Dirty Disks and Cloud Security
I expect to see more cloud security articles in the near future, and this one does a good job of highlighting some of the things that end users need to worry about.
Most IaaS cloud vendors rely on best practices and security baked into their software to provide security to their end clients, but with certain internally used bits of source code, as was the case with VPS.NET and Rackspace, the potential for security errors creeps in.
Case in point: the issue here concerned reusing hard disk space after a customer relinquished it. In the IaaS world, resources are reused once a user terminates them. This reuse includes hard disk space for file storage, and the data previously stored on the drive by the old customer is supposed to be deleted before the space is presented as blank to another customer.
However, as these researchers found, the data was not being thoroughly destroyed, and bits and pieces of file data were preserved between one customer's use and the next. This means that any data stored on the disk could have leaked to another customer, provided that customer knew where to look.
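A defender-side check for exactly this failure mode, added here as an example and not code from the original post or from either provider: read a freshly provisioned volume block by block and flag any block that is not all zeros, since residue from a previous tenant is the one thing a brand-new volume should never contain. The in-memory image, the secret string and the device name in the comments are constructed assumptions so the script runs offline.

```python
import io
import math
from collections import Counter

BLOCK = 4096  # assumed block size; match the device's actual block size in practice


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; random or compressed data approaches 8.0."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_for_residue(dev, block=BLOCK, max_blocks=None):
    """Read a block device (or image) and return (blocks_read, dirty) where
    dirty lists (byte_offset, entropy) for every block containing non-zero data.
    For a real volume, open e.g. /dev/xvdf (assumed name) read-only and pass it in."""
    dev.seek(0)
    dirty, idx = [], 0
    while max_blocks is None or idx < max_blocks:
        chunk = dev.read(block)
        if not chunk:
            break
        if chunk.count(0) != len(chunk):  # any non-zero byte means leftover data
            dirty.append((idx * block, round(entropy(chunk), 2)))
        idx += 1
    return idx, dirty


def release_volume(image: bytearray, wipe: bool) -> bytearray:
    """Simulate the provider reclaiming a volume. wipe=False drops only the
    allocation record (the remanence bug); wipe=True zeroes every block first."""
    if wipe:
        image[:] = b"\x00" * len(image)
    return image


# Constructed sample: a 16-block volume where the previous tenant left a config
# fragment in block 3 and high-entropy data (e.g. an encrypted file) in block 7.
OLD_TENANT = bytearray(16 * BLOCK)
SECRET = b"db_password=hunter2\napi_key=abcd\n"  # constructed, not a real credential
OLD_TENANT[3 * BLOCK:3 * BLOCK + len(SECRET)] = SECRET
OLD_TENANT[7 * BLOCK:8 * BLOCK] = bytes(range(256)) * 16


def demo(wipe: bool):
    """Reclaim the sample volume with or without wiping, then scan it as a new tenant."""
    img = release_volume(bytearray(OLD_TENANT), wipe)
    return scan_for_residue(io.BytesIO(bytes(img)))


if __name__ == "__main__":
    print("no wipe :", demo(False))  # two dirty blocks at offsets 12288 and 28672
    print("wiped   :", demo(True))   # no dirty blocks
```

A volume that passes this check can still have been leaked to someone else earlier, so the scan complements, rather than replaces, encrypting tenant data at rest with tenant-held keys.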
This is very bad, but not surprising. Low-level details like this are easy to overlook, and until someone finds one and points it out to the provider, the provider may be blissfully unaware that it exists.
This problem isn't unique to these two vendors. Folks like Amazon, who have a pretty good history of security, are just as vulnerable, perhaps not on this specific issue, but on others. In fact, one of the biggest vulnerabilities is the ever-changing code behind the scenes that the end user is not aware of. Amazon in particular is constantly adding new features, releasing new internal versions of its cloud software and deploying them strategically, all out of view of the end user. Because the code is in a constant state of change, new vectors for exploitation are always a possibility. Security holes that didn't exist a few days ago could open up as the result of a misstep by an Amazon engineer.
The bottom line is that cloud security must be taken very seriously. While a certain level of trust in the provider must be accepted, going the extra mile with internal security practices to ensure that data can't be leaked is a prudent decision for any organization using the cloud.
Data Cave is a privately owned and operated Tier IV data center located in Columbus, Indiana convenient to Indianapolis, Louisville and Cincinnati. Please contact us for more information at 866-514-2283.