How your data gets compromised in an IaaS cloud: Vendor tells all

This is a big issue in certain verticals. In my early research for AR I looked into the interaction of HIPAA (an American privacy law for medical information) and cloud hosting. My brief educated layperson's conclusion: sensible default settings at your cloud service of choice almist certainly lead you to be OMGWTF noncompliant. I immediately moved medical providers out of scope, because it looked like there were, minimally, several months of engineer time needed to merit a finding of compliance, plus whatever costs/effort it would take to deal with the lawyers.

I don't understand why a zero wipe isn't sufficient when provisioning the storage. At least for this purpose it would seem to achieve the same result as encryption with much less complexity and no ongoing overhead. AWS takes a long time to provision new EBS storage, does anyone know what's going on there?

FWIW, non-block storage services (like Rackspace Cloud Files and S3) should not be vulnerable to these info leaks. I cannot speak to the S3 backend, but this sort of attack would not be possible with Cloud Files. Of course, the use case is a little different when you don't have access to a block-level device.

Do you guys know what the situation is with GoGrid? I've been using them for about 6 months now but I've not been using encryption. Am I exposed to data leakage in the way you outline in your blog post?