How your data gets compromised in an IaaS cloud: Vendor tells all (opens in new tab)

(cloudsigma.com)

26 pointscloudsigma15y ago24 comments

24 comments

15 comments · 4 top-level

trotsky15y ago· 4 in thread

I don't understand why a zero wipe isn't sufficient when provisioning the storage. At least for this purpose it would seem to achieve the same result as encryption with much less complexity and no ongoing overhead. AWS takes a long time to provision new EBS storage, does anyone know what's going on there?

cloudsigmaOP15y ago

Simply overwriting with zeros isn't a 100% fix by any means and actually it does involve writing perhaps 1TB of data in sequence. For any storage array that's a lot of data to write. It doesn't matter if its 0s or something else. Better is to use random data but even so you still have forensic techniques to revert this.

You say encryption is complicated but actually as a vendor its implicit in our system. As a customer you just mark the drive upon creation and then its invisible to both you as a customer and the cloud servers that are using the drive. That's really the whole idea, to make security measures that are convenient so people actually use them. Our customers see usually about a 10%-15% performance difference and we've got pretty high storage performance to begin with so it rarely means taking a performance hit compared with other platforms. We also allow multiple drives so users can categorise data by drives for encryption or not. Of course I'm biased regarding performance but the principles stand.

The other point of the blog post is to ask; what do other vendors do and do their customers have the ability to find out? Security through obscurity isn't an acceptable approach in the cloud. Everyone needs to be transparent and work to build confidence through solid information and education on how to use the cloud securely and effectively.

Kind regards,

Patrick

moe15y ago

Better is to use random data but even so you still have forensic techniques to revert this.

How does one revert this without physical access to the drive?

We overwrite our EBS volumes with zeros before deleting them and I was under the impression that should protect us against leakage to other customers.

Naturally it can't protect us against a malicious amazon employee pulling the drive physically (or taking snapshots without our knowledge), but frankly I don't see how your "vendor encryption" helps with that either.

If all I do is set a checkbox to "mark the drive for encryption" then that means

   a) You have the encryption key, I don't.
   b) The checkbox could just as well be a placebo and not have any effect.

Thus we're back to square 1 and the same old question: "Do I trust you?"

No need to take a 10%-15% performance hit for that.

2 more replies

gxti15y ago

If I were writing a block provisioning system I would keep a map of what blocks have not yet been written to and always read zero for those blocks. Then the first time it is written, allocate a block that has already been zeroed out. This way I don't waste time and electricity zeroing entire volumes before they are allocated or after they are deleted because there is just one pool of same-sized blocks to draw from. Choosing the block size to strike a balance between allocation delay and cost of blanking is an exercise left to the reader.

cloudsigmaOP15y ago

That's a possibility, the concern is the performance implications, particularly latency involved in operating such a system which needs to interrogate every data access. The question is whether such a system would have more of a performance hit than simply encrypting (with the added advantages that has anyway).

Best wishes,

Patrick

patio1115y ago· 3 in thread

This is a big issue in certain verticals. In my early research for AR I looked into the interaction of HIPAA (an American privacy law for medical information) and cloud hosting. My brief educated layperson's conclusion: sensible default settings at your cloud service of choice almist certainly lead you to be OMGWTF noncompliant. I immediately moved medical providers out of scope, because it looked like there were, minimally, several months of engineer time needed to merit a finding of compliance, plus whatever costs/effort it would take to deal with the lawyers.

cloudsigmaOP15y ago

A lot of the compliance issues come from the mixing of infrastructure and the software and networking layers with many IaaS providers. In our cloud only the customer has root access and file system visibility. Essentially the cloud vendor then needs to demonstrate compliance with physical access and data protection/data leakage areas as employees don't have the ability to view data. This isn't a typical situation and for most clouds that are more like IaaS/PaaS hybrids it opens quite a can of worms.

As a Swiss based cloud currently we'd be excluded from many US industry sectors which required domestic hosting. This will change shortly (can't say more) and when it does we'll be working to put in place the necessary coverage/compliance certificates to expand into these sectors.

Best wishes,

Patrick

samd15y ago

My layman's conclusion of HIPAA and cloud hosting was that the language of the law was vague and technologically out of date, and that depending on how you interpreted its requirements you'd be either OK or OMGWTF noncompliant.

