Scrubbing Data a Concern in the Digital Ocean Cloud

What happens to cloud data after a virtual machine is destroyed? One cloud vendor reassesses its policy.

Security is often cited as a top concern for any organization looking to move to the cloud, and it's a concern that is top of mind this week at cloud hosting vendor Digital Ocean.

Developer Jeffrey Paul first raised the issue of data security on Digital Ocean in a GitHub post earlier this week. Paul noted that Digital Ocean was not by default "scrubbing" user data from its hard drives after a virtual machine instance was deleted by a user. The scrubbing process securely removes any and all residual data that is resident on a drive. The risk of not scrubbing the drive is that another user could potentially get access to the data.

The issue only affected users of the Digital Ocean API (application programming interface) who were programmatically creating and destroying new virtual instances (referred to as "droplets" by Digital Ocean).

On Dec. 30, Digital Ocean first publicly admitted that it was at fault and should have been scrubbing its drives for API users. Digital Ocean CEO Moisey Uretsky told eWEEK that his company has now defaulted to scrubbing its hard drives for both Web and API virtual machine destroy requests.

Digital Ocean had been aware of the issue earlier in 2013 and at one point was scrubbing all of its drives after every virtual machine destroy request. However, as Digital Ocean's utilization went up, the company found that the scrubbing activity was degrading performance and decided to make it an option that API users needed to manually activate.

Uretsky told eWEEK that even though the data scrubbing has an impact, it is now a cost that his company will bear.

Digital Ocean grew very quickly in 2013, to at least 7,000 Web-facing servers in June 2013, up from only 100 in December 2012, according to Netcraft. One of the reasons for the rapid rise has been Digital Ocean's aggressive pricing, which starts at $5 for a month of cloud service on a server with 512MB of memory and a 20GB solid-state drive.

Going a step further, Uretsky said Digital Ocean has, as part of its terms of service, a privacy policy in place to not disclose any customer information to any third parties. Cloud providers leaking information to third parties, in particular the U.S. government, has been an issue for the latter half of 2013, thanks to National Security Agency (NSA) whistleblower Edward Snowden.

With security and data integrity always a concern, Digital Ocean is now aiming to reassure its users that their data is safe.

"We are being fully transparent and, based on customer feedback, are implementing changes rapidly," Uretsky said. "All companies have encountered issues at one point or another, and we firmly believe that being open, honest and responsive to customers is the best way to rebuild trust."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.