On June 21, the US FBI seized several racks of computing equipment at a hosting provider. The hosting provider was leasing blades to DigitalOne, a company based in Switzerland.
According to the New York Times, one of DigitalOne’s customers (information about which one has not been released) was allegedly involved in some form of cybercrime. The raid was part of an FBI operation targeting a form of malware, according to the FBI’s press release.
Instapaper, an online service that allows you to save webpages for later reading on other devices, was also a DigitalOne customer, and a server used to host part of the Instapaper service was included in the equipment taken by the FBI. Information about Instapaper customers, including names and email addresses, was on the server that was taken.
A New Risk
This incident highlights a risk of cloud computing that is not present with self-hosted IT infrastructure.
If the company next door to yours is (allegedly) involved in some form of cybercrime, a government agency or police force may, via legal processes, confiscate their IT equipment as evidence. But they will not take yours.
It is virtually impossible for them to accidentally take your customer database server when physically serving a warrant on premises located in a different building.
This is not so in the world of cloud.
DR by Association
Having your servers taken because another customer of your cloud provider is accused of a crime is not something many organisations would think to protect against. Yet the way to protect against this risk is much the same as for any other cause of the same outcome: loss of a server.
A loss could be caused by fault, damage, or theft. To the list of possible agents of this loss we must now add law enforcement, but the result is the same. You must have a disaster recovery strategy that can deal with physical equipment loss. You must also have an information security strategy that can deal with its removal.
Virtualisation is growing, and more and more customer eggs are being placed in the same virtual basket. What if the egg next to yours is rotten?
Right now, it appears that the entire basket will be taken as evidence.
Physical Evidence in a Virtual World
No doubt law enforcement will be forced to adapt to the new world of cloud, but, as with most changes to the law, expect these adaptations to proceed slowly.
How do you preserve evidence when virtual machines could be running anywhere on a bank of 12 racks of blades? Across multiple data-centres? If physical confiscation is the approach taken by law enforcement, what does that mean for systems design?
Designing to provide uptime by avoiding single points of physical failure means more equipment will need to be physically confiscated. How secure is your multi-tenancy if the entire VM cluster is physically taken? How do you isolate the good eggs from the bad?
We shall see more of these cases before we see fewer, and it could be your servers that are confiscated next.
How ready are you to deal with the mistakes of others?