Report: Some cloud providers have "dirty disks"

26.04.2012

Context officials tested cloud service providers Amazon Web Services, Rackspace, VSP.net and Gigenet and found that Rackspace and VSP.net had the vulnerability. Rackspace worked with Context for more than a year to update its system and said it has "fully resolved" the vulnerability and notes that it knows of no customer data being breached. "We have ensured that all data is wiped effectively whenever disk space moves from one customer to the next. And we have cleaned up all fragments of remnant data," a statement from Rackspace reads. VSP.net notified Context that it had patched its system, but provided no additional details. The company did not respond to a request for comment from Network World.

VSP.net uses technology from OnApp to run its cloud platform, and officials with that company say after they were alerted of the issue by VSP.net they created a patch that cloud service providers can choose to install that will automatically zero out all disks after use by a customer. Carlos Rego, chief visionary officer for OnApp, says he has not tracked how many of the company's service provider customers have installed the add-on functionality.

"It looks to me like some providers are trading off security for performance," says Bharath Sridhar, director of cloud infrastructure and technology at Zoho, which has platform-as-a-service and software-as-a-service offerings. Ideally, virtual machines should not be able to access the root disks, but if that security provision is in place, it can slow the performance of the compute system because each disk has to be overwritten and zeroed out as opposed to just writing over the old data. Virtualization and cloud technologies need to mature to allow for better performance while maintaining that security, and the lack of that so far points to the "growing pains" of the industry, Sridhar says.
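The two sides of the problem described above (a tenant checking a freshly attached volume for another customer's remnant data, and a provider zeroing a disk before it is reassigned) can be reduced to a small scan-and-wipe tool. The following is an added example written for this article; it is not code from Context, OnApp, Rackspace or any of the providers named, and the "volume" it operates on is a constructed image file in a temporary directory, with a constructed 32-byte remnant planted in it, rather than a real block device.

```python
import os
import tempfile

CHUNK = 1 << 20  # read/write granularity: 1 MiB

# Constructed sample of "previous tenant" data planted in the test image.
# Deliberately contains no zero bytes so the count below is exact.
REMNANT = b"constructed-tenant-data-sample!!"


def scan_for_remnants(path, chunk_size=CHUNK):
    """Read a block device or image file end to end and report non-zero data.

    Returns (total_bytes, nonzero_bytes, regions). regions is a list of
    (start, end) byte ranges, at chunk granularity, holding at least one
    non-zero byte. A clean, newly provisioned volume should give
    nonzero_bytes == 0 and regions == [].
    """
    total = 0
    nonzero = 0
    regions = []
    zero_chunk = bytes(chunk_size)
    with open(path, "rb", buffering=0) as f:
        while True:
            data = f.read(chunk_size)
            if not data:
                break
            offset = total
            total += len(data)
            # Fast path: an all-zero chunk carries no remnant data.
            if data == zero_chunk[: len(data)]:
                continue
            nonzero += len(data) - data.count(0)
            # Merge with the previous region when the dirty chunks are adjacent.
            if regions and regions[-1][1] == offset:
                regions[-1] = (regions[-1][0], offset + len(data))
            else:
                regions.append((offset, offset + len(data)))
    return total, nonzero, regions


def zero_fill(path, chunk_size=CHUNK):
    """Overwrite the whole device/image with zeros and fsync it.

    This is the provider-side cleanup the article describes: zeroing a disk
    after a customer releases it, before it is handed to the next tenant.
    Returns the number of bytes written.
    """
    written = 0
    zero_chunk = bytes(chunk_size)
    with open(path, "r+b", buffering=0) as f:
        # seek to the end to learn the size; works for block devices too,
        # where os.path.getsize() would report 0.
        size = f.seek(0, os.SEEK_END)
        f.seek(0)
        while written < size:
            n = min(chunk_size, size - written)
            f.write(zero_chunk[:n])
            written += n
        os.fsync(f.fileno())
    return written


def make_constructed_image(path, size=4 * CHUNK):
    """Build a 4 MiB zero image with a constructed remnant in its second MiB."""
    with open(path, "wb") as f:
        f.truncate(size)          # sparse, reads back as all zeros
        f.seek(CHUNK + 100)       # somewhere inside chunk #1
        f.write(REMNANT)


def demo():
    """Scan a dirty image, wipe it, and scan again; returns all three results."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "volume.img")
        make_constructed_image(path)
        before = scan_for_remnants(path)
        wiped = zero_fill(path)
        after = scan_for_remnants(path)
    return before, wiped, after


if __name__ == "__main__":
    before, wiped, after = demo()
    print("before wipe:", before)
    print("bytes zeroed:", wiped)
    print("after wipe: ", after)
```

On a real system the tenant-side check has to run against the raw device (for example the path of a newly attached volume, read with sufficient privilege) before any filesystem is created on it, since formatting writes its own non-zero metadata. The wipe is the simplest form of the "zero out all disks after use" behaviour the article attributes to the OnApp add-on, and its cost is exactly the performance trade-off Sridhar describes: every released disk is read and rewritten in full rather than simply overwritten by the next customer's data.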

He recommends customers have as much knowledge as possible about the complete life cycle of their data in the public cloud, the specific data retention and data management policies of their public cloud providers and what protections there are to segregate the data once it's in the cloud.