More tenants, more vulnerabilities

Protocol Enterprise

Hello, and welcome to Protocol Enterprise! Today: new findings suggest running software designed for data centers on the cloud might be introducing security vulnerabilities, the state of the server chip market, and stop us if you’ve heard this one: Google Cloud is killing a service.

Not an isolated issue

A few months back, I wrote about the discovery of a series of major vulnerabilities in Microsoft Azure by security researchers, suggesting that tenant isolation in the public cloud — which ensures that each organization's data is cordoned off from everyone else's — may be more in question than we thought.

Now some of those same researchers are saying the issue is not just about Azure.

  • The research team at cloud security vendor Wiz last week released new findings showing that the popular PostgreSQL database — previously shown to have a cross-tenant vulnerability in Azure — has also been found to have tenant-isolation issues in Google Cloud.
  • Wiz head of research Shir Tamari told me that his team demonstrated the ability to gain access to the control plane for Google Cloud's managed PostgreSQL service, which is used to manage customer environments behind the scenes.
  • Because of the architecture of the cloud, an exploit of a tenant isolation vulnerability would be especially dangerous, since it could potentially let an attacker access hundreds or thousands of end customer environments, experts say.

However, the Wiz researchers were not able to demonstrate a break-in to customers' tenants, which makes the issue far less severe than the vulnerability the team previously found in Azure's PostgreSQL service, Tamari said.

  • The Open Cloud Vulnerability & Security Issue Database, which Wiz sponsors, has assigned a "medium" severity rating to the issue, compared to the "critical" rating for the previous Azure vulnerability.
  • Google Cloud took the issue seriously and it's now fixed, Tamari said.
  • In a statement to Protocol, Google Cloud said that "Cloud SQL customers are being automatically updated, and no action is required."
  • Additionally, Google said its security teams "have found no evidence of abuse due to the investments that GCP and Cloud SQL have made in infrastructure security and tenant isolation."

Still, what the findings ultimately show is that "there is a big problem across multiple cloud providers on Postgres — and, we believe, even more than just Postgres," Wiz co-founder and CTO Ami Luttwak told me.

  • The underlying issue is that open-source database projects like PostgreSQL date back decades and weren't designed for multitenant scenarios, Luttwak said.
  • As a consequence, the major cloud platforms are inadvertently introducing vulnerabilities in their modifications to PostgreSQL, he told me. "When you take an open-source database and you make it multi-tenant, it creates risk."
  • The bottom line is that while businesses shouldn't feel the need to steer clear of PostgreSQL or other database services in the cloud, Luttwak said, they should be asking their cloud providers for more details about how tenant isolation is being handled.

— Kyle Alspach

RIP good times

The chip industry is in for a rough few months. After a decidedly mixed earnings season, the signs are growing that the good times are coming very quickly to an end. For this boom-and-bust business, it was only a matter of time.

So, let’s just rip off the Band-Aid: The second quarter saw the largest year-on-year decline in overall CPU shipments in the 28 years Mercury Research has been collecting its data.

In his commentary, Mercury president Dean McCarron noted that the precipitous drop in demand was the result of growing concerns about the economy causing equipment vendors to pull back on their inventory, which in turn hurt CPU sales.

The server market may be weakening, but AMD continued to pick up some steam at Intel’s expense. This was partly reflected in the dismal earnings report from Intel and positive commentary from its smaller rival. AMD has gained share for 13 consecutive quarters, setting a new record for AMD.

The current server chip market share standings: AMD with 13.9% share to Intel’s 86.1%.

McCarron pointed out in his commentary that even though he doesn’t have data from before 1994, he estimated that it’s probably the largest decline since a decade before that, when the PC market was tiny but experienced its first major downturn.

— Max A. Cherney

Around the enterprise

Google Cloud IoT Core is headed for the cloud computing junkyard, more than a year after the company rolled out its Google Enterprise APIs policy designed to shed its “killed by Google” reputation.

As noted last month on Protocol, chip experts believe SMIC’s recent 7-nanometer manufacturing “breakthrough” will require a lot of work to improve yields and print chips at scale before it poses a serious competitive threat to the rest of the industry.

Thanks for reading — see you tomorrow!
