Securing the keys to the cloud

As the cloud model is put to the test at more organizations, security holes and malware are coming to light. Here's how to cope.

Business networking site LinkedIn suffered a security breach in June that resulted in the theft of more than 6 million user account passwords, which were subsequently published online. Although the company says there were no reports of compromised accounts, the incident garnered headlines about the risks of the cloud.

And in April 2011, a server breach at email marketing company Epsilon Interactive exposed the names and email addresses of millions of people. The company said unknown intruders broke into one of its email servers and accessed the names and email accounts of some of its 2,500 corporate customers.

As these incidents show, the cloud is still very much a work in progress when it comes to security. Although many cloud service providers claim they can secure their customers' data, security problems are surfacing as the technology takes hold at more organizations.

"More and more businesses are pushing information and services out to the cloud every day. Many are doing so without the slightest knowledge of what risks are lying in wait for them once they leave the sanctity of the existing data center," says Mark Gilmore, president and co-founder of Wired Integrations, a technology consulting firm in San Jose.

There are several areas in which the cloud has security issues, says Dave Shackleford, a cloud security expert and certified instructor at the SANS Institute, a cooperative research and education organization in Bethesda, Md. "Most fundamentally come down to either application security or virtualization-specific issues," he says.

Threats to cloud-based systems include so-called hypervisor escape, or "virtual machine escape" exploits. "There have been several recent vulnerabilities announced that could potentially lead to attackers executing code from a malicious VM and affecting the underlying virtualization platform at a cloud provider," Shackleford says.

One in particular affects a number of 64-bit platforms, as outlined by the U.S. Computer Emergency Readiness Team. In June 2012, US-CERT reported that some 64-bit operating systems and virtualization programs running on Intel CPU hardware are vulnerable to a local privilege escalation attack. Privilege escalation involves exploiting a design flaw or configuration oversight in an operating system or application to gain elevated access to information resources that are normally protected from an application or user.

An attacker might exploit the vulnerability for operating system privilege escalation or for a guest-to-host virtual machine escape, the report says. The solution is to apply vendor-specific patches for the operating system or virtualization software.

The Risks Examined

Another category of vulnerabilities relates to data storage and access failures, Shackleford says. Cloud providers will invariably leverage large-scale shared storage environments such as a storage area network or network-attached storage, he says.

"There are many configuration issues that could lead to illicit storage access, but new research into VMware virtual disks shows that an attacker could potentially create a virtual machine with a crafted virtual disk file that grants access to other parts of the storage environment," Shackleford says. Other examples of new threats that cloud environments face, he says, include denial-of-service attacks from systems in the cloud and cloud providers that are inadvertently hosting malicious botnet controllers.
