content was discovered," Jordan and James Forshaw, principal consultant at Context, wrote in a blog post about their discovery. "There were references to an install of WordPress and a MySQL configuration, even though the virtual server had neither installed.
Expecting it to be perhaps just a 'dirty' OS image, a second virtual server was created and tested in the same way. Surprisingly, the data was completely different, in this case exposing fragments of a Website's customer database and of Apache logs which identified the server the data was coming from. This confirmed the data was not from our provisioned server."
Incorrectly Configured Hypervisors to Blame
The issue, Jordan says, was with the way the providers provisioned new virtual servers and how they allocated new storage space. On the front end, when clients create new virtual servers, they use the provider's website to select the operating system and amount of storage they require.
On the backend, the provider gathers disk space to contain the virtual image and then overwrites the start of the disk with a preconfigured OS image.
- The Truth About Virtual Computing for CAD If you're a user of graphics-intensive software such as 3D modeling, simulation and analysis, and visualization, you might be skeptical about moving to...
- Simplifying Product Design In A Complex World Product design engineering has moved far beyond the confines of ever-more powerful workstations. Companies can't afford to restrict projects to using only local...
- What is this "File Sync" Thing and Why Should I Care About It? All of a sudden, getting a file from your work laptop to your iPad became as simple as clicking "Save." So it's no...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Why Are Customers Really Deploying an NGFW? It seems every IT Security expert is talking about the NGFW, but what are people really doing? This webcast covers 5 real-world customer...
- ElectricAccelerator: Dramatically Faster Builds and Test ElectricAccelerator dramatically speeds up builds and test by parallelizing jobs across clusters of physical or cloud CPUs. All Cloud Computing White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!