Research by Context Information Security, conducted last year and published yesterday, has uncovered data security flaws in the cloud infrastructure services of several providers, including Rackspace and VPS.NET.
The problem lies in data separation between virtual machines using the same storage drives. The vulnerability could give attackers unauthorised access to deleted customer data that is still invisibly present on the drives. The simplest solution is to “zero” format the hard drives after files have been deleted, making the information unrecoverable.
While Rackspace gave Context access to their engineers, executives and processes to fix the vulnerability, VPS.NET says it has resolved the problem on its own by rolling out a patch.
Context warns that OnApp Cloud solution, on which VPS.NET is based, is used by over 250 cloud providers worldwide, and there could be thousands of virtual machines at potential risk.
Context also tested the cloud market leader Amazon, as well as another provider, Gigenet, and gave them both a clean bill of health over so-called “dirty disks”. However, with servers hosted on Rackspace and VPS.NET, Context managed to gain access to fragments of customer databases and elements of system information that could potentially give an attacker control over hosted servers.
“This does not mean that the Cloud is unsafe and the business benefits remain compelling, but the simplicity of this issue raises important questions about the maturity of Cloud technology and the level of security and testing undertaken in some instances,” he added.
Since March last year, Rackspace has worked closely with Context to identify and fix the potential vulnerability, which was found among some users of its now-legacy platform for Linux Cloud Servers.
The company has long been “zeroing” the disk areas that were occupied by virtual machines, but this operation was not effective in all instances.
“For Rackspace the issue was in their use of Xen Classic in a configuration which was insecure. Other hypervisors could also be configured in this fashion. We tested four providers and two had the issue, so there is a good chance that other providers will have made the same mistake,” a spokesman for Context told TechWeekEurope.
The company later tested Rackspace’s current cloud platform, as well as its new Cloud computing solution based on OpenStack, and has confirmed that the security vulnerability has been resolved. Rackspace has claimed that to date, no customer data was seen or exploited in any way by any unauthorized party.
VPS.NET told Context that it took 15 days to roll out a patch which fixed the issue. However, its service is based on OnApp – a complete Cloud solution, used across the globe by more than 250 providers, and available to buy off-the-shelf.
“OnApp seem to take the view that cost is more important than security,” said a spokesman for Context. OnApp was not available for comment at the time of writing.
“It is unclear how widespread this issue is among other Cloud providers,” said Jordon. “By raising awareness of the problem, other service providers of Cloud Infrastructure services can ensure they do not put their customers’ data at risk in the same manner, and customers can undertake the appropriate due diligence before moving to the Cloud.”
Context advises the users of OnApp-based Cloud services to ensure they click on the secure wipe button if they are de-provisioning virtual servers.
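As an added example (not part of the article, and not Context's or any provider's tooling), here is a Python check that a provider or a tenant could run against a newly provisioned volume to confirm it really is zeroed, alongside the zero-fill wipe the article describes as the simplest fix. The sample disk image and the "residual" fragments written into it are constructed for the demonstration.

```python
import os
import re
import tempfile

# Any byte that is not 0x00 counts as residue on a volume that should be blank.
NONZERO = re.compile(rb"[^\x00]+")

def find_residue(path, chunk_size=1 << 20):
    """Scan a disk image or block device and return (offset, length) runs
    of non-zero bytes. A correctly zeroed volume returns an empty list."""
    runs = []
    with open(path, "rb") as f:
        base = 0
        while True:
            data = f.read(chunk_size)
            if not data:
                break
            for m in NONZERO.finditer(data):
                off, length = base + m.start(), m.end() - m.start()
                # Merge with the previous run if it continues across a chunk boundary.
                if runs and runs[-1][0] + runs[-1][1] == off:
                    runs[-1] = (runs[-1][0], runs[-1][1] + length)
                else:
                    runs.append((off, length))
            base += len(data)
    return runs

def zero_fill(path, chunk_size=1 << 20):
    """Overwrite the whole image/device with zeros and flush to stable storage.
    Returns the number of bytes written."""
    zeros = bytes(chunk_size)
    with open(path, "r+b") as f:
        f.seek(0, os.SEEK_END)      # works for block devices as well as files
        size = f.tell()
        f.seek(0)
        remaining = size
        while remaining > 0:
            n = min(chunk_size, remaining)
            f.write(zeros[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    return size

def make_sample_image(size=4 * 1024 * 1024):
    """Constructed sample: a 4 MiB 'fresh' volume that still carries two
    fragments of a previous tenant's data, one straddling a 1 MiB chunk edge."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.truncate(size)                       # sparse, reads back as zeros
        f.seek(1000)
        f.write(b"INSERT INTO customers VALUES ('acme', 'secret');")
        f.seek((1 << 20) - 4)
        f.write(b"/etc/shadow fragment")
    return path
```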
It is not just storage drives in the cloud that can retain remnants of data after it has been deleted. Research presented by the ICO at Infosec today suggests that one in 10 second-hand hard drives still holds personal data.