It's too bad because the medical space is in dire need of innovation and there's a lot of money to be made.

cloudsigmaOP15y ago

There's definitely huge opportunities in the medical sphere. We do have customers from this sector in our cloud although how they handle client data is always very strictly controlled and I think its fair to say that only a subset of the potential is being realised properly in terms of the broader market.

Kind regards,

Patrick

rworthington15y ago· 3 in thread

Do you guys know what the situation is with GoGrid? I've been using them for about 6 months now but I've not been using encryption. Am I exposed to data leakage in the way you outline in your blog post?

cloud-geek15y ago

Any service that reuses the same physical drive space should be vulnerable unless they either store encrypted or do secure deletion. Having used secure deletion before on dedicated hardware it is really hitting the drive performance. That is why I am guessing vendors don't use secure deletion. Using encryption overall looks more efficient overall.

cloudsigmaOP15y ago

Secure deletion on physical spindles is extremely resource heavy especially if someone is deleting a very large drive.

Storing encrypted first does affect performance but it is generally much less and more predictable (doing a big secure delete on a drive inflicts an immediate and unexpected hit on that part of a storage array).

We think encryption is also just a lot more robust. If you don't lay down the data in the first place in readable form on the physical drives, its eliminates a lot of data leakage possibilities.

Best wishes,

Patrick

moe15y ago

Sorry, but this is really bordering on FUD here.

Have you ever looked at a freshly mounted EBS volume on EC2? It shows all zero's for me. And I'm almost sure that was not just a coincidence for the volumes I looked at.

Moreover there are more efficient ways than encryption or "full sweep overwrite" to address this at the storage-level.

1 more reply

notmyname15y ago· 1 in thread

FWIW, non-block storage services (like Rackspace Cloud Files and S3) should not be vulnerable to these info leaks. I cannot speak to the S3 backend, but this sort of attack would not be possible with Cloud Files. Of course, the use case is a little different when you don't have access to a block-level device.

cloudsigmaOP15y ago

Yes we believe that's the case too however like you say, object orientated storage services are a different use case to block-level storage devices. Customers running their own databases for example can have these data leakage issues if they aren't careful.

Best wishes,

Patrick

j / k navigate · click thread line to collapse

24 comments

15 comments · 4 top-level

trotsky15y ago· 4 in thread

cloudsigmaOP15y ago

Kind regards,

Patrick

moe15y ago

Better is to use random data but even so you still have forensic techniques to revert this.

How does one revert this without physical access to the drive?

We overwrite our EBS volumes with zeros before deleting them and I was under the impression that should protect us against leakage to other customers.

If all I do is set a checkbox to "mark the drive for encryption" then that means

   a) You have the encryption key, I don't.
   b) The checkbox could just as well be a placebo and not have any effect.

Thus we're back to square 1 and the same old question: "Do I trust you?"

No need to take a 10%-15% performance hit for that.

2 more replies

gxti15y ago

cloudsigmaOP15y ago

Best wishes,

Patrick

patio1115y ago· 3 in thread

cloudsigmaOP15y ago

Best wishes,

Patrick

samd15y ago

It's too bad because the medical space is in dire need of innovation and there's a lot of money to be made.

cloudsigmaOP15y ago

Kind regards,

Patrick

rworthington15y ago· 3 in thread

cloud-geek15y ago

cloudsigmaOP15y ago

Secure deletion on physical spindles is extremely resource heavy especially if someone is deleting a very large drive.

We think encryption is also just a lot more robust. If you don't lay down the data in the first place in readable form on the physical drives, its eliminates a lot of data leakage possibilities.

Best wishes,

Patrick

moe15y ago

Sorry, but this is really bordering on FUD here.

Have you ever looked at a freshly mounted EBS volume on EC2? It shows all zero's for me. And I'm almost sure that was not just a coincidence for the volumes I looked at.

Moreover there are more efficient ways than encryption or "full sweep overwrite" to address this at the storage-level.

1 more reply

notmyname15y ago· 1 in thread

cloudsigmaOP15y ago

Best wishes,

Patrick

j / k navigate · click thread line to collapse