Amazon Downplays Report Highlighting Vulnerabilities in Its Cloud Service

Amazon today said that it has taken steps to mitigate a security issue in its cloud computing infrastructure that was identified recently by researchers from MIT and the University of California at San Diego.

By Jaikumar Vijayan

Wed, October 28, 2009Computerworld Amazon said today that it has taken steps to mitigate a security issue in its cloud computing infrastructure that was identified recently by researchers from MIT and the University of California at San Diego.

Cloud Security: Danger (and Opportunity) Ahead
Cloud Computing Definitions and Solutions

The report described how attackers could search for, locate and attack specific targets in Amazon's Elastic Computer Cloud (EC2) because of certain underlying vulnerabilities in the infrastructure.

Though the attack described in the report was conducted against Amazons infrastructure, the researchers concluded that similar targeted attacks could be carried out in other cloud services as well because the vulnerabilities were generic.

In response, Amazon spokeswoman Kay Kinton said today that the report describes cloud cartography methods that could increase at attacker's probability of launching a rogue virtual machine (VM) on the same physical server as another specific target VM.

What remains unclear, however, is how exactly attackers would be able to use that presence on the same physical server to then attack the target VM, Kinton told Computerworld via e-mail.

The research paper itself described how potential attackers could use so-called "side-channel" attacks to try and try and steal information from a target VM. The researchers had argued that a VM sitting on the same physical server as a target VM, could monitor shared resources on the server to make highly educated inferences about the target VM.

By monitoring CPU and memory cache utilization on the shared server, an attacker could determine periods of high-activity on the target servers, estimate high-traffic rates and even launch keystroke timing attacks to gather passwords and other data from the target server, the researchers had noted.

Such side-channel attacks have proved highly successful in non-cloud contexts, so there's no reason why they shouldn't work in a cloud environment, the researchers postulated.

However, Kinton characterized the attack described in the report as "hypothetical," and one that would be "significantly more difficult in practice."

"The side channel techniques presented are based on testing results from a carefully controlled lab environment with configurations that do not match the actual Amazon EC2 environment," Kinton said.

"As the researchers point out, there are a number of factors that would make such an attack significantly more difficult in practice," she said.

At the same time, Amazon takes all reports of vulnerabilities in its cloud infrastructure very seriously, she said. The company will continue to investigate potential exploits thoroughly and continue to develop features bolster security for users of its cloud service, she said.
Loading...
Cloud Computing MarketSpace
Solving On-premise Email Challenges
This white paper presents ten on-premise challenges and their on-demand services solutions. Learn more »
A Comparative Cost Analysis of Email Environments
This Forrester report will help you evaluate the full cost of your email environment and it will explore the benefits of cloud-based technologies. Learn more »
An Infrastructure and Operations Analysis
This Forrester Report review three basic architectures to consider as you evaluate taking your email into the cloud. Learn more »
The Benefits of Two Factor Authentication
Get recommendations on evaluating, cost-justifying, and implementing two factor authentication. Learn more »
The Argument for In-the-Cloud Authentication
The advantages of cloud-based, two-factor authentication continue to gain favor. Learn more »
Cloud-Based Authentication for Next-Generation Extranets
This paper makes the case for implementing greater security for the new social media enabled extranets. Learn more »
Download Forrester Research on Google
Download the independent research report comparing the costs of email from Google and other providers. Learn more »
Cloud Computing: What are its payoffs and pitfalls?
Cloud computing frees up budgets hand-cuffed by IT expenses. Learn more »
 
SPONSORED LINKS
 

Making Consumer Two-Factor Authentication Simple and Cost-Effective

Cloud-Based Authentication for Next-Generation Extranets

Cloud Computing--What is its Potential Value for Your Company?

Should Your Email Live In The Cloud? A Comparative Cost Analysis

Return on Information: Google Enterprise Search pays you back

Cut Costs & Green Your IT Operations with PC Power Management

White Paper: 4 Customer Service Myths

White Paper: Managed Security for a Not-So-Secure World

White Paper: 5 Best Practices for Smartphone Support

Global Research: CIOs Weigh In On Virtualization

5 Key Virtualization Management Challenges

Secure Email and Web-Based Communication from Evolving Attacks

WagerWorks Takes Fraudsters Out of the Game using iovation

Seven Design Requirements for Web 2.0 Threat Protection

Increase UPS efficiency without sacrificing protection.

Learn how advanced forecasting tools can deliver significant business results for global corporations.

Lower IT Costs with Oracle Database 11g Release 2

White Paper: Visibility and the New Normal of Mobile Work

Taking the Service Desk to the Next Level

Learn about The Information Technology Infrastructure Library.

Return on Information: Google Enterprise Search pays you back. Get the facts.

VMware. The source for Business Infrastructure Virtualization.

ShoreTel tells businesses to untangle from competitors' complexity and turn to its brilliantly simple UC solution

Top Five CIO Challenges

Read the RSA report: Security for Business Innovation

Mining the Cloud to Ease the Enterprise Compliance Burden

Solve Five Key IT Security Challenges with Cloud-Based Authentication

Cloud Computing--Latest Buzzword or a Glimpse of the Future?

Upgrading to VMware vSphere with vWire

Maximizing website Return on Information with high-quality search

See how AT&T can help protect your network.

Webcast: Unleashing the Power of Customer Data

White Paper: Improve Agility with Operational Responsiveness

White Paper: Legacy Tools: Not Built for the Helpdesk

Taking a Seat at the Executive Table: The Reality of Virtualization

White Paper: Next Generation Remote Infrastructure Management

Keeping Your Members Safe from Online Scams and Predators

The Total Economic Impact of Network Security Intrusion Prevention

Generation Remote Infrastructure Management - Changing the Paradigm

Cloud-Based Email Management: Opinion Shifts In Favor

eBook: How Can You Make Your People Productive Anywhere?

Achieving Business Agility with Application Grid

Ready to virtualize tier one applications? Check your virtualization maturity.

Seven Ways ITIL Can Help You in an Economic Downturn

Tips for successful virtualization management.

AT&T Synaptic Storage as a Service. Expand on demand

Trend Micro ranked #1 against real-world malware. Read more.

Webinar: Jump-start your in-house e-discovery with Ringtail QuickCull from FTI Technology

Streamline IT Costs. Boost Performance with WAN Optimization.

Build your 1st app FREE with Force.com

 
 
RESOURCE CENTER
 
buy a link »
Ads by TechWords