Are Your Secrets Safe In The Cloud?With so much data being hosted in the cloud, companies need to look at side-channel attacks to make sure they know who has access to their data and how to keep it secret
Companies worried about the security of their data in the cloud have generally taken the obvious steps to protect their most valuable information, including encrypting sensitive data and using strong authentication to prevent access.
Yet there are a number of less obvious ways of leaking information, and ongoing research has shown that customers of cloud services -- even cloud security services -- need to worry about their data. For example, identity and access management systems may lock down a user's password and credentials, but miss the fact that the resource accessed and the frequency with which its accessed is valuable information. In other cases, API calls to a service can carry information about which features a company is accessing as well as other details.
These so-called "side-channel attacks" in Web services are not new, but with the popularity of cloud services, they are becoming more serious, says Carl Herberger, vice president of security solutions for cloud-application security provider Radware.
"The number of information [channels] out there is going to increase dramatically, so I expect the situation to get worse," he says.
Side-channel attacks analyze traffic patterns and control signals to gain information about communications content. In 2010, a research paper by Indiana University at Bloomington and Microsoft Research found that such attacks can glean a significant amount of information about a user's actions on software-as-a-service offerings. The paper found that popular online applications and services leak a significant amount of information, such as sensitive medical conditions in a healthcare service and income information in a tax preparation service.
[ Careless -- and occasionally malicious -- Web-browsing users might be the most serious threat to your organization's data. Here are some tips for keeping it safe. See How To Keep Your Users -- And Your Data -- Safe On The Web. ]
Other research efforts highlight similar danger. In 2009, computer scientists from the University of California at San Diego and MIT found that attackers could exploit the virtualized infrastructure of compute clouds to instantiate virtual machines that could then attempt to gather information on other customers' VMs on the same physical server. A 2010 paper by researchers at IBM and Bar Ilan University found that storage clouds that used deduplication across customers' data could leak information about the file names and content to others.
Many of these issues are endemic to multitenanted cloud services, or the fact that third-party cloud providers add another channel through which attackers or investigators can get access to a company's data. Just by placing its data in the cloud, a company potentially opens up the information to access by law enforcement or civil court orders without being notified.
Many cloud providers have stated that they will support their customers' rights to decide what happens with the data, but they are bound to follow the law, says John Howie, chief operation officer with the Cloud Security Alliance.
"Every cloud provider has pretty much said, 'If we get a court order, a subpoena, or any other legal vehicle which will allow access to data which we can disclose, we will refer to the government or the court to the owner of that data,'" he says.
Yet unless a company controls its data in its own data center, it's hard to secure it, say Peter Wayner, a consultant and author of "Transluscent Databases."
"Unless you got the servers in your own secure facility, and you have your own people watching them, you have this problem with cloud or with any colocations," he says.
Companies' employees can create their own channel to leak information by using unapproved services to store or communicate sensitive business data. Workers use consumer applications and cloud services on their own devices, and, in many cases, these services are indexing and analyzing the data for ad sales, but can expose it in other ways, as well. Recently, for example, IBM decided to bar a number of applications in the cloud, including Apple's Siri voice recognition service, because it feared the services will store employees' queries in the cloud.
"People are using the cloud in ways that companies and enterprises aren't thinking about," CSA's Howie says.
Free cloud services generally make their revenue by profiling users for ad services or display advertisements. A crafty attacker could find ways of profiling individual users, he says.
Companies need to educate their employees about the danger of placing business data in consumer cloud services. In addition, businesses should discuss potential data leakage with cloud providers.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.