
'Spectre' & 'Meltdown' – What Cloud Users Need to Know

Mitch Wagner
1/8/2018

For enterprise cloud users worried about Spectre and Meltdown, there's good news and bad news. The good news is that cloud users don't have any special vulnerabilities compared with their legacy and consumer counterparts.

The bad news is that the cloud doesn't provide any special protections either.

And cloud applications face special challenges due to the nature of how they operate and are consumed.

News of the Spectre and Meltdown threats broke last week. These are separate, but similar, vulnerabilities. Meltdown affects nearly every Intel processor made since 1995, and Spectre affects Intel Corp. (Nasdaq: INTC), Advanced Micro Devices Inc. (NYSE: AMD) and ARM Ltd. processors, according to a web page posted by the researchers who discovered the vulnerabilities. The vulnerabilities can allow an attacker to read any information stored in memory, including passwords, proprietary business data and confidential user information. (See New Intel Vulnerability Hits Almost Everyone and Intel Chip Vulnerability Sends Cloud Providers Into Patching Overdrive.)

At least three billion chips have the Spectre security hole, the more widespread of the vulnerabilities, according to a report on MIT Technology Review. That includes all Apple Mac and iOS products, with the exception of the Apple Watch, for a total of a billion or so devices. Android devices number more than two billion, and the security flaw could affect about 500 million of those. (See Intel: We've Patched Most Chips for 'Spectre' & 'Meltdown'.)

On the PC and server side, Intel and AMD account for more than a billion chips. Smaller chipmakers, such as IBM Corp. (NYSE: IBM), say some of their chips are affected as well.

Chip and software vendors are rolling out patches, but these only mitigate the problem. The ultimate cure will be replacing the affected systems.

Until then, users need to install patches on on-premises systems, and stay on top of their cloud providers to ensure those services are patching their systems as well.
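One way to confirm that a Linux server or cloud instance has actually picked up the kernel-side patches is sketched below. It is an added example, not part of the original article, and it assumes a kernel that reports mitigation status under /sys/devices/system/cpu/vulnerabilities; the function names and the sample directory contents are constructed for illustration.

```python
"""Report kernel-side Spectre/Meltdown mitigation status on a Linux host."""
import os
import tempfile

# Assumption: the kernel exposes per-issue status files in this directory.
# Kernels that predate this reporting do not have it at all.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")

def classify(text):
    """Map one status line to OK / MITIGATED / VULNERABLE / UNKNOWN."""
    status = text.strip()
    if status == "Not affected":
        return "OK"
    if status.startswith("Mitigation:"):
        return "MITIGATED"
    if status.startswith("Vulnerable"):
        return "VULNERABLE"
    return "UNKNOWN"

def audit(sysfs_dir=SYSFS_DIR):
    """Return {issue: (verdict, raw_status)}; a missing file is UNKNOWN."""
    report = {}
    for name in CHECKS:
        try:
            with open(os.path.join(sysfs_dir, name), errors="replace") as fh:
                raw = fh.read().strip()
        except OSError:
            # No report usually means an unpatched or very old kernel.
            report[name] = ("UNKNOWN", "no kernel report")
            continue
        report[name] = (classify(raw), raw)
    return report

def needs_patching(report):
    """Issues to follow up on: anything not explicitly OK or MITIGATED."""
    return sorted(n for n, (verdict, _) in report.items()
                  if verdict not in ("OK", "MITIGATED"))

def demo():
    """Audit a constructed directory (sample values, spectre_v2 missing)."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"meltdown": "Mitigation: PTI\n", "spectre_v1": "Vulnerable\n"}
        for name, text in samples.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return audit(d)

if __name__ == "__main__":
    for issue, (verdict, raw) in audit().items():
        print(f"{issue:12} {verdict:10} {raw}")
```

Inside a cloud VM this reflects only the guest kernel; whether the provider has patched the underlying hosts still has to be confirmed with the provider.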

"This is no different than bugs that come out every year. This just means you have to stay on top of the game. You have to patch," Manoj "Marty" Puranik, president and CEO of cloud hosting provider Atlantic.net, tells Enterprise Cloud News.




Browsers are a particular concern to cloud users, because cloud applications are frequently consumed through the browser. An attacker wanting to take advantage of the Spectre vulnerability needs to run code on a victim's computer, and a good way to do that is to post JavaScript to a website and then trick the user into visiting the site, through a phishing email or other subterfuge.

Google (Nasdaq: GOOG) recommends that Chrome users protect themselves by turning on site isolation in the browser. The extra security helps stop a website from stealing data from another website, Google says. Chrome's JavaScript engine, V8, will include mitigations starting with Chrome 64, to be released on or around January 23, and future Chrome releases will "include additional mitigations and hardening measures which will further reduce the impact of this class of attack," Google says.

Microsoft Corp. (Nasdaq: MSFT) has already issued security updates which protect Microsoft Edge and Internet Explorer 11. Mozilla includes mitigations in beta and developer editions of Firefox. And Apple Inc. (Nasdaq: AAPL) said Friday it expects to release an update to Safari protecting against Spectre within days.

Do patches slow down performance?
Early reports said that mitigating the vulnerabilities would slow performance drastically. Slowdowns would be up to 20% according to Red Hat, and 5-30% according to The Register.

But Google says the worst results come from unusual compute loads. Some of the tests demonstrating significant performance problems "focus solely on making API calls to the operating system, which does not represent the real-world scenario that customer software will encounter," the company said in a blog post Friday.
