We’ve written before about the security precautions companies must take before they use cloud computing services to store data. Here’s one key measure you may want to make sure your cloud vendors take – because a new study says many don’t.
Some major cloud storage providers fail to properly wipe disks after customers use them, according to a recent study conducted by UK security consulting firm Context Information Security. That could enable users of those services to download other organizations’ data.
Cloud storage services are built around virtual machines, which means that a customer’s storage might move between physical locations, and physical disks can change hands when a company stops using the service. If those disks aren’t thoroughly wiped after each use, remnants of data may be left behind that someone else with access to that disk can recover.
And drives are not being wiped properly in many cases, according to Context’s research. The firm tested cloud services from Amazon Web Services, Rackspace, VSP.net and Gigenet.
Rackspace and VSP.net were found to have a vulnerability that allowed researchers to find remnants of old customer data.
When researchers provisioned a new virtual server in those providers’ networks, they were able to uncover data present on the physical disk that wasn’t contained in the virtual machine. For example, in one case, researchers found references to applications that weren’t installed on the virtual server, but had been installed by a virtual machine that used to be housed on the same server.
Other tests uncovered more sensitive data in the same way, including fragments of a website’s customer database. The most recent data found was less than a week old, and researchers also reported finding data that had remained on the disks for a long time.
Both Rackspace and VSP.net told Context that the issue has been fixed. However, researchers pointed out that VSP.net’s service is based on technology from OnApp that is used by more than 250 other providers, so those providers might also be affected by the vulnerability.
What can customers do to protect their data from this and other vulnerabilities when it’s held by cloud computing service providers? Context recommends that businesses ask the cloud vendors they use or are considering whether their data is at risk. Some providers may offer different options for how data is wiped when servers are de-provisioned.
Also, following best practices while using cloud computing services — such as making sure all sensitive data is encrypted — can help companies protect themselves.
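One way a customer can check whether a newly provisioned raw volume was delivered wiped, as an added example that is not from the article or from Context's research: the script counts blocks that are not all zeroes and reports only their offsets, never their contents. The function names, the 4096-byte block size and the sample image are assumptions made for illustration; run it against an unformatted volume, because a volume that already holds a filesystem legitimately contains non-zero metadata.

```python
import os
import tempfile

BLOCK_SIZE = 4096  # assumed scan granularity, not a provider-defined value


def scan_for_residue(path, block_size=BLOCK_SIZE, max_report=5):
    """Count blocks on a raw volume or image file that are not all zeroes.

    Returns totals plus the byte offsets of the first few non-zero blocks.
    Block contents are never printed or kept.
    """
    zero = bytes(block_size)
    total = dirty = offset = 0
    first_offsets = []
    with open(path, "rb") as dev:
        while True:
            block = dev.read(block_size)
            if not block:
                break
            # The final block may be short, so compare against a same-length slice.
            if block != zero[:len(block)]:
                dirty += 1
                if len(first_offsets) < max_report:
                    first_offsets.append(offset)
            total += 1
            offset += len(block)
    return {"total_blocks": total, "dirty_blocks": dirty,
            "first_offsets": first_offsets, "wiped": dirty == 0}


def build_sample_image(path, blocks=16, block_size=BLOCK_SIZE):
    """Constructed sample: a zeroed image with leftover bytes in blocks 3 and 9."""
    with open(path, "wb") as img:
        img.write(bytes(blocks * block_size))
        for index in (3, 9):
            img.seek(index * block_size + 100)
            img.write(b"constructed leftover record")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "volume.img")
        build_sample_image(sample)
        # On a real system, pass the path of the new, unformatted volume instead.
        print(scan_for_residue(sample))
```

A non-zero count on a volume that has never been written to is the kind of finding to raise with the provider when asking how disks are wiped at de-provisioning.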