Earlier this week, Context Information Security revealed the astonishing findings of its investigation into a sampling of four cloud service providers (CSPs) – Amazon EC2, Gigenet, Rackspace and VPS.net. Context found unpatched systems, missing antivirus and back doors left open, leaving cloud customers vulnerable to attacks and breaches.
Perhaps the most dismaying finding from U.K.-based Context’s investigation was the discovery of remnant data left behind by previous cloud customers. As part of its research, Context created virtual machines (VMs) on the CSPs platforms, and was able to see data stored by previous tenants on Rackspace and VPS.net disks. (VPS was using the OnApp platform.) Context referred to this finding as the “dirty disk” problem.
At first it may seem Context’s report serves as notice to CSPs that they are falling short of basic security expectations. Yet, in many ways, the problems can be tied to customers’ own shortcomings. Too often, customers count on their CSP to lock down their applications and safeguard their data, even though most CSPs explicitly state these precautions are not included in their standard offerings. Unfortunately, this sometimes comes as an unpleasant surprise for customers.
The base service offered by many CSPs does not include antivirus, patching or data deletion services. To protect their data security, cloud computing customers need to treat VMs in the cloud as if they were on-site servers. Customers must adopt a “do-it-yourself” (DIY) mindset and apply their own security applications and procedures to their cloud implementation, or pay their CSP for more security services.
The four CSPs investigated by Context are likely representative of the data security problems to be found on all cloud platforms. Companies storing data in the cloud need to act quickly to find out how their CSP is protecting the confidentiality of their data, and do their part in protecting their data in the cloud.