Dirty Disks May Pose Cloud Security Risk
If you were concerned about the security of your data in the cloud, you may have good reason for concern -- for an entirely new reason.
Context Information Security has found “potentially significant flaws in the implementation of Cloud infrastructure services offered by some providers” that could make its clients’ data vulnerable.
The problem involves “data separation.” Context says its consultants gained access to data that was left behind by other users of the same cloud provider on “dirty disks.” The data included “fragments of customer databases and elements of system information that could, in combination with other data, allow an attacker to take control of other hosted servers.” Context discovered the data accessibility but did not “disclose, use, record, transmit, or store” any of that data.
Among the four providers tested by the consultancy, two (VPS.NET and Rackspace) did not consistently and securely separate virtual servers or nodes “through shared hard disk and network resources.” After informing the providers of the potential security hole, Context confirmed that Rackspace had fixed the vulnerability which was found “among some users of its now-legacy platform for Linux Cloud Servers.” According to Context, Rackspace says “it knows of no instance in which any customer’s data was seen or exploited in any way by any unauthorized party.”
VPS.NET says it installed patch that resolved the security issue, but no details were provided. What’s more troublesome about this provider is that its service is based on OnApp technology, which Context says “is also used by over 250 other cloud providers. OnApp told Context that it now allows customers to opt-in to having their data removed securely, leaving thousands of virtual machines at potential risk. OnApp added that it has not taken measures to clean up remnant data left by providers or customers, on the grounds that not many customers are affected.” Unfortunately, “not many” doesn’t mean every customer is safe.
Context says that its research revealed that “if virtual machines are not sufficiently isolated or a mistake is made somewhere in the provisioning or de-provisioning process, then leakage of data might occur between servers.” A more complete explanation of the exposure, how tests were conducted, and provider responses are described in its blog.
--James E. Powell
Editorial Director, ESJ
Posted by Jim Powell on 04/25/2012