A recent report by researchers from MIT and the University of California at San Diego described how attackers could search for, locate, and attack specific targets in Amazon.com's Elastic Computing Cloud (EC2) "because of certain underlying vulnerabilities in the infrastructure."
Amazon.com is, of course, downplaying the information in the report, yet it is also talking about how it will address this and other vulnerabilities. What's getting me is the fact that Amazon.com is not congratulating and thanking the University of California for in essence providing free vulnerability testing, but instead is starting the spin machines. Amazon.com characterized the attack described in the report as "hypothetical" and something that would be "significantly more difficult in practice." It's been my experience that if a vulnerability is there, it'll eventually be exploited.
The research paper itself described how potential attackers could use "side-channel" attacks to try to steal information from a target virtual machine. The researchers had argued that a VM sitting on the same physical server as a target VM could monitor shared resources on the server to make highly educated inferences about the target VM.
It should be noted that the testing was carried out on a separate platform, and the researchers did not actually use the Amazon.com EC2 infrastructure. Therefore, I consider this report of vulnerability conceptual at this point.
The larger issue here is the fact that organizations that spend time trying to test the emerging cloud providers for vulnerabilities, such as the ones described in the report, are doing everyone a favor. Thus, were I Amazon.com, I would be less defensive and more thankful. However, its concern perhaps is more about short-term revenue growth, which these types of reports could hinder, than technological strengthening.
I suspect that testing companies are already ramping up to put cloud computing providers through their paces, for either government or commercial clients -- even the cloud computing providers themselves may be doing such testing. That's good: The more you test, the more you learn, and that's the only way we're going to get cloud computing to a trustworthy state.
But as the MIT-UCSD report and Amazon.com's response to it show, we're clearly not all the way there yet.