Securely wiping dirty disks

Recently, some security researchers identified a security vulnerability with some cloud services (in particular VPS.net and Rackspace Cloud) that caused customers’ data to be leaked.

Secure virtual disk deletion is something we wrote about back in 2007 and Brightbox Cloud had this feature as part of the very first design specification, over two years ago. So, I thought I’d go through some of the options we considered and what we finally decided.

Design

To maximise performance (and minimise complexity!) we use full disk allocation so that each server is allocated a contiguous section of disk using LVM. This also means we avoid a lot of very subtle data security problems associated with file-backed disks that make secure wiping extremely difficult (such as customer data being written to host file system journals).

This still leaves the problem of preventing a newly built server from reading data from previously deleted servers.

We originally considered using a copy-on-write system that would return zeroes when reading sections of disk that had not yet been written (as Amazon EC2 does) but this design has a few downsides. In particular, it affects write performance because the first write to each block requires a copy-on-write bitmask update to be synchronously written to disk.

It would also mean that customers’ data would still actually be on disk after they destroyed their server, which we didn’t like. If you destroy a server, you should be confident that the data was destroyed too - it shouldn’t still be stored anywhere, no matter what assurances are given about the access security.

Instead, we opted for fully wiping the disks when a server is destroyed. We implemented QoS-style limits on our disk wipes, so they don’t interfere with active servers on the same host. The disk wiping is very low priority and only runs when the host has IOPs to spare. This is why destroying a server takes a little time to complete - we only confirm that it’s been destroyed when the disk wipe finishes successfully.

Physical disk failure

If a physical disk fails, our policy is to never send it back to the manufacturer without being wiped. Disks often fail in such a way that reading existing data from them is easy, even though they’re not usable in production. Sending these back to the original manufacturer means we would be sending out fragments of customer data to an untrusted third party.

So, the disks we’re able to wipe are returned, or retained for use in staging systems. Disks that do not respond are physically destroyed.

I hope this small glimpse of the steps we take to safeguard our customers’ data shows that we take it seriously and this level of data security is at the heart of the Brightbox Cloud architecture.

posted 27 Apr 2012 by John Leach

New - Cloud IP Port Translation

If you’ve been looking for a good solution for hosting multiple SSL/TLS sites on the same Cloud Server, then look no further! Our new Port Translation feature for Cloud IPs solves that problem (and more).

Our Cloud Servers currently have a single network interface with a single private IPv4 address (and a nice fat IPv6 allocation of course, but most people aren’t ready to go IPv6-only just yet :). You can map multiple Cloud IPs to the same Cloud Server, but the server cannot differentiate between connections made to different Cloud IPs.

So, if you map multiple Cloud IPs to the same Cloud Server (or Load Balancer) expecting to be able to host multiple HTTPS services (with different certificates) you hit a bit of a problem. You’d hit the same problem with most mappable IP systems, such as EC2’s Elastic IPs.

You could use SSL’s “new” Server Name Indication feature to work around this, but it is still not supported in all browsers (in particular, no version of Internet Explorer on Windows XP supports it).

This is where our new Port Translation feature comes in. It allows you to change the destination port of incoming connections to a particular Cloud IP. So you can map several Cloud IPs to the same server, but the HTTPS port on each IP is mapped to a different port on the server, allowing you to serve different SSL certificates! You just configure your web server to listen on a different port for each virtual host.

This feature obviously isn’t just limited to HTTPS - it can translate any tcp or udp port, so you could serve several SMTP or DNS services for example.

As usual, we’ve written a step-by-step guide on using Port Translation on our docs site, and there is a reference page for more details.

We’ve got more neat Cloud IP features up our sleeves, so keep an eye out for more announcements coming soon.

posted 18 Apr 2012 by John Leach