The availability of large pools of very low cost storage and connectivity in “public clouds” — particularly at Amazon Web Services, Google Compute Engine and Microsoft Azure — has attracted a lot of attention, and plenty of small and medium-size businesses are thinking about moving there or have already moved at least part of their IT infrastructure there. Even some pretty big organizations are migrating parts of their technology platform to the public cloud, creating “hybrid” models.
As almost always happens when a new wave of technology gets widely and rapidly deployed, both good and not-so-good businesses are taking advantage of all that low-cost computing power. There are plenty of not-so-great business models (spam, click fraud, pump-and-dump stock brokers, Ponzi schemes, illegal multi-level marketing plays and so on) that benefit just as much from a low-cost infrastructure as do genuine businesses. Because of the way the public cloud works — it’s generally a “multi-tenant” model for the lowest cost of service — a company might end up with any one or more of these “bad” folks as its immediate “neighbors.” In theory, that shouldn’t matter — “isolation” in a multi-tenant model should guarantee that no mixing or even snooping is possible. And generally, inside the public cloud, that works just fine.
Seen from the outside, however, things can get a little more complex. To find your company, your customers and prospects have to know your address within the cloud — usually in the form of the ubiquitous “URL” we have all come to know. Under the hood, however, that string of characters gets translated into a unique “IP address.” Unfortunately, most of the internet uses a form of IP address (called IPv4) that probably looked like it would give us all enough unique addresses when originally designed, but doesn’t provide nearly enough today.
John Parkinson 2017 Tech
To make matters worse, addresses are handed out to internet service providers in large blocks that aren’t easily sharable between ISPs. So addresses aren’t all permanently assigned (called a static IP address) to a user in the cloud. Mostly they’re “leased” out for a period and then reused — assigned dynamically. Once you’re done with an address it can get assigned to someone else, and you have no control over who gets it. A clever system called DNS (Domain Name Services) keeps track of all this so the URL you “own” always (well, nearly always) finds the right place in the cloud.
Companies can always pay extra for a static IP address of course, but the whole point of using a public cloud is to keep costs low, so most users don’t want to do that. Eventually all of the Internet will change over to a new IP address format (IPv6) and we will have more than enough addresses to go around. Until then we’ll have a problem and will need a lot of workarounds, some of which cause potential problems when the bad guys move in next door.
First of all, all that bad behavior on the web (behavior which predates public clouds by several decades) has created a broad and diverse industry to try to prevent or at least minimize the impact of the bad behavior. Much of this defense involves keeping track of where the badness originates and blocking (“blacklisting,” in tech-speak) those sources, so that traffic from them never gets anywhere it can do harm. That’s where the IP address of the source becomes important.
As we have seen, those addresses often change dynamically, especially in the public cloud environment. So it’s not always possible to get to a consistent specific address for a bad actor. Instead, trying to do their best to be helpful to the majority, the defenders block all the addresses in a block. They try to do this to the smallest block of addresses they can, but if your company is currently (or recently or even occasionally) on the same block, it can get blocked too. It can also get assigned (dynamically, remember) an address recently used by a bad actor and already blacklisted.
And that’s becoming a pretty common problem.
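The two failure modes described above (being caught by a listing on the surrounding block, and inheriting an address that is itself listed) can be checked for with a short script. This is an added example, not part of the original article: the blocklist entries are constructed from documentation address ranges, `dnsbl.example` is a placeholder zone, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample listings (RFC 5737 documentation ranges), not real data.
BLOCKLIST = [
    ("198.51.100.0/24", "spam source seen somewhere in this range"),
    ("203.0.113.64/26", "click-fraud traffic from this range"),
    ("203.0.113.77/32", "single abusive host"),
]

def listings_for(addr, blocklist=BLOCKLIST):
    """Return every listing that covers addr, most specific block first."""
    ip = ipaddress.ip_address(addr)
    hits = []
    for cidr, reason in blocklist:
        net = ipaddress.ip_network(cidr)
        if ip.version == net.version and ip in net:
            hits.append((net, reason))
    return sorted(hits, key=lambda h: h[0].prefixlen, reverse=True)

def classify(addr, blocklist=BLOCKLIST):
    """Distinguish an inherited host listing from a listing on the whole block."""
    hits = listings_for(addr, blocklist)
    if not hits:
        return "clean"
    most_specific = hits[0][0]
    if most_specific.prefixlen == most_specific.max_prefixlen:
        return "listed-directly"        # this exact address is on the list
    return "listed-by-neighborhood"     # only the surrounding block is listed

def dnsbl_query_name(addr, zone="dnsbl.example"):
    """Name a DNS-based blocklist lookup resolves: reversed octets plus the zone."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def audit(addresses, blocklist=BLOCKLIST):
    """Map each address currently assigned to you to its listing status."""
    return {a: classify(a, blocklist) for a in addresses}

if __name__ == "__main__":
    for addr, status in audit(["198.51.100.23", "203.0.113.77", "192.0.2.10"]).items():
        print(addr, status, dnsbl_query_name(addr))
```

Running a check like this each time the provider assigns a new address shows whether a lockout comes from the address itself or from the block around it, which determines what to ask for in a delisting appeal.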
Of course, the company can appeal to whoever put it on a blacklist – and if it can prove it’s a “good guy,” that should work. But it takes time and the company could have disappeared from the rest of the world until it’s reinstated.
Ideally, the public cloud providers would do a better job of identifying and blocking the bad actors. They do work with the listing organizations to weed out the most egregious behaviors, but it really isn’t that easy to spot everyone and take action quickly, and the entire business model is based on attracting lots of users to the public cloud. Accelerating the deployment of IPv6 and assigning permanent IP addresses at no additional cost would help too (although IPv6 gets assigned to ISPs in blocks too, so it’s not a perfect solution). But the transition has already been going on for years, is complex and costly, and it will likely be years more before it’s done.
In the meantime, consider a static IP address in a “good” neighborhood and if you can’t afford it, watch out for unexpected lockouts.
John Parkinson is an affiliate partner at Waterstone Management Group in Chicago. He has been a global business and technology executive and a strategist for more than 35 years.