
Researchers uncover security flaws in cloud architecture

  • Posted on: June 28, 2012
  • Posted in: Cloud Computing
  • Posted by: Noah Gamer

One of the most significant obstacles facing cloud services in their brief but influential history has been the perception that the technology is inherently less secure than onsite, legacy alternatives. This line of reasoning has been driven by subjective opinion and anecdotal evidence as much as anything else, but a recent analysis conducted by information security specialists at Context may provide objective supporting evidence to those theories.

Last month, Context researchers conducted an exhaustive assessment of four major cloud providers and supplied a related whitepaper touching on subjects ranging from business use cases to service level agreements and data security risks. Researchers have since revealed the identities of the cloud providers whose systems were placed under the microscope and raised red flags on a series of infrastructural vulnerabilities that could be quite prevalent in the field.

Not surprisingly, the issue concerns the concepts of resource sharing and multi-tenancy that are central to cloud infrastructure. According to the report, researchers were able to exploit a systemic weakness in data separation protocols that allowed them to gain access to the so-called "dirty disks" of separate service users in the cloud environment. These sensitive resources contained information ranging from fragments of customer databases to system intelligence that could enable savvy hackers to take control of neighboring servers.

"In the cloud, instead of facing an infrastructure based on separate physical boxes, an attacker can purchase a node from the same provider and attempt an attack on the target organization from the same physical machine and using the same physical resources," Context research and development manager Michael Jordon explained. "This does not mean that the cloud is unsafe – and the business benefits remain compelling – but the simplicity of this issue raises important questions about the maturity of cloud technology and the level of security and testing undertaken in some instances."

As Jordon explained in an interview with TechTarget, hackers could essentially purchase a virtual machine from a cloud provider through legitimate means and then read and copy data remnants left in the newly provisioned storage space by former tenants. They could then refine this technique to increase the speed of data collection via automation or train their tools to locate select materials such as credit card numbers or login credentials.

This issue was initially identified on a Linux server being hosted by cloud provider Rackspace. The company has since patched the vulnerabilities following the test trial. VPS.NET, a separate participant in the study, has reportedly addressed the issue as well – although Context researchers were unable to corroborate these claims with additional testing.

By digging a bit deeper to add perspective to the study, Context analysts found that VPS.NET is based on OnApp technology, a series of proprietary systems used by more than 250 cloud providers around the world. OnApp officials confirmed that its protocol is to allow customers to opt-in to data wiping services that would prevent the "dirty disk" vulnerability. This practice, according to Context, could be leaving thousands of underinformed clients out in the cold and at significant risk.

Context report authors suggested that this fundamental flaw could apply to any circumstances in which "direct hardware access to the disk" is provided to users accessing a shared file system, whether or not it is cloud-based.
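The data-wiping control discussed above can be expressed as a provider-side release gate: zero the volume, then refuse to reallocate it unless every block verifies as clean. The sketch below is an added example, not code from Context, OnApp or any provider named in the article; the function names, the 4096-byte block size and the temporary file standing in for a backing volume are all assumptions.

```python
import os
import tempfile

BLOCK = 4096  # audit granularity in bytes (assumed; match the real volume)


def count_dirty_blocks(path, block=BLOCK):
    """Return (dirty, total) block counts; block contents are never exposed."""
    dirty = total = 0
    with open(path, "rb") as f:
        while chunk := f.read(block):
            total += 1
            if chunk.count(0) != len(chunk):  # block holds a non-zero byte
                dirty += 1
    return dirty, total


def zero_fill(path, block=BLOCK):
    """Overwrite the whole volume with zeros and flush to stable storage."""
    with open(path, "r+b") as f:
        remaining = f.seek(0, os.SEEK_END)  # size; also works on block devices
        f.seek(0)
        while remaining > 0:
            n = min(block, remaining)
            f.write(bytes(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())


def release_volume(path):
    """Wipe a deprovisioned volume; refuse reallocation unless verified clean."""
    zero_fill(path)
    dirty, total = count_dirty_blocks(path)
    if dirty:
        raise RuntimeError(f"{dirty}/{total} blocks dirty; do not reallocate")
    return total


def make_sample_volume():
    """Constructed 16-block image with fake residue in blocks 3 and 9."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(16 * BLOCK))
        for idx in (3, 9):
            f.seek(idx * BLOCK + 100)
            f.write(b"CONSTRUCTED-RESIDUE")
    return path
```

A tenant can run `count_dirty_blocks` alone against a freshly provisioned, still-unformatted volume to confirm that the provider's wipe actually happened.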

In the end, researchers cautioned against any notions that cloud security is inherently "broken." However, the surprisingly simple nature of the exploited vulnerability should serve as a lesson to cloud providers that it is well past time to shore up fundamentals through diligent testing.

Cloud Security News from SimplySecurity.com by Trend Micro
