Academics have figured out a way to find particular applications running within cloud providers’ networks and to threaten their security.
Researchers at the University of California at San Diego and at M.I.T. say they can buy cloud services from Amazon and place a virtual machine on the same physical machine as a target application.
Once there, they can use their virtual machine’s access to the shared resources of the physical machine to steal data such as passwords.
The technique is experimental and doesn’t work all the time, but it indicates that service providers’ clouds are susceptible to new types of attack, the researchers say. And while they attacked inside Amazon’s EC2 cloud, they say their method would work equally well with other cloud providers.
The researchers say that one way around the weakness they found is for customers to insist that their virtual machines be placed on physical machines that only they, or they and trusted third parties, can access. This solution will likely come at a price premium, because part of the economy of cloud services is maximizing use of physical servers by efficiently loading them up with virtual machines.
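As an added illustration (not part of the original article), the Python sketch below shows one way a customer could check whether that placement requirement is actually met on EC2: it scans `describe-instances`-shaped JSON and reports sensitive instances still on shared hosts. The `data-class` tag, the function name and the sample instance IDs are assumptions made for the example; the `Placement.Tenancy` field and its `default`, `dedicated` and `host` values are EC2's own.

```python
import json

# Constructed sample, shaped like `aws ec2 describe-instances` JSON output.
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-00000000000000001", "State": {"Name": "running"},
   "Placement": {"Tenancy": "default"},
   "Tags": [{"Key": "data-class", "Value": "sensitive"}]},
  {"InstanceId": "i-00000000000000002", "State": {"Name": "running"},
   "Placement": {"Tenancy": "dedicated"},
   "Tags": [{"Key": "data-class", "Value": "sensitive"}]},
  {"InstanceId": "i-00000000000000003", "State": {"Name": "running"},
   "Placement": {"Tenancy": "default"},
   "Tags": [{"Key": "data-class", "Value": "public"}]},
  {"InstanceId": "i-00000000000000004", "State": {"Name": "stopped"},
   "Placement": {},
   "Tags": [{"Key": "data-class", "Value": "sensitive"}]},
  {"InstanceId": "i-00000000000000005", "State": {"Name": "terminated"},
   "Placement": {"Tenancy": "default"},
   "Tags": [{"Key": "data-class", "Value": "sensitive"}]}
]}]}
""")

# EC2 tenancy values that keep other customers off the physical host.
SINGLE_TENANT = {"dedicated", "host"}


def shared_host_findings(described, tag_key="data-class", tag_value="sensitive"):
    """Return (instance_id, tenancy) for sensitive instances on shared hosts.

    tag_key/tag_value are a hypothetical tagging convention for this example.
    """
    findings = []
    for reservation in described.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue  # gone for good, no longer placed on any host
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get(tag_key) != tag_value:
                continue  # not in scope for the isolation requirement
            # A missing tenancy is treated as "default" (shared) so it is flagged.
            tenancy = inst.get("Placement", {}).get("Tenancy", "default")
            if tenancy not in SINGLE_TENANT:
                findings.append((inst["InstanceId"], tenancy))
    return sorted(findings)


if __name__ == "__main__":
    for instance_id, tenancy in shared_host_findings(SAMPLE):
        print(f"{instance_id}: tenancy={tenancy} (shared physical host)")
```

Stopped instances are still reported, since they return to a shared host when restarted.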
This doesn’t mean that cloud services are unsafe and shouldn’t be used. But the work by the researchers highlights that clouds and the virtual environments they employ are relatively new. As a result, they still draw the attention of attackers bent on finding and exploiting unexplored vulnerabilities.
The bottom line here is that businesses should treat clouds with a certain amount of suspicion. They should assess the risk the cloud service represents and only commit data to such services when they can tolerate that risk.