Is Your Cloud Provider Exposing Remnants of Your Data?
By Thor Olavsrud, CIO.com, May 16, 2012
Thor Olavsrud covers IT Security, Open Source, Microsoft Tools and Servers for CIO.com.
If your organization uses a multi-tenant managed hosting service or Infrastructure as a Service (IaaS) cloud for some or all of your data, and you aren't following best practice by encrypting that data, you may be inadvertently exposing it.
Last year, information security consultancy Context Information Security was tasked by a number of its clients, mostly banks and other high-end clients with serious security concerns, to determine whether the cloud was safe enough for their computing needs.
Context studied four providers: Amazon, Rackspace, VPS.net and GigeNET Cloud. In two of the four providers, and potentially many others, it found a security vulnerability that allowed it to access remnant data left by other customers.
"We were looking at the unallocated portions of the disk," says Michael Jordan, manager of research and development at Context. "We were able to look through it and started to see there was data in there. That data was hard disk data and it wasn't our hard disk data."
Data Remnants Included Personally Identifiable Information
The data Jordan and his team discovered included some personally identifiable information, including parts of customer databases and elements of system information, such as Linux shadow files (containing the system's password hashes).
Jordan notes that the information wouldn't be evident to the typical user of cloud servers and would have to be sought. Moreover, he adds, the remnant data was randomly distributed and would not allow a malicious user to target a specific customer. But a malicious user who discovers it could harvest whatever unencrypted data it does contain.
"After examining a brand new provisioned disk on one of the providers, some interesting and unexpected content was discovered," Jordan and James Forshaw, principal consultant at Context, wrote in a blog post about their discovery. "There were references to an install of WordPress and a MySQL configuration, even though the virtual server had neither installed.
Expecting it to be perhaps just a 'dirty' OS image, a second virtual server was created and tested in the same way. Surprisingly, the data was completely different, in this case exposing fragments of a Website's customer database and of Apache logs which identified the server the data was coming from. This confirmed the data was not from our provisioned server."
Incorrectly Configured Hypervisors to Blame
The issue, Jordan says, was with the way the providers provisioned new virtual servers and how they allocated new storage space. On the front end, when clients create new virtual servers, they use the provider's website to select the operating system and amount of storage they require.
On the back end, the provider gathers disk space to contain the virtual image and then overwrites the start of the disk with a preconfigured OS image.
"This means that only the start of the disk is filled with initialized data, as the rest of the disk would never be explicitly written to during provisioning," Jordan and Forshaw wrote. "If this allocation was being performed using the hosting operating system's file APIs, this would not normally be a problem. The OS would ensure that any uninitialized data was automatically zeroed before being returned to a user application (or in this case the virtual machine). Clearly in this case it was not using these mechanisms."
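A check a tenant can run against a freshly provisioned volume before trusting it, as an added example that is not code from the article or from Context: it reads everything past the region the OS image wrote and reports any sector that is not all zeros, which a provider that zeroes storage on allocation should never produce. The image layout, offsets and leftover text are constructed for the demonstration; on a real volume you would pass the raw device path and the size of the image the provider wrote.

```python
import os, tempfile

SECTOR = 512
CHUNK = 1 << 20  # read 1 MiB at a time so scanning a large volume stays fast

def scan_uninitialized_region(path, image_end, sector=SECTOR, chunk=CHUNK):
    """Read a raw disk image (or a block device opened read-only) from
    image_end, the last byte the provider's OS image is known to have
    written, to the end of the volume.  Returns (offset, length) runs of
    sectors that are not all zero; a correctly zeroed volume returns []."""
    runs, run_start, offset = [], None, image_end
    with open(path, "rb") as fh:
        fh.seek(image_end)
        while True:
            buf = fh.read(chunk)
            if not buf:
                break
            if buf.count(0) == len(buf):  # fast path: whole chunk is zero
                if run_start is not None:
                    runs.append((run_start, offset - run_start))
                    run_start = None
                offset += len(buf)
                continue
            for i in range(0, len(buf), sector):
                sec = buf[i:i + sector]
                if sec.count(0) != len(sec):  # something was left behind here
                    if run_start is None:
                        run_start = offset
                elif run_start is not None:
                    runs.append((run_start, offset - run_start))
                    run_start = None
                offset += len(sec)
    if run_start is not None:
        runs.append((run_start, offset - run_start))
    return runs

def demo(dirty=True):
    """Constructed 64 KiB image: a 4 KiB 'OS image' at the start and, when
    dirty, one sector at offset 8192 holding stand-in leftover text."""
    data = bytearray(64 * 1024)
    data[:4096] = b"\x55" * 4096
    if dirty:
        leftover = b"# constructed remnant, not real tenant data\n"
        data[8192:8192 + len(leftover)] = leftover
    with tempfile.NamedTemporaryFile(suffix=".img", delete=False) as tmp:
        tmp.write(data)
    try:
        return scan_uninitialized_region(tmp.name, image_end=4096)
    finally:
        os.unlink(tmp.name)
```

Any run the scan reports is a reason to ask the provider how storage is zeroed on allocation, and to encrypt before writing your own data to that volume.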
Jordan notes that because the problem lies with the method of configuring hypervisors, it could potentially affect managed hosting providers as well as cloud service providers.
Both providers that exhibited the vulnerability, Rackspace and VPS.net, have since reported that they have patched it. Rackspace reportedly worked closely with Context to address the issue, inviting Context researchers to its headquarters and providing access to its engineers, executives and processes. VPS.net uses technology from OnApp, which is also used by at least 250 other cloud service providers. VPS.net told Context that it rolled out a patch that fixed the issue.
Jordan notes that this issue should not stop companies from using IaaS if there's a strong business need for it. But he does recommend that customers follow best practices when leveraging the cloud.
"If you are a new customer, you have options," he says. "You can ensure your data is encrypted when it's on the hard disk. That way if someone does get access to a portion of a disk, they'll only see encrypted data."
Jordan also recommends asking your provider lots of questions about their processes, including how hypervisors are provisioned and deprovisioned. Additionally, he notes that it is the client's responsibility to harden virtual servers provided by the service provider, and that includes checking out any backdoors providers use to manage the server.