Risk
5/29/2012 05:46 PM

Are Your Secrets Safe In The Cloud?

With so much data now hosted in the cloud, companies need to consider side-channel attacks: who can learn what about their data, and how to keep it secret

Companies worried about the security of their data in the cloud have generally taken the obvious steps to protect their most valuable information, including encrypting sensitive data and using strong authentication to prevent unauthorized access.

Yet there are a number of less obvious ways for information to leak, and ongoing research has shown that customers of cloud services -- even cloud security services -- still need to worry about their data. For example, an identity and access management system may lock down a user's password and credentials but miss the fact that which resource is accessed, and how often it's accessed, is itself valuable information. In other cases, the pattern of API calls to a service reveals which features a company is using, along with other details.

These so-called "side-channel attacks" in Web services are not new, but with the popularity of cloud services, they are becoming more serious, says Carl Herberger, vice president of security solutions for cloud-application security provider Radware.

"The number of information [channels] out there is going to increase dramatically, so I expect the situation to get worse," he says.

Side-channel attacks infer the content of communications from what encryption does not hide, such as traffic patterns, message sizes, and control signals. In 2010, a research paper by Indiana University at Bloomington and Microsoft Research found that such attacks can glean a significant amount of information about a user's actions on software-as-a-service offerings, even over encrypted connections. The paper found that popular online applications and services leak a significant amount of information, such as sensitive medical conditions in a healthcare service and income information in a tax preparation service.
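The attack the paragraph above describes works because encryption hides bytes, not byte counts. The following Python model is an added example (not code from the article or from the Indiana/Microsoft paper): a hypothetical health-record web app where choosing a condition returns a page whose length depends on the choice; the condition names, page sizes and the fixed TLS record overhead are all assumptions made for the example. The attacker builds a length-to-condition table with their own account, then matches the single ciphertext length they observe from the victim. The same code shows the standard mitigation of padding responses to a bucket size, and why a bucket that is too small only shrinks the leak rather than closing it.

```python
"""Traffic-size fingerprinting of an encrypted web app (constructed example)."""

# Constructed sample: a hypothetical health-record web app where choosing a
# condition from a form triggers a request whose response differs in length
# per condition. Condition names and page sizes are made up for this example.
CONDITION_PAGES = {
    "asthma":       b"<div class=info>" + b"A" * 312 + b"</div>",
    "diabetes":     b"<div class=info>" + b"D" * 487 + b"</div>",
    "hypertension": b"<div class=info>" + b"H" * 530 + b"</div>",
    "migraine":     b"<div class=info>" + b"M" * 275 + b"</div>",
}

# Assumed fixed per-record overhead (record header plus authentication tag).
# The exact value does not matter: it shifts every length by the same amount.
TLS_OVERHEAD = 29


def serve(condition, pad_to=None):
    """Server side: return the page for a condition, optionally padded up to
    the next multiple of pad_to bytes (the mitigation)."""
    body = CONDITION_PAGES[condition]
    if pad_to is not None:
        body += b" " * ((-len(body)) % pad_to)
    return body


def ciphertext_length(plaintext):
    """Model of a length-preserving TLS record: an eavesdropper cannot read
    the bytes but can read exactly how many there are."""
    return len(plaintext) + TLS_OVERHEAD


def observe(condition, pad_to=None):
    """What a network eavesdropper sees when the victim picks a condition."""
    return ciphertext_length(serve(condition, pad_to))


def build_fingerprints(pad_to=None):
    """Attacker step 1: using their own account, select every option and record
    the ciphertext length each one produces (length -> candidate conditions)."""
    table = {}
    for cond in CONDITION_PAGES:
        table.setdefault(observe(cond, pad_to), []).append(cond)
    return table


def infer(observed_len, fingerprints):
    """Attacker step 2: match the victim's observed length against the table.
    A one-element list is a confirmed guess; a longer one is residual ambiguity."""
    return sorted(fingerprints.get(observed_len, []))


if __name__ == "__main__":
    for pad in (None, 512, 1024):
        table = build_fingerprints(pad)
        guess = infer(observe("diabetes", pad), table)
        print(f"padding={pad}: victim chose diabetes, attacker infers {guess}")
```

Without padding every condition maps to a distinct length, so one observed response identifies the victim's choice. Padding to 512 bytes merges three of the four pages but leaves the largest one alone in its bucket, so that condition is still recognizable; only a bucket that covers the largest response (1024 here) makes all four indistinguishable, at the cost of bandwidth. In a real application the response lengths are also affected by compression and by dynamic content, which an attacker averages out by sampling each state several times.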


Other research efforts highlight similar dangers. In 2009, computer scientists from the University of California at San Diego and MIT found that attackers could exploit the virtualized infrastructure of compute clouds to place their own virtual machines on the same physical server as a target customer's VMs and then use the shared hardware to gather information about the target's activity. A 2010 paper by researchers at IBM and Bar Ilan University found that storage clouds that deduplicate data across customers could let one customer learn which files other customers have stored, and from that infer their contents.
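The deduplication leak in the paragraph above is easy to miss because the service does nothing wrong per se: it simply tells the client "I already have this, don't bother sending it." The following Python model is an added example (not code from the article or from the IBM/Bar Ilan paper) of why that reply is an existence oracle. The store, the salary-letter template, the tenant names and the candidate salary range are all constructed for the example. An attacker who can guess the shape of a document but not one low-entropy field (a salary) uploads every candidate version and keeps the one the service refuses to transfer. The same class also models the randomized-threshold countermeasure proposed in that line of research, in which the service keeps accepting uploads of a file until a random per-file count is reached, so a single probe reveals nothing.

```python
"""Deduplication as a file-existence oracle in multi-tenant storage (constructed)."""
import hashlib
import random


class DedupStore:
    """Constructed model of a storage service with source-side deduplication:
    the client sends a content hash first and transfers the bytes only if the
    service says it does not already hold them. That reply is the side channel.

    max_threshold=1 models naive cross-tenant dedup. Larger values model the
    randomized-threshold countermeasure: each new file gets a random threshold
    t in [1, max_threshold], and the service keeps asking for the bytes until
    it has received the file t times, so a single probe learns nothing."""

    def __init__(self, max_threshold=1, rng=None):
        self.max_threshold = max_threshold
        self.rng = rng if rng is not None else random.Random()
        self.blobs = {}       # sha256 hex -> bytes actually stored
        self.uploads = {}     # sha256 hex -> how many times clients offered it
        self.thresholds = {}  # sha256 hex -> per-file random threshold

    def upload(self, data):
        """Returns True if the client had to transfer the bytes, False if the
        service answered 'already have it' (the observable signal)."""
        h = hashlib.sha256(data).hexdigest()
        if h not in self.thresholds:
            self.thresholds[h] = self.rng.randint(1, self.max_threshold)
        self.uploads[h] = self.uploads.get(h, 0) + 1
        self.blobs[h] = data
        return self.uploads[h] <= self.thresholds[h]


def salary_letter(name, salary):
    """A low-entropy template: everything is predictable except one field, so
    an attacker can enumerate the candidates. Wording is made up."""
    return f"Dear {name},\nYour annual salary for 2012 is set at ${salary:,}.\n".encode()


def probe_salaries(store, name, candidates):
    """Attacker (another tenant of the same store): offer each candidate letter
    and keep the ones the service already had, i.e. the ones someone else stored."""
    return [s for s in candidates if not store.upload(salary_letter(name, s))]


class MaxRng:
    """Deterministic stand-in for random used in the checks below: always pick
    the largest allowed threshold."""
    def randint(self, a, b):
        return b


if __name__ == "__main__":
    candidates = range(80_000, 90_001, 1_000)

    naive = DedupStore(max_threshold=1)
    naive.upload(salary_letter("Alice", 85_000))          # victim stores her letter
    print("naive dedup leaks:", probe_salaries(naive, "Alice", candidates))

    hardened = DedupStore(max_threshold=20, rng=random.Random(2012))
    hardened.upload(salary_letter("Alice", 85_000))
    print("randomized threshold leaks:", probe_salaries(hardened, "Alice", candidates))
```

Against the naive store, eleven probes recover the victim's salary exactly. Against the randomized-threshold store the attacker's first probe is answered with "send the bytes" unless the file happened to draw a threshold of 1, which occurs with probability 1/max_threshold; to force an answer the attacker must upload the same candidate up to max_threshold times at full bandwidth cost, which is both slower and far easier for the provider to notice. Encrypting data client-side with a per-tenant key before upload removes the cross-tenant channel entirely, at the cost of losing cross-tenant deduplication.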

Many of these issues are endemic to multitenant cloud services, or to the fact that a third-party cloud provider adds another channel through which attackers or investigators can get access to a company's data. Just by placing its data in the cloud, a company potentially opens that information to access by law enforcement or civil court order without being notified.

Many cloud providers have stated that they will support their customers' right to decide what happens with their data, but the providers are bound to follow the law, says John Howie, chief operating officer of the Cloud Security Alliance.

"Every cloud provider has pretty much said, 'If we get a court order, a subpoena, or any other legal vehicle which will allow access to data which we can disclose, we will refer the government or the court to the owner of that data,'" he says.

Yet unless a company controls its data in its own data center, it's hard to secure it, says Peter Wayner, a consultant and author of "Translucent Databases."

"Unless you've got the servers in your own secure facility, and you have your own people watching them, you have this problem with cloud or with any colocation," he says.

Companies' employees can create their own channel for leaking information by using unapproved services to store or communicate sensitive business data. Workers use consumer applications and cloud services on their own devices, and in many cases these services index and analyze the data for ad sales, but can expose it in other ways as well. Recently, for example, IBM decided to bar a number of cloud applications, including Apple's Siri voice recognition service, because it feared the services would store employees' queries in the cloud.

"People are using the cloud in ways that companies and enterprises aren't thinking about," CSA's Howie says.

Free cloud services generally make their revenue by profiling users for advertisers or by displaying advertisements. A crafty attacker could find ways to turn that same profiling against individual users, he says.

Companies need to educate their employees about the danger of placing business data in consumer cloud services. In addition, businesses should discuss potential data leakage with their cloud providers before signing up.

Comments
GR8Day
User Rank: Apprentice
5/30/2012 | 4:22:12 PM
re: Are Your Secrets Safe In The Cloud?

Seems like many organizations are still struggling with what method is best suited to add additional layers of authentication for access and transaction verification without unreasonable complexity. I've noticed many of the global Cloud providers are moving to the use of some form of 2FA (two-factor authentication) where the user is asked to telesign into their account by entering a one-time PIN code which is delivered to your phone via SMS or voice. Or if you don't want to do this every single time, some offer the option to designate your smartphone, PC, or tablet as a trusted device and they will allow you to enter without the text code. Should an attempt to login from an unrecognized device happen, it would not be allowed.
