Research by Context Information Security, conducted last year and published yesterday, has uncovered data security flaws in the cloud infrastructure services of several providers, including Rackspace and VPS.NET.
The problem lies in data separation between virtual machines using the same storage drives. The vulnerability could give attackers unauthorised access to deleted customer data that is still invisibly present on the drives. The simplest solution is to “zero” format the hard drives after files have been deleted, making the information unrecoverable.
While Rackspace gave Context access to its engineers, executives and processes to fix the vulnerability, VPS.NET says it has resolved the problem on its own by rolling out a patch.
Context warns that the OnApp Cloud solution, on which VPS.NET is based, is used by over 250 cloud providers worldwide, and there could be thousands of virtual machines at potential risk.
Context also tested the cloud market leader Amazon, as well as another provider, Gigenet, and gave them both a clean bill of health over so-called “dirty disks”. However, with servers hosted on Rackspace and VPS.NET, Context managed to gain access to fragments of customer databases and elements of system information that could potentially give an attacker control over hosted servers.
“This does not mean that the Cloud is unsafe and the business benefits remain compelling, but the simplicity of this issue raises important questions about the maturity of Cloud technology and the level of security and testing undertaken in some instances,” he added.
Since March last year, Rackspace has worked closely with Context to identify and fix the potential vulnerability, which was found among some users of its now-legacy platform for Linux Cloud Servers.
The company has long been “zeroing” the disk areas that were occupied by virtual machines, but this operation was not effective in all instances.
“For Rackspace the issue was in their use of Xen Classic in a configuration which was insecure. Other hypervisors could also be configured in this fashion. We tested four providers and two had the issue, so there is a good chance that other providers will have made the same mistake,” a spokesman for Context told TechWeekEurope.
The company later tested Rackspace’s current cloud platform, as well as its new Cloud computing solution based on OpenStack, and has confirmed that the security vulnerability has been resolved. Rackspace has claimed that to date, no customer data was seen or exploited in any way by any unauthorized party.
VPS.NET told Context that it took 15 days to roll out a patch which fixed the issue. However, its service is based on OnApp – a complete Cloud solution, used across the globe by more than 250 providers, and available to buy off-the-shelf.
“OnApp seem to take the view that cost is more important than security,” said a spokesman for Context. OnApp was not available for comment at the time of writing.
“It is unclear how widespread this issue is among other Cloud providers,” said Jordon. “By raising awareness of the problem, other service providers of Cloud Infrastructure services can ensure they do not put their customers’ data at risk in the same manner, and customers can undertake the appropriate due diligence before moving to the Cloud.”
Context advises the users of OnApp-based Cloud services to ensure they click on the secure wipe button if they are de-provisioning virtual servers.
It is not just storage drives in the cloud that can keep remains of the data after it has been deleted. Research presented by the ICO at Infosec today suggests that one in 10 second-hand hard drives keep personal data.