3 Things You Really Should Know about Other People’s Cloud VMs

Image Attribution: Flickr

The joys of using a virtual machine in the cloud are similar to those of living in an apartment. A condo (the virtual machine) costs less than a house (your own server), and somebody else takes care of the apartment block (the physical cloud server) as a whole, including mowing the lawn. On the other hand, the drawbacks of apartment living can include noisy neighbors, careless tenants, and burglars who sneak into the building to break into apartments from the inside. It turns out that multi-tenancy in cloud computing and in physical accommodation have a lot in common.
The Noisy Neighbor Effect among VMs
Each virtual machine takes a share of the overall resources of the physical host. VMs may be started or stopped at any time, consuming or releasing resources accordingly, which means potential and unforeseeable performance degradation for the other virtual machines on the same host. Processing power, main memory and disk input/output may all be affected. ‘Cache pollution’ may also occur: one virtual machine loads data into a shared CPU cache unnecessarily, and another virtual machine’s data gets kicked out, or rather, evicted down to lower and slower levels of the memory hierarchy.
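One way to notice the noisy-neighbor effect from inside a guest is the "steal" counter that a Linux kernel exposes in the aggregate `cpu` line of `/proc/stat`: it counts time the hypervisor ran other tenants while this VM was ready to run. The following is an added example, not code from the original post; it assumes a Linux guest whose kernel reports the steal column, the sample lines are constructed rather than captured from a real host, and the 10% alert threshold is a constructed operational choice.

```python
"""Added example: estimate how much CPU time the hypervisor is taking away from
this VM, using the "steal" counter Linux reports in /proc/stat.

Assumptions (not from the page): a Linux guest whose kernel reports the steal
column, and an alert threshold of 10% that is a constructed operational choice."""

# Constructed /proc/stat "cpu" lines, not captured from a real host.
# Field order after "cpu": user nice system idle iowait irq softirq steal guest guest_nice
SAMPLE_BEFORE = "cpu  10000 0 3000 50000 0 0 0 500 0 0"
SAMPLE_AFTER = "cpu  11000 0 3500 51700 0 0 0 1300 0 0"


def parse_cpu_line(line):
    """Split the aggregate 'cpu' line into total and steal jiffies."""
    fields = line.split()
    if not fields or fields[0] != "cpu":
        raise ValueError("expected the aggregate 'cpu' line")
    values = [int(v) for v in fields[1:]]
    if len(values) < 8:
        raise ValueError("kernel does not report the steal column")
    # guest/guest_nice are already counted inside user/nice, so only sum the first eight
    return {"total": sum(values[:8]), "steal": values[7]}


def steal_percent(line_before, line_after):
    """Percentage of elapsed CPU time the hypervisor stole between two samples."""
    before = parse_cpu_line(line_before)
    after = parse_cpu_line(line_after)
    delta_total = after["total"] - before["total"]
    if delta_total <= 0:
        raise ValueError("samples must be taken in chronological order")
    return 100.0 * (after["steal"] - before["steal"]) / delta_total


def noisy_neighbor_alert(line_before, line_after, threshold=10.0):
    """Return (steal_pct, alert); alert is True once steal crosses the threshold."""
    pct = steal_percent(line_before, line_after)
    return pct, pct >= threshold


def read_cpu_line(path="/proc/stat"):
    """Read the live aggregate line on a Linux guest (first line of /proc/stat)."""
    with open(path) as fh:
        return fh.readline()


if __name__ == "__main__":
    # Replace the constants with two read_cpu_line() calls a few seconds apart on a real guest.
    pct, alert = noisy_neighbor_alert(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(f"steal {pct:.1f}% over the interval, alert={alert}")
```

Sustained steal time is a host-contention signal, not proof of a malicious neighbor; the practical response is to track it over time and raise it with the provider, or move to a less loaded host, when it stays high.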
The Careless Tenant
Users who are lax on security may fall prey to account hijackers, who then gain control of the user’s account and any associated VMs. If the resources (server, database or other) you share with such users are fully secured, this situation may not have an impact on you: the hijacker should not be able to tamper with or steal other users’ data, including yours. The problem comes if you are both using the same multi-tenant database and the cloud provider has security problems of its own. It is rather like the janitor leaving the back door of the apartment block permanently wedged open. In that case, a hijacker could possibly accomplish further data breaches, for example using SQL injection attacks to penetrate the cloud server more deeply and gain information on other users and their account credentials.
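The multi-tenant database case above is worth seeing concretely: a query that filters by tenant but is assembled from string concatenation can have its tenant filter rewritten by whatever the caller types, whereas a parameterized query keeps the input as data. The following is an added example, not code from the original post; it uses an in-memory SQLite table, and the tenant names, rows and probe string are constructed for illustration.

```python
"""Added example: why a shared multi-tenant database must never build SQL from
string concatenation. Table contents and the probe string are constructed."""
import sqlite3


def make_db():
    """Constructed multi-tenant table: two tenants sharing one database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (tenant_id TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?)",
        [("tenant-a", "quarterly plan"), ("tenant-b", "api credentials")],
    )
    return conn


def search_vulnerable(conn, tenant_id, title):
    """Vulnerable form: user input is pasted into the statement text, so a
    crafted title can change the WHERE clause and escape the tenant filter."""
    sql = ("SELECT tenant_id, title FROM documents "
           f"WHERE tenant_id = '{tenant_id}' AND title = '{title}'")
    return conn.execute(sql).fetchall()


def search_parameterized(conn, tenant_id, title):
    """Hardened form: placeholders keep the input as data, so the tenant
    filter cannot be altered by anything the caller supplies."""
    sql = "SELECT tenant_id, title FROM documents WHERE tenant_id = ? AND title = ?"
    return conn.execute(sql, (tenant_id, title)).fetchall()


def tenants_exposed(rows, own_tenant):
    """Which other tenants' rows leaked into a result set meant for own_tenant."""
    return sorted({t for t, _ in rows if t != own_tenant})


def demo(probe="x' OR '1'='1"):
    """Run both forms with the same input as tenant-a; returns the list of
    other tenants leaked by the vulnerable and by the parameterized query."""
    conn = make_db()
    leaked_vuln = tenants_exposed(search_vulnerable(conn, "tenant-a", probe), "tenant-a")
    leaked_safe = tenants_exposed(search_parameterized(conn, "tenant-a", probe), "tenant-a")
    return leaked_vuln, leaked_safe


if __name__ == "__main__":
    print("leaked by concatenation:", demo()[0])   # other tenants' rows
    print("leaked by placeholders: ", demo()[1])   # nothing
```

Parameterized statements are the first line of defence; in a genuinely shared database they should be backed by a per-tenant database role with least privilege, so that even a flaw elsewhere cannot read beyond the caller's own rows.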
The Thief Next Door
By installing a VM next to yours on the same physical server, a cyber-thief could get into your VM too. The technique is called side-channel analysis. It is a complex undertaking: the attacker works to recover traces of your resource use, such as leftover CPU cache state or electromagnetic emanations from the server. With enough data, the attacker can begin to piece together information with which to attack your account and VMs. As a potential threat, side-channel analysis has been discussed for some time, and experiments have shown that it is indeed possible to move from theory to practice. A team of scientists recently showed that it could extract secrets from a neighboring VM. The team installed its own VM on the same machine and alternated with the target VM in using the processor and its cache. After the target VM had used the resources, the attacking VM went in to inspect the cache contents, and fragments of account credentials and encryption keys could be recovered each time.
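The software-side lesson from that experiment generalizes beyond caches: code that handles a secret must not let the amount of work it does, or the memory it touches, depend on the secret, because a neighbor sharing the hardware may be able to observe the difference. The following is an added example, not code from the original post or the experiment it describes; rather than measuring time (noisy in Python) each comparison reports how many bytes it inspected, and the token value is constructed for illustration.

```python
"""Added example: the defensive principle behind side-channel resistance, that
the work done while checking a secret must not depend on the secret.
Step counts stand in for timing; the token is a constructed value."""
import hmac

SECRET = b"s3cr3t-token"  # constructed secret, e.g. an API token held by a VM


def compare_early_exit(expected, provided):
    """Leaky comparison: returns at the first mismatching byte, so the number
    of steps equals the length of the correctly guessed prefix plus one."""
    steps = 0
    if len(expected) != len(provided):
        return False, steps
    for a, b in zip(expected, provided):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def compare_constant_work(expected, provided):
    """Secret-independent comparison: walks every byte of the input and folds
    differences together with OR, so the step count depends only on the
    length of what the caller supplied, never on where the secret differs."""
    if not expected:
        return len(provided) == 0, 0
    steps = 0
    diff = len(expected) ^ len(provided)      # length mismatch also counts as a difference
    for i in range(len(provided)):
        steps += 1
        diff |= expected[i % len(expected)] ^ provided[i]  # modulo keeps the index in range
    return diff == 0, steps


def verify_token(provided):
    """What production code should call: the standard library's constant-time
    comparison, which exists for exactly this reason."""
    return hmac.compare_digest(SECRET, provided)


def leak_profile(compare, guesses):
    """Step counts a neighbor could observe for a list of guesses."""
    return [compare(SECRET, g)[1] for g in guesses]


if __name__ == "__main__":
    guesses = [b"x-----------", b"s3cr3t-tokeX"]   # constructed: first byte wrong vs last byte wrong
    print("early-exit steps:   ", leak_profile(compare_early_exit, guesses))
    print("constant-work steps:", leak_profile(compare_constant_work, guesses))
```

The early-exit profile reveals how much of the secret a guess got right, while the constant-work profile is flat; the same idea, applied to memory access patterns rather than loop counts, is what constant-time cryptographic implementations provide against the cache-based recovery the experiment above relied on, and it is one of the safeguards a tenant can apply in its own VM regardless of who the neighbors are.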
By picking a competent and conscientious cloud computing provider, you have a better chance of avoiding all these phenomena. The provider should put safeguards in place to prevent such situations and keep the virtual neighborhood safe for you and all your VMs.