Adopt better public cloud admin habits

More companies and end-users are signing up for public cloud services, particularly infrastructure-as-a-service, as a quick and cost-efficient way to acquire additional computing power for specific tasks. As adoption grows, though, these users need to adopt better habits to prevent possible malware, data breaches and leaks, observers urge.

In a recent test, French researchers from technology institute, Eurecom, Northeastern University and security vendor, SecludIT, ran automated scanning tools to detect security vulnerabilities and malware on over 5,000 virtual machine (VM) images published on Amazon Web Services' (AWS) catalog of VMs, set up with preset configurations to run on the cloud provider's EC2 service.

Results showed that 22 percent of the VMs allowed the person who set up the machine--either by AWS or third-party companies such as Turnkey and Jumpbox--to access content stored on the machine, the researchers stated. Additionally, 98 percent of these Amazon Machine Images (AMIs) contained data the company or individual that set up the machine had intended to delete, but could still be extracted from the VM.

"If the guy who set up the machine forgot to erase his credentials or left them there on purpose, everyone who has the credential can log into the server," Marco Balduzzi, one of the Eurecom researchers, told Forbes in a Nov. 8 report.

The researchers, who said they would publish their findings officially in March next year, added that such scenarios were also possible with other cloud providers such as Joyent, IBM, Rackspace and Terremark.

Commenting on these findings, Steve Hodgkinson, Ovum's Asia-Pacific research director of IT, said many of the AMIs currently available are provided free of charge on a "user beware" basis.

As such, it is up to the users to protect their safety by either using trusted AMIs or testing and sanitizing the AMI prior to, and after use, he added.

Hodgkinson also pointed out that with the ease of signing up for such public cloud services, more end-users are bypassing their IT departments to acquire these services on their own. This means information put on these virtual machines are not managed by the IT team, adding to the possible data security risks, he noted in his e-mail.

A spokesperson for AWS acknowledged the validity of the vulnerability highlighted by the French researchers, saying that the hole is introduced when customers publish AMIs before taking appropriate precautions to remove private information.

She also pointed to a security blog post by the cloud provider in June this year which stated it received no reports that such vulnerabilities had been actively exploited.

In cases where AWS is made aware of a public AMI that contains a SecureShell (SSH) key, which allows the publisher to remotely access any running instance of the AMI, AWS will contact the publisher and request that the AMI be made private, the blog post stated. If the publisher is not contactable, AWS will make the AMI private on their behalf, it added.

Cloud vendor, Rackspace, declined to comment for the article.

Adhere to best practices
In order to address the vulnerabilities highlighted in the study, Hodgkinson recommended IT departments, particularly organizations in the financial and public sectors, exert control over "stealth cloud adoption" by end-users and bring these services under normal IT governance arrangements.

Other best practices include establishing well tested and trusted procedures for using public cloud services and establishing governance arrangements to ensure standard practices are followed, with authorization and monitoring arrangements in place, he added.

Victor Keong, partner and practice leader for information protection and business resilience for Asia-Pacific at KPMG Advisory, added that companies should assess the different cloud service providers according to the type of data security and privacy measures they adhere to.

Companies should also regularly monitor and audit their service providers to determine if the security policies and required service levels are being met, he told ZDNet Asia in his e-mail.

An additional step would be to develop or maintain a standard template of contractual safeguards in the event of data breaches, Keong noted. For instance, contractual terms should cover "privacy policies, communication and training, privacy management and compliance and choice and consent toward data portability", he said.