Featured Product
This Week in Quality Digest Live
Risk Management Features
Naresh Pandit
Enter the custom recovery plan
Anton Ovchinnikov
In competitive environments, operational innovation could well be the answer to inventory risk
Kari Miller
An effective strategy requires recruiting qualified personnel familiar with the process and technology
Sarah Schiffling
But supply chains will get worse before they get better
William A. Levinson
People can draw the wrong conclusions due to survivor, survey, and bad news bias.

More Features

Risk Management News
Three webinars to increase participation and understanding within the world of quality assurance
Partnership bolsters defense against growing cybersecurity risks
It is a smart way to eliminate waste and maximize value
An early warning system lets Arctic people know when bears approach
ISO 21434 automotive cybersecurity and implementing design and process FMEAs
Implementing a SIOP process can smooth supply spikes while improving cash flow and increasing profitability
Does your business’ security match up with competitors?
Prior to vote, IAF seeks industry feedback to understand the level of demand from businesses and regulators.
The acquisition targets the rapidly widening gap between quality data creation and leverage

More News

Eric Pauley

Risk Management

Mismanaged Cloud Services Put User Data at Risk

IP addresses change hands as often as every 30 minutes as organizations change the services they use

Published: Tuesday, April 26, 2022 - 12:02

Organizations’ failure to properly manage the servers they lease from cloud service providers can allow attackers to receive private data, as research my colleagues and I conducted has shown.

Cloud computing allows businesses to lease servers the same way they lease office space. It’s easier for companies to build and maintain mobile apps and websites when they don’t have to worry about owning and managing servers. But this way of hosting services raises security concerns.

Each cloud server has a unique IP address that allows users to connect online and send data. After an organization no longer needs this address, it’s given to another customer of the service provider, perhaps one with malicious intent. IP addresses change hands as often as every 30 minutes as organizations change the services they use.

When organizations stop using a cloud server but fail to remove references to the IP address from their systems, users can continue to send data to this address, thinking they are talking to the original service. Because they trust the service that previously used the address, user devices automatically send sensitive information such as GPS location, financial data, and browsing history.

An attacker can take advantage of this by “squatting” on the cloud: claiming IP addresses to try to receive traffic intended for other organizations. The rapid turnover of IP addresses leaves little time to identify and correct the issue before attackers start receiving data. Once the attacker controls the address, they can continue to receive data until the organization discovers and corrects the issue.

Our study of a small fraction of cloud IP addresses found thousands of businesses that were potentially leaking user data, including data from mobile apps and advertising trackers. These apps initially intended to share personal data with businesses and advertisers, but instead leaked data to whoever controlled the IP address. Anyone with a cloud account could collect the same data from vulnerable organizations.

Why it matters

Smartphone users share personal data with businesses through the apps they install. In a recent survey, researchers found that half of smartphone users were comfortable sharing their locations through smartphone apps. But the personal information users share through these apps could be used to steal their identity or hurt their reputation.

Personal data have seen increasing regulation in recent years, and users may be content to trust the businesses they interact with to follow those regulations and respect their privacy. But these regulations may not sufficiently protect users. Our research shows that even when companies intend to use data responsibly, poor security practices can leave that data up for grabs.

Users should know that when they share their private or personal data with companies, they are also exposed to the security practices of those companies. They can take steps to reduce this exposure by reducing how much data they share and with how many organizations they share it.

What other research is being done in this field

Academics and industry are focusing on responsible collection of user data. A recent push by Google aims to reduce collection of users’ personal data by mobile advertisements, ensuring that their security and privacy are protected.

At the same time, researchers are working to better explain what applications do with the data they collect. This work aims to ensure that the data users share with applications are used how they expect by matching permission prompts with how the apps actually behave.

What’s next

We’re conducting research into new technologies on smartphones and devices to ensure they protect user data. For instance, research led by a colleague of mine describes an approach to protect personal data collected by smart cameras. Our vantage point on traffic in the public cloud is also enabling new studies of the internet as a whole. We are continuing to work with cloud providers to ensure that user data stored on the cloud are secure, and we’re introducing techniques to prevent businesses and their customers from being victimized on the cloud.The Conversation

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Discuss

About The Author

Eric Pauley’s picture

Eric Pauley

Eric Pauley is a research fellow and Ph.D. candidate in computer science and engineering at Pennsylvania State University.