Cloud computing: Beware of the safety of your legacy data

Last year, information security consultancy Context was engaged by a significant number of clients, mainly banks and other high-end customers, to conduct information security surveys. These clients are seriously concerned about security issues and want to determine whether cloud computing is safe enough for their computing needs.
Context studied four cloud service providers: Amazon, Rackspace, Vps.net, and GigeNET Cloud. It found potential security vulnerabilities in the services of two of them that allowed access to data left behind by other customers.


"We are concerned about the unallocated portion of the disk," said Michael Jordan, manager of Context's research and development department. "We can go in and view some data, and the data stored on that hard disk is not our own enterprise's hard disk data."

Legacy data even includes personally identifiable information

The legacy data that Jordan and his research team discovered included some personally identifiable information, customer databases, and system information such as Linux shadow files (which contain the system's password hashes).

Jordan points out that this information is not obvious to a typical user of these cloud services; one has to go looking for it. In addition, he added, the leftover data was distributed randomly and would not allow a malicious user to target a specific customer. But a malicious user who found this unencrypted data could still use it for profit.

"After reviewing the newly provisioned hard drive of the latter vendor, we found something interesting and unexpected," Jordan and Context chief consultant James Forshaw wrote in a blog post describing their findings. "This involved a WordPress setup and a MySQL configuration, even though no such virtual server had been installed."

We expected this to be just an operating system image, so we created a second virtual server and tested it in the same way. Surprisingly, the data was completely different in this case, exposing a website's user database and Apache log fragments from which the originating server could be identified. This confirmed that the data did not come from the server we had configured.

Hypervisor incorrectly configured

The problem, says Jordan, is related to the way the providers provision new virtual servers and allocate new storage space. On the front end, when a customer creates a new virtual server, they use the cloud service provider's website to select the operating system and the amount of storage they need.

On the back end, the vendor allocates disk space to hold the virtual image and then overwrites the beginning of the disk with a pre-configured OS image.

"This means that only the initial part of the disk is filled with initialization data, and the rest of the disk is never explicitly written to during provisioning," Jordan and Forshaw wrote. "If this allocation were performed using the host operating system's file APIs, this would usually not be a problem." The operating system would ensure that any uninitialized data is automatically zeroed before being returned to the user application (or, in this case, the virtual machine). Clearly, in this case, those mechanisms were not used.

Jordan pointed out that because the problem lies in how the hypervisor is configured, it can affect hosting providers as well as cloud service providers.
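The check a customer can run against this failure mode follows directly from the description above: read the region of a freshly provisioned volume that lies beyond the OS image and flag every block that is not all zeros. The following is an added example written for this article, not Context's code or any provider's tooling. The sample "unallocated region", the Apache-style log fragment embedded in it, and the device path mentioned in `scan_device` are constructed assumptions, not data from the report.

```python
import string

BLOCK_SIZE = 4096
# Byte values we treat as "text" when deciding whether a non-zero block looks
# like a leaked config file, log or database dump rather than arbitrary binary.
_PRINTABLE = frozenset(string.printable.encode("ascii"))


def classify_block(block: bytes) -> str:
    """Label a block 'zero' (properly wiped), 'text' (looks like leaked
    config/log/database content) or 'binary' (non-zero but not textual)."""
    if not block.strip(b"\x00"):
        return "zero"
    payload = block.rstrip(b"\x00")
    printable = sum(1 for b in payload if b in _PRINTABLE)
    return "text" if printable / len(payload) >= 0.95 else "binary"


def scan_image(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Scan an in-memory disk region and report every block that is not
    all zeros as (offset, classification, short preview)."""
    findings = []
    for offset in range(0, len(data), block_size):
        block = data[offset:offset + block_size]
        kind = classify_block(block)
        if kind != "zero":
            findings.append((offset, kind, block.rstrip(b"\x00")[:48]))
    return findings


def scan_device(path: str, start: int = 0, block_size: int = BLOCK_SIZE) -> list:
    """Stream a real block device or image file from `start` (the end of the
    OS image you provisioned) and report residual non-zero blocks.
    Requires read access to the device, e.g. a freshly attached volume such
    as /dev/xvdb (hypothetical path; adjust for your environment)."""
    findings = []
    with open(path, "rb") as dev:
        dev.seek(start)
        offset = start
        while True:
            block = dev.read(block_size)
            if not block:
                break
            kind = classify_block(block)
            if kind != "zero":
                findings.append((offset, kind, block.rstrip(b"\x00")[:48]))
            offset += len(block)
    return findings


def build_sample_image(blocks: int = 16) -> bytes:
    """Constructed 64 KiB 'unallocated region' for demonstration: mostly
    zeros, with one block holding an Apache-style log fragment and one block
    holding binary residue. Everything in it is made up."""
    image = bytearray(blocks * BLOCK_SIZE)
    log_fragment = (
        b'203.0.113.7 - - [10/Oct/2011:13:55:36 +0000] '
        b'"GET /index.php HTTP/1.1" 200 2326\n'
    )
    image[5 * BLOCK_SIZE:5 * BLOCK_SIZE + len(log_fragment)] = log_fragment
    image[11 * BLOCK_SIZE:12 * BLOCK_SIZE] = bytes(range(256)) * 16
    return bytes(image)


if __name__ == "__main__":
    # A properly provisioned volume should produce no findings at all.
    for offset, kind, preview in scan_image(build_sample_image()):
        print(f"offset {offset:#010x}: {kind:6s} {preview!r}")
```

On a real volume, point `scan_device` at the device node with `start` set to the size of the OS image you requested; a clean provider yields an empty list, and any "text" finding is worth raising with the provider before the volume is used for anything sensitive.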

Two providers, Rackspace and Vps.net, have reported that they have patched the vulnerabilities. Rackspace is said to have worked closely with Context to address the problem, inviting the investigators to its headquarters and giving them access to its research engineers, managers and process executives. Vps.net uses OnApp technology, which is also used by at least 250 other cloud service providers; Vps.net told Context that it had introduced a patch to solve the problem.

Jordan points out that the problem should not prevent companies from using IaaS if they have a strong business need, but he advises customers to use the cloud according to best practices.

"If you are a new customer, you have a lot of choices," he said. "You can make sure that your data is encrypted on your hard disk, so that even if someone gets access to some part of the disk, they can't see the encrypted data."

Jordan also advises asking your service provider about its processes, including how the hypervisor provisions and deprovisions storage. In addition, he noted, it is the customer's responsibility to harden the virtual servers that service providers supply, including checking for any vendor backdoors that use the management server.
