I woke up this morning not feeling the greatest. It is hard to know if it is the up and down of the thermometer here in Ontario lately or the petri dish that every modern office has become but once again I am back on Anti-biotics and feeling like my head is in a fish bowl. But when I started looking around the Interwebz for something that caught my eye I noticed an obscure little article about a Cloud SNAFU with a moderately sized Cloud Service Provider DigitalOcean.
In the article over at Wired.com it sites that the low cost alternative to Amazon and Rackspace has not been completely wiping the data of its former customers before reprovisioning the space for new customers. One of DigitalOcean’s customers Kenneth White stumbled across several Gigabytes of data that was not his when “noodling” around with the service. It is bad enough finding email addresses and web links but when you start to get Usernames and Passwords…well that is just not a good thing at all.
Under normal circumstances this is exactly the type of company that would intrigue me. They are leveraging the Ubuntu enabled Elastic Cloud and giving their customers an SSD that ranges from 20GB all the way up to 960GB and multicore processing power. Prices range from $5 per month up to $960 per month which by all accounts is really quite affordable.
The statement from CEO of DigitalOcean Ben Utresky:
The code that wipes the data — that securely deletes the data — was not being activated under the new SSD storage plans
That is cold comfort in this day and age and even though a fix is underway, I fail to understand why a simple format of the partition or drive was not done as part of the decommissioning of a service when a customer decides to leave and before that drive space is reassigned to a new customer!
In 2013, one would think that in the world of Cloud Computing the putting together a simple string of code to wipe a drive would not be that hard to have as part of the practice! Heck…I do it every time I remove a Virtual Drive that I spin up for my OS Sunday and I am the only one using the drive space!!!
In an official statement from the company though, the issue is corrected…but what if this item that should have been standard practice was not being done…what else was and is being missed? In the Terms of Service for DigitalOcean I found this line most interesting:
USER ACKNOWLEDGES THAT THE FEES PAID BY HIM OR HER REFLECT THE ALLOCATION OF RISK SET FORTH IN THIS AGREEMENT AND THAT DigitalOcean WOULD NOT ENTER INTO THIS AGREEMENT WITHOUT THESE LIMITATIONS.
Oh you Cloud Providers…funny how you think that people never read the TOS…well ok most people don’t but still I have to say…Cloud Risk is something that every company should really look at…I am glad I decided to create a Private Cloud for me and my family that can be accessed across the Interwebz…this way if the worst happens…well I can only look to getting my money back from…ME???
Chris J Powell