Are Your Secrets Safe In The Cloud?

With so much data being hosted in the cloud, companies need to look at side-channel attacks to make sure they know who has access to their data and how to keep it secret

Companies worried about the security of their data in the cloud have generally taken the obvious steps to protect their most valuable information, including encrypting sensitive data and using strong authentication to prevent access.

Yet there are a number of less obvious ways of leaking information, and ongoing research has shown that customers of cloud services -- even cloud security services -- need to worry about their data. For example, an identity and access management system may lock down a user's password and credentials, but miss the fact that which resource is accessed, and how often, is itself valuable information. In other cases, the API calls a company makes to a service reveal which features it is using, along with other details, even when the calls themselves are encrypted.

These so-called "side-channel attacks" in Web services are not new, but with the popularity of cloud services, they are becoming more serious, says Carl Herberger, vice president of security solutions for cloud-application security provider Radware.

"The number of information [channels] out there is going to increase dramatically, so I expect the situation to get worse," he says.

Side-channel attacks infer the content of a communication from what an observer can see without breaking the encryption: traffic patterns such as packet sizes, timing, and direction, and the control signals around them. In 2010, a research paper from Indiana University Bloomington and Microsoft Research found that such attacks can glean a significant amount of information about a user's actions on software-as-a-service offerings even when the session is encrypted. The paper found that popular online applications and services leak a significant amount of information, such as sensitive medical conditions in a healthcare service and income figures in a tax preparation service, because each choice the user makes produces a response of a characteristic size.
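The length-based leak described above, as an added simulation that is not code from the paper or from the article. It models an encrypted health-questionnaire service (the service, its responses and the per-record overhead are assumptions) in which each selected condition returns a different follow-up page; an observer who sees only ciphertext lengths builds a fingerprint table from sessions of their own and then reads the victim's choice off the wire. The padding function shows the standard countermeasure and what it costs in distinguishability:

```python
"""
Traffic-analysis side channel on an encrypted web application
(constructed simulation; not code from the paper or the article).

Each option a user picks in a form produces a response whose encrypted
length depends on the option. An eavesdropper who sees only lengths can
recover the option by matching against a table built from sessions of
their own. The service, responses and record overhead are assumptions.
"""
from collections import defaultdict

# Constructed sample: a health-questionnaire service that returns a
# different follow-up page for each condition the user selects.
CONDITIONS = {
    "asthma":   "Follow-up questions for asthma: inhaler use, triggers...",
    "diabetes": "Follow-up for diabetes: insulin, glucose monitoring, diet plan...",
    "hiv":      "HIV follow-up: antiretroviral regimen, viral load, CD4 count, adherence",
    "none":     "No further questions.",
}

RECORD_OVERHEAD = 29  # assumed fixed per-record overhead (header + MAC)


def encrypted_len(plaintext: str) -> int:
    """Length visible on the wire for a stream-cipher record: the
    plaintext length leaks one-to-one, shifted by a constant."""
    return len(plaintext.encode()) + RECORD_OVERHEAD


def pad_to_bucket(plaintext: str, bucket: int) -> str:
    """Mitigation: pad every response to the next multiple of `bucket`
    bytes so that responses of similar size become indistinguishable."""
    data = plaintext.encode()
    return (data + b" " * ((-len(data)) % bucket)).decode()


def build_fingerprints(responses: dict, padder=lambda s: s) -> dict:
    """Attacker phase 1: drive the app with every option in sessions of
    their own and record which options yield each observed length."""
    table = defaultdict(set)
    for choice, body in responses.items():
        table[encrypted_len(padder(body))].add(choice)
    return dict(table)


def infer_choice(observed_len: int, fingerprints: dict) -> set:
    """Attacker phase 2: map a length seen in the victim's session back to
    the set of options that could have produced it."""
    return fingerprints.get(observed_len, set())


def leak_report(responses: dict, padder=lambda s: s) -> dict:
    """For each option a victim could pick, the candidate set the observer
    ends up with; a singleton means the option is fully recovered."""
    fingerprints = build_fingerprints(responses, padder)
    return {
        choice: infer_choice(encrypted_len(padder(body)), fingerprints)
        for choice, body in responses.items()
    }


if __name__ == "__main__":
    print("unpadded:", leak_report(CONDITIONS))
    print("padded to 128:", leak_report(CONDITIONS, lambda s: pad_to_bucket(s, 128)))
```

Without padding every condition maps to a unique length and is recovered exactly; padded to a 128-byte bucket, all four responses look identical. In practice the bucket has to cover the largest response, so the cost is bandwidth, and a real application also leaks through the number and direction of packets (autocomplete traffic is the classic case), which fixed-size padding of individual responses does not hide.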


Other research efforts highlight similar dangers. In 2009, computer scientists from the University of California at San Diego and MIT showed that attackers could exploit the virtualized infrastructure of compute clouds: by instantiating virtual machines until one landed on the same physical server as a target's VM, they could then attempt to gather information about that VM through the hardware the two share. A 2010 paper by researchers at IBM and Bar-Ilan University found that storage clouds that deduplicate across customers' data could leak information about other customers' files, including whether a particular file has already been stored and, through that, its contents.
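The deduplication leak mentioned above, as an added simulation that is not code from the paper or from the article. The store, the form-letter template and the mitigation parameters are assumptions. A client-side deduplicating store skips the transfer when the server already holds the file's hash, and that skipped transfer is observable, so an attacker who knows everything about a document except one field can upload guesses and pick out the one that was never transferred. The second store class shows the randomized-threshold countermeasure, which withholds the dedup response until a random number of copies has been seen:

```python
"""
Cross-user deduplication as an existence oracle (constructed simulation;
not code from the paper or the article).

A client-side deduplicating store asks the server whether it already
holds a file's hash and skips the transfer when it does. The skipped
transfer is observable, so an attacker learns whether *some* customer
has stored a given file by uploading guesses. Low-entropy documents
(a form letter with one unknown number) can be recovered outright.
The store, document template and mitigation parameters are assumptions.
"""
import hashlib
import random


class DedupStore:
    """Cloud store with client-side, cross-customer dedup keyed by SHA-256."""

    def __init__(self):
        self._blobs = {}

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def upload(self, content: bytes) -> bool:
        """Return True if bytes were actually transferred. A False answer
        is the side channel: someone already stored identical content."""
        d = self.digest(content)
        if d in self._blobs:
            return False
        self._blobs[d] = content
        return True


class ThresholdDedupStore(DedupStore):
    """Mitigation: pick a secret random threshold per file and keep asking
    for the upload until that many copies have been seen, so a single
    probe never reveals whether the first copy exists."""

    def __init__(self, max_threshold: int = 8, rng=None):
        super().__init__()
        self._rng = rng or random.Random()
        self._seen = {}       # digest -> (copies seen, threshold)
        self.max_threshold = max_threshold

    def upload(self, content: bytes) -> bool:
        d = self.digest(content)
        count, threshold = self._seen.get(
            d, (0, self._rng.randint(2, self.max_threshold)))
        self._blobs[d] = content
        if count >= threshold:
            return False      # only now does dedup become observable
        self._seen[d] = (count + 1, threshold)
        return True


def salary_letter(name: str, salary: int) -> bytes:
    """Constructed low-entropy document: everything but the number is known."""
    return f"Dear {name}, your annual salary is set to {salary} USD.\n".encode()


def probe_salary(store: DedupStore, name: str, candidates) -> list:
    """Attacker: upload every guess; a guess that is NOT transferred
    already exists in the store, which pins down the victim's salary."""
    return [s for s in candidates if not store.upload(salary_letter(name, s))]


if __name__ == "__main__":
    store = DedupStore()
    store.upload(salary_letter("Alice", 84000))           # victim's upload
    print(probe_salary(store, "Alice", range(80000, 90001, 500)))  # [84000]
```

Against the plain store, a sweep of 21 guesses identifies the victim's figure with one round of uploads. Against the threshold store the same sweep returns nothing, because the attacker's copy is at most the second one and the threshold is never below two; the attacker must now upload each guess up to the maximum threshold times, which raises the cost but does not remove the channel. Encrypting files under per-customer keys before upload removes it entirely, at the price of cross-customer deduplication.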

Many of these issues are endemic to multitenant cloud services, or stem from the fact that a third-party cloud provider adds another channel through which attackers or investigators can get access to a company's data. Just by placing its data in the cloud, a company potentially opens the information to access under law enforcement requests or civil court orders without being notified.

Many cloud providers have stated that they will support their customers' right to decide what happens with the data, but they are bound to follow the law, says John Howie, chief operating officer of the Cloud Security Alliance.

"Every cloud provider has pretty much said, 'If we get a court order, a subpoena, or any other legal vehicle which will allow access to data which we can disclose, we will refer the government or the court to the owner of that data,'" he says.

Yet unless a company controls its data in its own data center, it's hard to secure it, says Peter Wayner, a consultant and author of "Translucent Databases."

"Unless you've got the servers in your own secure facility, and you have your own people watching them, you have this problem with cloud or with any colocation," he says.

Companies' employees can create their own channel for leaking information by using unapproved services to store or communicate sensitive business data. Workers use consumer applications and cloud services on their own devices, and, in many cases, these services index and analyze the data for ad sales and can expose it in other ways as well. Recently, for example, IBM decided to bar a number of cloud applications, including Apple's Siri voice recognition service, because it feared the services would store employees' queries in the cloud.

"People are using the cloud in ways that companies and enterprises aren't thinking about," CSA's Howie says.

Free cloud services generally make their revenue by profiling users for advertisers or by displaying advertisements. A crafty attacker could find ways of profiling individual users through the same data, he says.

Companies need to educate their employees about the danger of placing business data in consumer cloud services. In addition, businesses should discuss potential data leakage with cloud providers.

Comment (5/30/2012, 4:22:12 PM) re: Are Your Secrets Safe In The Cloud?

Seems like many organizations are still struggling with what method is best suited to add additional layers of authentication for access and transaction verification without unreasonable complexity. I've noticed many of the global Cloud providers are moving to the use of some form of 2FA (two-factor authentication) where the user is asked to telesign into their account by entering a one-time PIN code which is delivered to your phone via SMS or voice. Or if you don't want to do this every single time, some offer the option to designate your smartphone, PC, or tablet as a trusted device and they will allow you to enter without the text code. Should an attempt to login from an unrecognized device happen, it would not be allowed.
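The login flow the comment describes, as an added example that is not code from the article, the commenter or any provider; the server key, token lifetime, PIN lifetime, retry limit and account names are assumptions. A device carrying a valid trusted-device token is admitted on the password alone; any other device is challenged for a one-time PIN delivered out of band, and a successful PIN enrols that device. The token is an HMAC over the user, the device identifier and an expiry, so it cannot be moved to another device or account, and PINs are single-use, short-lived and locked out after a few wrong guesses:

```python
"""
Step-up login with a one-time PIN and a trusted-device token
(constructed example; not code from the article, the commenter or any
provider). Models the flow described in the comment: a device holding a
valid trusted-device token gets in with the password alone; any other
device must enter a one-time PIN delivered out of band, after which it
can be enrolled as trusted. Keys, lifetimes and names are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumed per-deployment secret
TAG_LEN = 32                           # HMAC-SHA256 output length


def issue_device_token(user: str, device_id: str, now: int,
                       ttl: int = 30 * 86400) -> str:
    """Enrol a device: sign (user, device, expiry) so the token is bound
    to one account and one device and cannot be forged or extended."""
    payload = json.dumps({"u": user, "d": device_id, "exp": now + ttl}).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_device_token(token: str, user: str, device_id: str, now: int) -> bool:
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, TypeError):
        return False
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare
        return False
    try:
        claims = json.loads(payload)
    except ValueError:
        return False
    return (claims.get("u") == user and claims.get("d") == device_id
            and claims.get("exp", 0) > now)


class OneTimePins:
    """Server-side record of outstanding PINs: single use, short lived,
    and locked out after a few wrong guesses."""

    def __init__(self, ttl: int = 300, max_tries: int = 3):
        self._pending = {}   # user -> (pin, expiry, failed tries)
        self.ttl, self.max_tries = ttl, max_tries

    def send(self, user: str, now: int) -> str:
        pin = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = (pin, now + self.ttl, 0)
        return pin           # stands in for SMS or voice delivery

    def check(self, user: str, pin: str, now: int) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        stored, expiry, tries = entry
        if now > expiry or tries >= self.max_tries:
            del self._pending[user]
            return False
        if hmac.compare_digest(stored, pin):
            del self._pending[user]      # single use: no replay
            return True
        self._pending[user] = (stored, expiry, tries + 1)
        return False


def login(user, password_ok, device_id, device_token, pins, now, pin=None):
    """Return ('ok', token), ('need_pin', None) or ('denied', None)."""
    if not password_ok:
        return ("denied", None)
    if device_token and verify_device_token(device_token, user, device_id, now):
        return ("ok", device_token)              # trusted device: no PIN
    if pin is None:
        return ("need_pin", None)                # caller triggers pins.send()
    if pins.check(user, pin, now):
        return ("ok", issue_device_token(user, device_id, now))
    return ("denied", None)
```

The stricter variant in the comment, where an unrecognized device is refused outright rather than challenged, is the same check with the "need_pin" result replaced by "denied". Note that the SMS or voice leg is the weak point of this design: a PIN delivered over the phone network is only as safe as the carrier's handling of the subscriber's number, so the short lifetime and retry limit matter.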
