Hacker News new | past | comments | ask | show | jobs | submit login
Mitigating Cloud Vulnerabilities [pdf] (defense.gov)
46 points by LVB 35 days ago | hide | past | web | favorite | 7 comments



This is something I was trying to research at one point:

> While there have been no reported isolation compromises in any major cloud platform,

What about minor cloud platforms? I'm would be surprised if there hasn't been real cases of e.g. the horror scenario where data gets silently exposed via uninitialized/unencrypted disk volumes that were not correctly wiped by the CSP before re-use by a different customer.

I've seen it happening on-premises with e.g. Ganeti, which does not wipe instance disks by default. In that case it was obvious because the OS installer would complain about pre-existing LVM volume groups on the disks. It does offer an option to spend an hour wiping new disks when provisioning them...


Digital Ocean used to hand out SSDs without scrubbing them.

https://github.com/fog/fog/issues/2525


HPE cloud has been mentioned, among others:

A report a few days ago revealed that hackers linked with China’s government were stealing data from more than a dozen global telecom companies for years.

According to Reuters, eight of the world’s biggest technology service providers were hacked by APT10 spies, with attacks going as far back as to 2010 in some instances. Dubbed as “Cloud Hopper,” the campaign affected Hewlett Packard Enterprise (HPE), IBM, Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation, and DXC Technology.

https://bgr.com/2019/06/27/china-vs-usa-massive-apt10-cloud-...


Also, but the major cloud hosters proably wouldn't report compromises.


"Containerization is less secure of an isolation technology than virtualization because of its shared kernel characteristics"

"Containerization, while being an attractive technology for performance and portability, should be carefully considered before deployment in a multi-tenant environment."


"Containerization, while being an attractive technology for performance and portability, should be carefully considered before deployment in a multi-tenant[, shared] environment [in which the physical hardware is shared among many users]." -- I'd say that's more accurate.


There are also security oriented container runtimes where this doesn't seem to apply (eg gVisor).




Applications are open for YC Summer 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: