Is Someone Reading Your Email in a Dirty Cloud?

Knowledge of how your cloud provider provisions disk space can help an administrator protect their organization’s data, as was recently revealed in a report by Context Information Security.

The security researchers said that provisioning techniques used by two cloud service providers could expose some of their customers’ data to unauthorized eyes.

They found that inadequate separation and isolation of virtual servers and mistakes made when provisioning or de-provisioning those servers can result in data leakage.

The discovery was made while performing a security assessment of some cloud servers operated by Rackspace. During the examination of the Linux servers, the security team uncovered “remnant data” from Rackspace clients.

The remnants found on the server were random data, so it would be difficult for a snoop to target specific customers, but harvesting the remnants would create a trove of information for an intruder that would include personal information, credit card numbers and all kinds of credentials.

Since the unearthing of the vulnerability, Rackspace has fixed it. The company says that the flaw was never exploited nor was any customer data compromised.

The security team uncovered the flaw at Rackspace while provisioning one of its disks. A disk analysis following the provisioning revealed references to a WordPress installation and a MySQL configuration, even though neither of those programs were installed on the newly created virtual server.

Thinking that the physical disk provisioned by the team may have had a “dirty” image of the operating system on it, the researchers duplicated their efforts on a fresh disk. To their surprise, they found more remnant data. This time it was fragments of the company’s customer data base and some Apache server logs.

The security team traced the problem to how the virtual servers were being provisioned. When a server is created, the cloud software allocates the disk space for the virtual machine and writes an image of the operating systems desired by the user to it. Any data previously on the physical disk is still there, and will remain there until it’s overwritten as the disk is used during the course of operations.

If Rackspace wanted to be totally safe, it would “zero out” all the space on the physical disk allocated to the virtual machine. However, doing so is very time consuming. In addition, it hurts the performance of the hypervisor used to manage Rackspace’s virtual servers. So Rackspace got along with configuring its cloud storage the same way they’re configured on a desktop PC.

Similar problems were discovered with another cloud provider, VPS.NET. It uses a popular software platform, OnApp, to manage its cloud. OnApp, by default, turns off zeroing out the physical disk when provisioning a disk. However, when de-provisioning a disk, you can turn on “secure wipe”, which will perform the task.

The data leakage problems identified by the researchers potentially can be found in any environment with multiple users using a shared file system and hardware access to a physical disk. It can also appear in shared hosting systems.

Any hypervisor without an abstraction layer between a virtual machine and a physical disk is susceptible to the problem, they added.

The security team also cautioned that the flaw was a:

“single issue within the implementation of virtual server disk provisioning; it does not mean that the cloud is broken.”

“However,” they added, “due to the simplicity of this issue it does raise questions about the maturity of cloud security testing. This is a significant issue that cloud providers and customers should be aware of.”

Written by John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe

3 Comments

  1. Andy Lee · May 3, 2012

    Concerning, but not surprising. I trust they’ve taken care of the problem, but this is precisely the kind of risk you run when going to a cloud provider. How they handle their data, hardware, and allocation is solely in their hands, and not someone internally who is focused only on the needs and benefits of the company. Of course, freeing up a person like that to handle other internal tasks is equally invaluable.

  2. Ramir de Guzman · May 5, 2012

    What is the solution to this from a user standpoint? How can we ensure that whatever we put up there are not read or is fully secured?

    Cloud computing certainly has gained mileage and popularity. In fact, most non-tech users prefer it for some of its conveniences. Thanks for this “revelation” as this has surely opened our eyes to some disturbing disadvantages of the cloud. This might be an isolated case but it does not eradicate the possibility that it can happen again.

    Again, I would like to reiterate this: how can we keep our data secure without necessarily letting go of the advantages we enjoy from it?

  3. David Black · May 6, 2012

    I hope that many cloud security gurus read this article because I am afraid many of them are unaware of the technical issues that make confidentiality breaches so easy. Otherwise, when we sign for cloud services, we always know that security is (mostly) out of our control, so we hope that we’ve made a wise choice and the security measures at the provider’s are as they should be.

Leave A Reply