
Some public cloud providers have "dirty disks", report finds

Data from other customers can still be accessed long after it was meant to be wiped


A forensic IT study by a UK security consultancy found that some multi-tenant public cloud providers have "dirty disks" that are not fully wiped clean after each use by a customer, leaving potentially sensitive data exposed to other users.

Last year, officials at Context Information Security conducted a study to determine if they could access data from other customers within public cloud environments of four providers. "We were quite surprised," says Michael Jordan, research and development manager at Context. "Using a pretty straightforward test we were able to view data that had been there a pretty long time."

Context officials, who conducted the study with the permission of the cloud providers, performed a series of disk analysis tests on virtual machines running in the public clouds. The theory was that if the hypervisor is not architected to clear storage disks after each use by a customer, the data can remain on the disk and be accessed by subsequent users. Sure enough, when Context researchers prompted the virtual machines to read the raw data on the disk, they found remnants of previous customers' data.

In one test Context researchers found references to applications that had previously been installed on the disk, while in other cases they found more potentially sensitive data, such as fragments of a website's customer database and logs showing where the data came from. "The remnant data was randomly distributed and would not allow a malicious user to target a specific customer," Context officials wrote in a report describing their testing. "A malicious user who discovered the vulnerability could, however, exploit it to harvest whatever unencrypted data he came across: e.g. personal information, credit cards or credentials."

Vulnerabilities were found in several providers' clouds

Context officials tested cloud service providers Amazon Web Services, Rackspace, VSP.net and Gigenet and found that Rackspace and VSP.net had the vulnerability. Rackspace worked with Context for more than a year to update its system and said it has "fully resolved" the vulnerability and notes that it knows of no customer data being breached. "We have ensured that all data is wiped effectively whenever disk space moves from one customer to the next. And we have cleaned up all fragments of remnant data," a statement from Rackspace reads. VSP.net notified Context that it had patched its system, but provided no additional details. The company did not respond to requests for comment.

VSP.net uses technology from OnApp to run its cloud platform, and officials with that company say that after they were alerted to the issue by VSP.net they created a patch that cloud service providers can choose to install, which will automatically zero out all disks after use by a customer. Carlos Rego, chief visionary officer for OnApp, says he has not tracked how many of the company's service provider customers have installed the add-on functionality.

"It looks to me like some providers are trading off security for performance," says Bharath Sridhar, director of cloud infrastructure and technology at Zoho, which has Platform-as-a-Service and Software-as-a-Service offerings. Ideally, virtual machines should not be able to access the root disks, but if that security provision is in place, it can slow the performance of the compute system because each disk has to be overwritten and zeroed out, as opposed to just writing over the old data. Virtualisation and cloud technologies need to mature to allow for better performance while maintaining that security, and the lack of that so far points to the "growing pains" of the industry, Sridhar says.

Make sure you know what happens to your data

He recommends customers have as much knowledge as possible about the complete life cycle of their data in the public cloud, the specific data retention and data management policies of their public cloud providers and what protections there are to segregate the data once it's in the cloud.

Rego, with OnApp, recommends that customers perform zeroing out processes themselves, even if their provider also zeros out the disks. By running a simple command line in Linux and Windows, customers can zero out the disks, he says.
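Both the raw-disk read that Context used to find remnants and Rego's advice to zero volumes yourself come down to the same check: is every byte of a freshly attached block device actually zero? The following is an added example (not code from the Techworld article, Context or OnApp) that scans a device or raw image in chunks, reports each run of non-zero chunks with any printable text it contains, and returns a non-zero exit status if anything was left behind; the device path and the sample image are assumptions.

```python
"""Audit a freshly attached block device or raw image for remnant data.
Added example (not from the Techworld article or the Context report)."""
import io
import re
import sys
from dataclasses import dataclass

CHUNK = 1 << 20  # read 1 MiB at a time
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")  # runs of ASCII text

@dataclass
class Region:
    offset: int   # byte offset where this run of dirty chunks starts
    length: int   # bytes covered by the run of adjacent dirty chunks
    nonzero: int  # how many of those bytes were non-zero
    sample: str   # first printable string seen, empty if none

def scan_stream(stream, chunk=CHUNK):
    """Return (regions, bytes_read); a region is a run of non-zero chunks."""
    regions, offset = [], 0
    for data in iter(lambda: stream.read(chunk), b""):
        nonzero = len(data) - data.count(0)
        if nonzero:  # chunk is not all zeros: something was left behind
            hit = PRINTABLE.search(data)
            sample = hit.group().decode("ascii") if hit else ""
            last = regions[-1] if regions else None
            if last and last.offset + last.length == offset:
                last.length += len(data)  # extend the current dirty run
                last.nonzero += nonzero
                last.sample = last.sample or sample
            else:
                regions.append(Region(offset, len(data), nonzero, sample))
        offset += len(data)
    return regions, offset

def scan_bytes(image, chunk=CHUNK):
    """Same scan over an in-memory image."""
    return scan_stream(io.BytesIO(image), chunk)

def main(path):
    """Scan a device path such as a just-attached volume; exit 1 if dirty."""
    with open(path, "rb", buffering=0) as dev:
        regions, total = scan_stream(dev)
    for r in regions:
        print(f"dirty @ {r.offset:#x} +{r.length:#x}: {r.nonzero} non-zero {r.sample!r}")
    print(f"{len(regions)} dirty region(s) in {total} bytes")
    return 1 if regions else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Run it against the raw device (as root) before putting a filesystem on a new volume, and again after your own zeroing pass to confirm the pass covered the whole device.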

Others are not surprised by the results. "It's kind of to be expected," says J.B. O'Kane, managing principal at Vigilant, a security and risk consultancy. "It's the same problem we would encounter independent of the cloud related to data governance and what processes and due diligence are in place to protect against vulnerabilities." The situation outlined by Context, he says, is not all that different from data not being zeroed out on a managed hosting, private cloud deployment, or even an old computer that is being thrown away. In all of these contexts, the hard drives should be wiped out after each use. Apparently, he says, it's just not commonplace for that to be done in the cloud yet.
