CYBERSECURITY: Cloud Server Leasing Can Leave Sensitive Data Up for Grabs

Published 21 April 2022

Renting space and IP addresses on a public server has become standard business practice, but according to computer scientists, current industry practices can lead to “cloud squatting,” which can create a security risk, endangering sensitive customer and organization data intended to remain private. New research provides solutions for companies and cloud-service providers to help minimize security risks.

Renting space and IP addresses on a public server has become standard business practice, but according to a team of Penn State computer scientists, current industry practices can lead to “cloud squatting,” which can create a security risk, endangering sensitive customer and organization data intended to remain private. 

Cloud squatting occurs when a company, such as a bank, leases space and IP addresses (unique addresses that identify individual computers or computer networks) on a public server, uses them, and then releases the space and addresses back to the public server company, a standard pattern seen every day. The public server company, such as Amazon, Google, or Microsoft, then assigns the same addresses to a second company. If this second company is a bad actor, it can receive information coming into the address that was intended for the original company (for example, when you as a customer unknowingly use an outdated link when interacting with your bank) and use that information to its advantage. That is cloud squatting.

“There are two advantages to leasing server space,” said Eric Pauley, doctoral candidate in computer science and engineering. “One is a cost advantage, saving on equipment and management. The other is scalability. Leasing server space offers an unlimited pool of computing resources so, as workload changes, companies can quickly adapt.” As a result, the use of clouds has grown exponentially, meaning almost every website a user visits takes advantage of cloud computing.

While the Penn State researchers suspected cloud squatting was possible, they designed an experiment to determine if cloud tenants were vulnerable and to quantify the extent of the problem. The researchers set up a series of cloud server rentals from Amazon Web Services in its us-east-1 region, the region that serves the East Coast of the U.S. They rented server space for 10-minute intervals, received information sent to the address intended for previous tenants and then moved to another server location, repeating the process. They did not ask for any data, nor did they send out any data. Whatever unsolicited data they received was potentially intended for previous tenants.

For example, if a mobile banking company rented server space, they would receive an IP address from the public cloud-services company. After they relinquished that server space and IP address, the next tenant of that space could receive any personal financial data sent by the bank’s customer to the IP address.
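For a tenant, the exposure described above comes down to references that still point at an address after it has been released. The following is an added example, not code from the researchers or the article: a small audit that compares a lease history against the references an organization still publishes. The record format, the host names and all sample data are constructed assumptions, and the addresses come from the reserved documentation ranges.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import Optional

@dataclass(frozen=True)
class Lease:
    ip: str
    released_at: Optional[datetime]  # None means the address is still leased to us

@dataclass(frozen=True)
class Reference:
    name: str    # hypothetical label: a DNS record, a client config entry, a link
    target: str  # the IP address that reference still points at

def find_stale_references(leases, references, now):
    """Return (name, ip, days_exposed) for references to addresses we no longer hold.

    days_exposed is None when the address never appears in the lease history,
    which also needs review because control of it cannot be shown.
    """
    held, released = set(), {}
    for lease in leases:
        ip = ip_address(lease.ip)
        if lease.released_at is None:
            held.add(ip)
        else:  # keep the most recent release time for this address
            released[ip] = max(released.get(ip, lease.released_at), lease.released_at)
    findings = []
    for ref in references:
        ip = ip_address(ref.target)
        if ip in held:  # currently ours (possibly re-leased): not exposed
            continue
        days = (now - released[ip]).days if ip in released else None
        findings.append((ref.name, str(ip), days))
    return findings

# Constructed sample data (not taken from the study).
NOW = datetime(2022, 4, 21, tzinfo=timezone.utc)
LEASES = [
    Lease("203.0.113.10", None),
    Lease("203.0.113.25", datetime(2022, 3, 22, tzinfo=timezone.utc)),
    Lease("198.51.100.7", datetime(2022, 1, 1, tzinfo=timezone.utc)),
    Lease("198.51.100.7", None),  # released once, then leased again
]
REFERENCES = [
    Reference("api.bank.example", "203.0.113.10"),
    Reference("mobile-v1.bank.example", "203.0.113.25"),
    Reference("batch.bank.example", "198.51.100.7"),
    Reference("legacy.bank.example", "192.0.2.44"),
]
```

Calling find_stale_references(LEASES, REFERENCES, NOW) reports the reference to the released address with the number of days it has been exposed, and the reference to an address that was never in the inventory.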