How does one revert this without physical access to the drive?
We overwrite our EBS volumes with zeros before deleting them and I was under the impression that should protect us against leakage to other customers.
Naturally it can't protect us against a malicious amazon employee pulling the drive physically (or taking snapshots without our knowledge), but frankly I don't see how your "vendor encryption" helps with that either.
If all I do is set a checkbox to "mark the drive for encryption" then that means
a) You have the encryption key, I don't.
b) The checkbox could just as well be a placebo and not have any effect.
No need to take a 10%-15% performance hit for that.
Firstly we can't comment on the arrangements of other companies for whom we don't have visibility. As a customer you can of course ask them and one would hope they are able to provide you with a full answer. On the blog we raise and answer (in our case) the various aspects for data storage, not just of security but also legal issues and data migration aspects. How many customers currently using an IaaS cloud can answer those questions or get their vendor to provide answers? Building confidence in cloud computing is all about transparency, education and creating secure ways of working. Different users will choose different solutions and regimes that they feel are 'secure' for them and we are all for that. We'd also like people to be able to make informed choices which means having the right information.
Secondly, there is a big difference between a vendor that has sole root access and full visibility of all your data and one that doesn't (as in our case); in our cloud the customer retains sole root access to cloud servers. This means our employees don't have visibility into cloud servers in the way you suggest. Further, as clearly stated in the blog, the issue raised is about data leakage i.e. data being accessible between cloud users. There are other issues regarding vendor security but this doesn't negate the points being made about data leakage.
Finally, your point regarding the encryption being a placebo is specious. There is a big difference between making systems secure against casual data theft/leakage or the actions of rogue employees and a company that is institutionally set up to lie and steal their customers' data. If you think your vendor is actually of that nature then no security measure can help and that's the case for any company you have dealings with. It really isn't a valid criticism of any security measure that may be put in place.
The measures we outline and have implemented on the vendor side do address the real issue of data leakage that occurs with block storage devices in IaaS clouds; they are effective and they are convenient. Our storage performance is generally higher than many other vendors to begin with and we have much feedback from customers regarding this even after using encryption. These customers are getting good performance in a secured cloud. For them it makes sense.
Best wishes,
Patrick
The only people it would theoretically protect me against are your people (those with physical access). And if I don't trust your people then why should I trust your encryption?
The issue of data leakage between customers (who don't have physical access) seems so trivial to prevent to me that I'm honestly wondering if I'm missing something fundamental here.
What's wrong with just making a loopback file and mounting that to the customer node? I had in fact assumed that this is how most clouds do it (for sanity reasons alone, security being the bonus). Hence I'm rather baffled by the whole claim of "data leakage through reading the raw volume".
Has that ever happened on any cloud provider?
Of the first point we outline how data leakage is possible in IaaS clouds. Some may already have measures in place to prevent this. We have our own measures too, some private others public. We offer encryption also as a free and convenient way to secure your data. This has nothing to do with securing physical access which is a totally separate issue. It relates to how customers secure access to their data. As outlined previously we don't have root access or file system level visibility into cloud servers in the way that other vendors generally do (although there are exceptions). As such it does pretty much come down to securing physical access. That isn't the case on other platforms for sure.
Here's another article that you might like (short but sweet) which actually talks directly about EBS and others and the problem of 'data remanance' in a way we can't as a competing vendor:
http://elastic-security.com/2010/01/07/data-remanence-in-the...
Here's an interesting quote:
"The technique of overwriting file sectors does not work without the collaboration of the cloud provider. You are not given access to the physical device, but only to higher level abstractions like file-systems (e.g. Amazon EBS) or key-value based APIs (e.g. Amazon S3). "
I'll get back to you on the loopback technique once I've spoken with the relevant storage guys in our company for feedback.
Kind regards,
Patrick
I know this was a rhetorical question, but I'll answer anyway: It isn't possible. Not only is there no way to read latent data normally from a drive that has been zeroed (drives that fail this test are called "defective"), but it is currently understood that recovering data from a modern drive that has been overwritten with a single pass of random data is impossible at any expense.
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html#E...
However, data can still leak out of cloud stores in the same way that it leaks out of solid-state disks and even magnetic disks: there's no guarantee that a given logical block will always be mapped to the same underlying hardware. A mirrored drive may be fail and thrown in the trash with data still on it, or written blocks might be mapped to different places in an array for any number of reasons. This shouldn't result in leakage to other customers although it is up to the vendor to make sure this doesn't happen.
Depending on the implementation, vendor-supplied encryption may or may not mitigate this risk, but customer-supplied encryption always will because the customer knows where the dividing line stands.
For those deleting virtual drives in the cloud securely the points made in the post might seem obvious but I believe most users in the cloud don't undertake such measures. That's why the encryption option is another way to go and implicit so much more likely to be taken up by cloud users.
Customer side encryption is great and of course usually means access is restricted to the customer, the issue is server restarts, crashes etc. which require manual intervention to get the file system or data directories back up and running again. In a dynamic cloud environment this can be particularly cumbersome.
Best wishes,
Patrick