Context Information Security recently published a white paper [PDF file] warning of a significant vulnerability in some providers' implementations of cloud infrastructure services.
"By exploiting the vulnerability, which revolves around data separation, Context consultants were able to gain access to some data left on other service users' 'dirty disks,' including fragments of customer databases and elements of system information that could, in combination with other data, allow an attacker to take control of other hosted servers," the company said in a statement.
"The vulnerability itself is in the way in which some providers automatically provision new virtual servers, initialise operating systems and allocate new storage space," SC Magazine reports. "For performance reasons or due to errors, security measures to provide separation between different nodes on a multi-user platform sometimes are not implemented, making it possible to read areas of other virtual disks and so gain access to data which exists with the physical storage provider."
"In the cloud, instead of facing an infrastructure based on separate physical boxes, an attacker can purchase a node from the same provider and attempt an attack on the target organisation from the same physical machine and using the same physical resources," Context research and development manager Michael Jordon said in a statement. "This does not mean that the Cloud is unsafe and the business benefits remain compelling, but the simplicity of this issue raises important questions about the maturity of Cloud technology and the level of security and testing undertaken in some instances."
"Context’s Jordon said the research reveals a lack of maturity in the cloud service market, and indicates companies still need to do more to boost security," writes SearchSecurity.co.UK's Ron Condon. "He warned customers to view any cloud-based servers as they would any other Internet-facing server. 'You have to remember that these servers are in a hostile environment, they are not in your server room anymore, and you have to look after security,' Jordan said."