Exposing the cracks in cloud security

Put simply, one of the principal benefits of cloud computing is that the user does not need to worry about the hardware configuration powering their IT services. But the flipside of the same coin is that they do not have visibility into that configuration.

This lack of visibility is the source of much of the anxiety surrounding the security of the cloud. Organisations cannot abrogate responsibility for their data, even if they outsource IT infrastructure management.

Last year, security consultancy Context took an in-depth look at four established cloud providers in order to audit their security measures. It released the results of its investigation last month, having given each company a year to fix the flaws that it exposed.

It found that two of the four cloud providers, Rackspace and VPS.NET, had serious security vulnerabilities. In each case, Context was able to access remnants of data belonging to previous customers, by reading “beyond the file system” of virtual machines that it rented from the companies. This means using a command line instruction that reads data from a specific portion of the underlying disk, even if there is no data there according to the file system.

The data fragments they discovered, Context analysts Michael Jordon and James Forshaw said in a blog post, “included some personal identifiable information, such as parts of customer databases and elements of system information such as Linux shadow files (containing the system’s password hashes)”.

Rackspace worked with Context to understand how residual data had been read from newly provisioned servers, and fixed the problem. The company had been using the open source hypervisor Xen Classic to create virtual machines on top of physical servers. When the hypervisor creates a new machine, a section of physical disk is allocated too, but that could be read by an attacker who “knows how to read beyond the file system,” Context said.

This was a problem because completely wiping disks before a new virtual machine could be provisioned would have taken Rackspace too long and adversely affected the performance of the hypervisor. But data remains on disk in binary form even after it is deleted, so Rackspace had to ensure that customer data was overwritten with zeros every time a virtual machine was decommissioned, an intensive task.

After Context alerted Rackspace to the flaw in March last year, it migrated thousands of servers from Xen Classic to Citrix’s XenServer. That hypervisor uses an ‘abstraction layer’ that prevents users from reading portions of the physical disk without writing to it first, meaning customers can only see their own data. When Context re-tested Rackspace’s cloud servers, it found no data remnants.

‘Dirty disks’, as Context calls them, are just one of the concerns around the security of cloud infrastructure providers. If companies like Rackspace were vulnerable to data extraction using techniques which Context described as “not difficult at all”, then what other issues might be lurking?

Assesing cloud security

One of the problems with entrusting critical business information to cloud infrastructure is the lack of industry standards around a relatively new technology.

John Pescatore, Gartner’s cloud analyst, examined this problem in a paper published at the end of last year, suggesting that cloud security standards will not mature until the second half of 2012. Most cloud providers offer no transparency into their security practices, and the expense of hiring a specialist to test every cloud service in consideration would make the entire cloud proposition less attractive.

Instead, Pescatore offered guidelines for organisations considering cloud service adoption, and presented a case for spending more on sufficiently security cloud infrastructure.

“A single security incident where 10,000 customer records are exposed can result in costs of more than $1.5 million (£940,000) in a single year,” he wrote. “[Sufficient security] to protect the data may only raise costs by $30 to 50/user/year, costing less than one-third the expense of an incident.”

To help businesses find those more secure cloud services in the absence of mature industry standards, Pescatore laid out some important features of secure cloud infrastructure: these included two- factor authentication for access to administrative controls, annual ISO27001 audits and documented controls for the separation of customers’ data.

Good encryption can help solve both segregation and external threat problems, says Sophos CTO Gerhard Eschelbeck. This means not just introducing encyrption, but also managing encryption keys – the codes to decrypt information – properly.

Eschelbeck says there are two ways to manage keys in a cloud environment. Customers can either keep control of their own key management, ensuring that data remains encrypted in transit between the client and the cloud, or key management can be built into the cloud itself on a per customer basis.

“In the long run, people will be very comfortable leveraging key management in the cloud,” Eschelbeck says. “But today customers are more comfortable with local key management, and pushing data into the cloud already encrypted. They already have infrastructure in place to manage those keys internally, and there’s the benefit that data will never leave their network unencrypted.”

Local key management might be preferable for a large organisation that already has similar infrastructure in place, but for smaller or newer businesses, entrusting the entire security proposition to a cloud provider might be preferable, Eschelback says. “Absolute security is always traded against convenience in our industry,” he adds.

Although public cloud providers face tricky issues around data segregation, they do arguably have other security advantages. Economies of scale mean they can afford to stay up to date with the latest hardware and software. Organisations that build their own private clouds may not have this advantage, but they may also be a less appealing target for hackers.

A middle road is offered in the form of virtual private data centres, or virtual private clouds, in which scalable, rented IT resources are hosted on dedicated infrastructure. However, this kind of service, offered by providers including Savvis, Virgin Media Business and Amazon itself, is typically more expensive that purely public cloud offerings.

Pete Swabey

Pete Swabey

Pete was Editor of Information Age and head of technology research for Vitesse Media (now Bonhill Group plc) from 2005 to 2013, before moving on to be Senior Editor and then Editorial Director at The...

Related Topics

Cloud Security