CIO - If your organization uses a multi-tenant managed hosting service or Infrastructure as a Service (IaaS) cloud for some or all of your dataAAand you aren't following best practices by encrypting that dataAyou may be inadvertently exposing it.
Last year, information security consultancy Context Information Security was tasked by a number of its clients, mostly banks and other high-end clients with serious security concerns, to determine whether the cloud was safe enough for their computing needs.
Context studied four providers: Amazon, Rackspace, VPS.net and GigeNET Cloud. And in two of the four providersAand potentially many othersAit found a security vulnerability that allowed it to access remnant data left by other customers.
"We were looking at the unallocated portions of the disk," says Michael Jordan, manager of research and development at Context. "We were able to look through it and started to see there was data in there. That data was hard disk data and it wasn't our hard disk data."
Data Remnants Included Personally Identifiable Information
The data Jordan and his team discovered included some personally identifiable information, including parts of customer databases and elements of system information, such as Linux shadow files (containing the system's password hashes).
Jordan notes that the information wouldn't be evident to the typical user of cloud servers and would have to be sought. Moreover, he adds, the remnant data was randomly distributed and would not allow a malicious user to target a specific customer. But a malicious user who discovers it could harvest whatever unencrypted data it does contain.
"After examining a brand new provisioned disk on one of the providers, some interesting and unexpected content was discovered," Jordan and James Forshaw, principal consultant at Context, wrote in a blog post about their discovery. "There were references to an install of WordPress and a MySQL configuration, even though the virtual server had neither installed.
Expecting it to be perhaps just a 'dirty' OS image, a second virtual server was created and tested in the same way. Surprisingly, the data was completely different, in this case exposing fragments of a Website's customer database and of Apache logs which identified the server the data was coming from. This confirmed the data was not from our provisioned server."
Incorrectly Configured Hypervisors to Blame
The issue, Jordan says, was with the way the providers provisioned new virtual servers and how they allocated new storage space. On the front end, when clients create new virtual servers, they use the provider's website to select the operating system and amount of storage they require.
On the backend, the provider gathers disk space to contain the virtual image and then overwrites the start of the disk with a preconfigured OS image.
- Trends in Pop-up Retail: Innovative Merchandising Driven by Flexible, Dependable Mobile Connectivity This paper outlines the challenges and obstacles to successful implementation, and discusses existing, rapid-deployment solutions for connecting pop-up locations with mission-critical retail applications...
- Evaluating File Sync and Share Solutions: 12 Questions to Ask about Security File sync and share can increase productivity, but how do you pick a solution that works for you? Download to learn some important...
- What is this "File Sync" Thing and Why Should I Care About It? All of a sudden, getting a file from your work laptop to your iPad became as simple as clicking "Save." So it's no...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- IBM Global SaaS Study Video This video introduces the IBM Global SaaS study conducted by the Center for Applied Insights. The study reveals how companies are using Software...
- Brunswick Moves Messaging and Collaboration to the IBM cloud Gerry Orten, Jr, Electronic Messaging Manager at Brunswick talks about why Brunswick moved to the IBM cloud. All Cloud Computing White Papers | Webcasts