
Risk

5/29/2012
05:46 PM

Are Your Secrets Safe In The Cloud?

With so much data being hosted in the cloud, companies need to look at side-channel attacks to make sure they know who has access to their data and how to keep it secret

Companies worried about the security of their data in the cloud have generally taken the obvious steps to protect their most valuable information, including encrypting sensitive data and using strong authentication to prevent access.

Yet there are a number of less obvious ways of leaking information, and ongoing research has shown that customers of cloud services -- even cloud security services -- need to worry about their data. For example, an identity and access management system may lock down a user's password and credentials but miss the fact that which resource is accessed, and how often it is accessed, is valuable information in itself. In other cases, the pattern of API calls to a service can reveal which features a company is using, along with other details, even when each call is authenticated and encrypted.

These so-called "side-channel attacks" in Web services are not new, but with the popularity of cloud services, they are becoming more serious, says Carl Herberger, vice president of security solutions for cloud-application security provider Radware.

"The number of information [channels] out there is going to increase dramatically, so I expect the situation to get worse," he says.

Side-channel attacks analyze traffic patterns and control signals -- packet sizes, timing, and the sequence of requests -- to infer the content of communications without breaking the encryption that protects it. In 2010, a research paper by Indiana University at Bloomington and Microsoft Research found that such attacks can glean a significant amount of information about a user's actions on software-as-a-service offerings. The paper found that popular online applications and services leak a significant amount of information, such as sensitive medical conditions in a healthcare service and income information in a tax preparation service, because each choice the user makes produces a response of a distinctive size.
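The following is an added example, written for this article rather than taken from it or from the paper it cites, that shows the mechanism in miniature. A mock health-advice service (the conditions, advice text, HTML template and padding size are all constructed assumptions) returns a reply whose length depends on the condition the user picked. An observer on the network sees only ciphertext, but TLS preserves length, so a table of lengths built by using the service once per option maps a sniffed reply straight back to the user's choice. Padding every reply to a fixed bucket collapses the table to one entry.

```python
import math
from typing import Dict, List, Optional

# Constructed sample data: invented advice text whose lengths differ per condition.
# Not from any real service or from the 2010 paper.
RESPONSES = {
    "asthma":       "Asthma: inhaled corticosteroids recommended.",
    "diabetes":     "Diabetes: schedule HbA1c test and dietary consult.",
    "hypertension": "Hypertension: check blood pressure twice daily.",
    "migraine":     "Migraine: keep a headache diary.",
}
AEAD_TAG_BYTES = 16  # a TLS AEAD record adds a constant-size tag; the length otherwise passes through


def render(condition: str) -> bytes:
    """Plaintext the server sends for the chosen condition (assumed HTML template)."""
    return f'<p class="advice">{RESPONSES[condition]}</p>'.encode()


def wire_length(plaintext: bytes, bucket: Optional[int] = None) -> int:
    """Length an on-path observer sees. Encryption hides content, not size: without
    padding the ciphertext is plaintext length plus a constant. With bucket padding
    (TLS 1.3 record padding, or padding done by the application) each reply is first
    rounded up to a multiple of `bucket` bytes."""
    n = len(plaintext)
    if bucket:
        n = math.ceil(n / bucket) * bucket
    return n + AEAD_TAG_BYTES


def fingerprints(bucket: Optional[int] = None) -> Dict[int, List[str]]:
    """Attacker's training step: use the service as an ordinary customer, once per
    option, and record the observed length of each reply."""
    table: Dict[int, List[str]] = {}
    for condition in RESPONSES:
        table.setdefault(wire_length(render(condition), bucket), []).append(condition)
    return {length: sorted(names) for length, names in table.items()}


def infer(observed_length: int, bucket: Optional[int] = None) -> List[str]:
    """Attack step: map a sniffed ciphertext length back to the candidate condition(s)."""
    return fingerprints(bucket).get(observed_length, [])


def distinguishable_classes(bucket: Optional[int] = None) -> int:
    """How many options the observer can tell apart from length alone."""
    return len(fingerprints(bucket))


if __name__ == "__main__":
    seen = wire_length(render("diabetes"))
    print("unpadded:", seen, "bytes ->", infer(seen))
    seen = wire_length(render("diabetes"), bucket=256)
    print("padded to 256:", seen, "bytes ->", infer(seen, bucket=256))
```

The padding defence costs bandwidth and only helps if the bucket is larger than the biggest reply; a real assessment also has to account for request sizes, the number of round trips and their timing, which the same fingerprinting loop can record.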


Other research efforts highlight similar dangers. In 2009, computer scientists from the University of California at San Diego and MIT found that attackers could exploit the virtualized infrastructure of compute clouds to place their own virtual machines on the same physical server as a target's, and then attempt to gather information about the other customer's VMs through the shared hardware. A 2010 paper by researchers at IBM and Bar Ilan University found that storage clouds that deduplicate data across customers could leak information about the files other customers had stored, because a client can observe whether an upload was actually transferred or was skipped as a duplicate.
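The deduplication leak is easy to model. Below is an added example, not code from the article or from the IBM and Bar Ilan paper, of a toy storage service that indexes uploads by content hash. In the weak configuration the index is shared by every customer, so an attacker who can guess most of a document (an offer letter whose only unknown is the salary, in this constructed scenario) uploads each guess and watches which one is deduplicated instead of transferred. Keying the hash with a per-tenant secret removes the oracle at the cost of cross-customer storage savings; the store, tenant names and document template are all assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List


class DedupStore:
    """Constructed model of a storage cloud that deduplicates by content hash.

    cross_tenant=True  : one shared index for all customers (the leaky design).
    cross_tenant=False : each tenant's index key is an HMAC under a tenant-specific
                         secret, so one tenant's uploads never match another's.
    """

    def __init__(self, cross_tenant: bool) -> None:
        self.cross_tenant = cross_tenant
        self.blobs: Dict[str, bytes] = {}       # index key -> stored content
        self.tenant_keys: Dict[str, bytes] = {}  # tenant -> secret for keyed hashing

    def _index_key(self, tenant: str, data: bytes) -> str:
        if self.cross_tenant:
            return hashlib.sha256(data).hexdigest()
        secret = self.tenant_keys.setdefault(tenant, secrets.token_bytes(32))
        return hmac.new(secret, data, hashlib.sha256).hexdigest()

    def upload(self, tenant: str, data: bytes) -> bool:
        """Return True if the bytes had to be transferred, False if deduplicated.

        A real client cannot see this flag directly, but it observes the same thing
        as bandwidth consumed and time taken, which is the side channel.
        """
        key = self._index_key(tenant, data)
        if key in self.blobs:
            return False
        self.blobs[key] = data
        return True


def probe(store: DedupStore, attacker: str, template: str, candidates: Iterable) -> List:
    """Upload one guess per candidate value and report those the store already had."""
    hits = []
    for value in candidates:
        guess = template.format(value).encode()
        if not store.upload(attacker, guess):
            hits.append(value)
    return hits


if __name__ == "__main__":
    # Constructed scenario: the victim stores a document with one unknown field.
    template = "Offer: salary USD {}"
    guesses = range(140000, 150001, 1000)

    leaky = DedupStore(cross_tenant=True)
    leaky.upload("victim", template.format(145000).encode())
    print("shared index, recovered:", probe(leaky, "attacker", template, guesses))

    safe = DedupStore(cross_tenant=False)
    safe.upload("victim", template.format(145000).encode())
    print("per-tenant index, recovered:", probe(safe, "attacker", template, guesses))
```

Real services deduplicate per chunk rather than per file, which makes the guessing easier, not harder, since only the chunk containing the unknown field has to be brute-forced. Tenant-scoped keying is one fix; another the same paper's line of work discusses is deduplicating only server-side, after the full upload, so the client never learns whether its bytes were new.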

Many of these issues are endemic to multitenant cloud services, or stem from the fact that a third-party cloud provider adds another channel through which attackers or investigators can get access to a company's data. Just by placing its data in the cloud, a company potentially opens up the information to access by law enforcement or civil court orders without being notified.

Many cloud providers have stated that they will support their customers' rights to decide what happens with the data, but they are bound to follow the law, says John Howie, chief operating officer of the Cloud Security Alliance.

"Every cloud provider has pretty much said, 'If we get a court order, a subpoena, or any other legal vehicle which will allow access to data which we can disclose, we will refer the government or the court to the owner of that data,'" he says.

Yet unless a company controls its data in its own data center, it's hard to secure it, says Peter Wayner, a consultant and author of "Translucent Databases."

"Unless you got the servers in your own secure facility, and you have your own people watching them, you have this problem with cloud or with any colocations," he says.

Companies' employees can create their own channel for leaking information by using unapproved services to store or communicate sensitive business data. Workers use consumer applications and cloud services on their own devices, and, in many cases, these services index and analyze the data for ad sales, but can expose it in other ways as well. Recently, for example, IBM decided to bar a number of cloud applications, including Apple's Siri voice-recognition service, because it feared the services would store employees' queries in the cloud.

"People are using the cloud in ways that companies and enterprises aren't thinking about," CSA's Howie says.

Free cloud services generally make their revenue by profiling users for advertisers or by displaying advertisements. The same profiling data gives a crafty attacker a way to single out and track individual users, he says.

Companies need to educate their employees about the danger of placing business data in consumer cloud services. In addition, businesses should discuss potential data leakage with cloud providers.

Comments
GR8Day, User Rank: Apprentice, 5/30/2012 | 4:22:12 PM
re: Are Your Secrets Safe In The Cloud?

Seems like many organizations are still struggling with what method is best suited to add additional layers of authentication for access and transaction verification without unreasonable complexity. I've noticed many of the global Cloud providers are moving to the use of some form of 2FA (two-factor authentication) where the user is asked to telesign into their account by entering a one-time PIN code which is delivered to your phone via SMS or voice. Or if you don't want to do this every single time, some offer the option to designate your smartphone, PC, or tablet as a trusted device and they will allow you to enter without the text code. Should an attempt to login from an unrecognized device happen, it would not be allowed.
