Cloud services have been widely embraced for their many benefits. However, after several reported espionage attacks and data losses, companies and their clients have become more aware of the potential risks of storing data in the cloud. Typically, there is no overall control over the data, and the security of a third party has to be trusted – sometimes in another country with different laws and regulations. In response, many cloud service providers have stepped up their efforts and implemented better controls, encryption and servers located in countries closer to their regional clients, all of which is welcome.
Recently, during a research project, it was discovered that, despite all of these security measures, many cloud services have a serious weak spot: the virtual infrastructure on which most cloud services run.
It was shown that it is possible to listen in on secure communications that run over the Transport Layer Security (TLS) protocol. According to Radu Caragea, the researcher who found this vulnerability, this can be done from the virtualisation tier without anyone noticing. He called this technique “Periscope” and says that it enables intruders to read the encrypted communication between the end user and a virtual environment.
Service providers therefore have the ability to make supposedly secure data traffic accessible, to themselves or to any other third party. At the time of writing there is no known countermeasure to this specific scenario. The vulnerability also exists in self-hosted virtual systems, but there an attack can only come from the inside, so if you control the virtualisation layer yourself you reduce the risk.
What does it mean for companies?
The increasingly widespread adoption of cloud technologies in the business world is here to stay and brings many advantages. However, companies that are outsourcing their file storage and transfer to the cloud should consider the following questions:
- Which service provider offers the greatest security in the cloud?
- Which data should be stored in or transferred through the cloud? And, conversely, which should not?
- Could those systems also be self-hosted?
With an on-site system or infrastructure-as-a-service (IaaS), companies still have the option of moving it to a physical platform and thereby eliminating the weak spot. This is usually not an option with software-as-a-service (SaaS) offers, which are most often run in virtual environments.
In the light of the newly discovered vulnerability, we recommend that companies carefully consider which software and data to keep in their own infrastructure before moving everything to third-party clouds, especially for activities that involve storing sensitive data or sending large and confidential files. This way they have the best chance of keeping total control over their data and eliminating one very serious vulnerability.
With Cryptshare you can run e-mail encryption and secure file transfer easily within your own infrastructure. Read more about the various Cryptshare operation modes.