A major household IT outsourcer had a vulnerable configuration that could have allowed attackers to access co-location client systems.
The vulnerability was present in its service management tools and was discovered in recent penetration tests.
BAE Systems Detica strategy group director David Owen could not reveal the name of the affected organisation but said the vulnerability was common to several mainstream outsource providers.
"We found that customers could bust into other clients," he said. "The problem for customers is when they move from pure dedicated hosting to [colocation] and there is poor separation between clients."
The discovery was just one of many similar vulnerabilities found in cloud environments. Flaws could also be introduced by insecure users, as a team at the Center for Advanced Security Research Darmstadt discovered when they accessed critical data including passwords and cryptographic keys over Amazon Web Services.
Owen said providers faced a challenge in that they needed to mitigate security risks from their own suppliers, including identifying which of those provided equipment from which attackers could access data in the cloud.
Vendors must consider what was acceptable to customers when planning their risk assessments. At present, most vendor assessments were simplistic black box tests that ignored client risk tolerance and the impact that a breach may have on them, Owen said.
"The model now is a black box. It's a question of controls design and execution of controls. Ownership of risk is with the client, not the provider."
"When you think of past data breaches, you remember the name of the customers, not the provider."
Last year Detica faced 339 "very sophisticated attacks" of its own directed against its networks. Some 92,000 less serious attempts were made, managing director Martin Sutherland told BBC radio. (mp3)
He said attackers sought data on valuable projects the defence contractor was engaged with.