Knowledge of how your cloud provider provisions disk space can help an administrator protect their organization’s data, as was recently revealed in a report by Context Information Security.
The security researchers said that provisioning techniques used by two cloud service providers could expose some of their customers’ data to unauthorized eyes.
They found that inadequate separation and isolation of virtual servers and mistakes made when provisioning or de-provisioning those servers can result in data leakage.
The discovery was made while performing a security assessment of some cloud servers operated by Rackspace. During the examination of the Linux servers, the security team uncovered “remnant data” from Rackspace clients.
The remnants found on the server were random data, so it would be difficult for a snoop to target specific customers, but harvesting the remnants would create a trove of information for an intruder that would include personal information, credit card numbers and all kinds of credentials.
Since the unearthing of the vulnerability, Rackspace has fixed it. The company says that the flaw was never exploited nor was any customer data compromised.
The security team uncovered the flaw at Rackspace while provisioning one of its disks. A disk analysis following the provisioning revealed references to a WordPress installation and a MySQL configuration, even though neither of those programs were installed on the newly created virtual server.
Thinking that the physical disk provisioned by the team may have had a “dirty” image of the operating system on it, the researchers duplicated their efforts on a fresh disk. To their surprise, they found more remnant data. This time it was fragments of the company’s customer data base and some Apache server logs.
The security team traced the problem to how the virtual servers were being provisioned. When a server is created, the cloud software allocates the disk space for the virtual machine and writes an image of the operating systems desired by the user to it. Any data previously on the physical disk is still there, and will remain there until it’s overwritten as the disk is used during the course of operations.
If Rackspace wanted to be totally safe, it would “zero out” all the space on the physical disk allocated to the virtual machine. However, doing so is very time consuming. In addition, it hurts the performance of the hypervisor used to manage Rackspace’s virtual servers. So Rackspace got along with configuring its cloud storage the same way they’re configured on a desktop PC.
Similar problems were discovered with another cloud provider, VPS.NET. It uses a popular software platform, OnApp, to manage its cloud. OnApp, by default, turns off zeroing out the physical disk when provisioning a disk. However, when de-provisioning a disk, you can turn on “secure wipe”, which will perform the task.
The data leakage problems identified by the researchers potentially can be found in any environment with multiple users using a shared file system and hardware access to a physical disk. It can also appear in shared hosting systems.
Any hypervisor without an abstraction layer between a virtual machine and a physical disk is susceptible to the problem, they added.
The security team also cautioned that the flaw was a:
“single issue within the implementation of virtual server disk provisioning; it does not mean that the cloud is broken.”
“However,” they added, “due to the simplicity of this issue it does raise questions about the maturity of cloud security testing. This is a significant issue that cloud providers and customers should be aware of.”