The issue, Jordan says, was with the way the providers provisioned new virtual servers and how they allocated new storage space. On the front end, when clients create new virtual servers, they use the provider's website to select the operating system and amount of storage they require.
On the backend, the provider gathers disk space to contain the virtual image and then overwrites the start of the disk with a preconfigured OS image.
"This means that only the start of the disk is filled with initialized data, as the rest of the disk would never be explicitly written to during provisioning," Jordan and Forshaw wrote. "If this allocation was being performed using the hosting operating system's file APIs, this would not normally be a problem. The OS would ensure that any uninitialized data was automatically zeroed before being returned to a user application (or in this case the virtual machine). Clearly in this case it was not using these mechanisms."
Jordan notes that because the problem lies with the method of configuring hypervisors, it could potentially affect managed hosting providers as well as cloud service providers.
Both providers that exhibited the vulnerabilityRackspace and VPS.nethave since reported that they have patched the vulnerability. Rackspace reportedly worked closely with Context to address the issue, inviting Context researchers to its headquarters and providing access to its engineers, executives and processes. VPS.net uses technology from OnApp, also used by at least 250 other cloud service providers. VPS.net told Context that it rolled out a patch that fixed the issue.
Jordan notes that this issue should not stop companies from using IaaS if there's a strong business need for it. But he does recommend that customers follow best practices when leveraging the cloud.
"If you are a new customer, you have options," he says. "You can ensure your data is encrypted when it's on the hard disk. That way if someone does get access to a portion of a disk, they'll only see encrypted data."
Jordan also recommends asking your provider lots of questions about their processes, including how hypervisors are provisioned and deprovisioned. Additionally, he notes that it is the client's responsibility to harden virtual servers provided by the service provider, and that includes checking out any backdoors providers use to manage the server.
Thor Olavsrud covers IT Security, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Thor at firstname.lastname@example.org
Read more about cloud computing in CIO's Cloud Computing Drilldown.