Blog post

Meltdown and Spectre vulnerabilities: CDN Provider updates

By Ted Chamberlin | January 09, 2018 | 0 Comments

No doubt most of us in IT were not overly psyched to hear about this newest, wide ranging exploits on most modern CPUs.  I look at this in two ways; since it literally effects literallly every device we all own, their will inevitably be some fall out and “speculative execution” of sensitive memory sniffed unbeknownst to all of us. You can either:

  1. Freek out and revert to pad, pencils and sneaker net.
  2. Empower yourself with knowledge to understand what is going on.

At Gartner I cover public cloud, colocation, hosting and CDN providers all of which have varying degrees of exposure to both of the vulnerabilities. As I speak to different sgements of providers, I will give updates.  Here is some updates from a few CDN providers:

  • Akamai–  Good blog post delving into their exposure:https://blogs.akamai.com/2018/01/impact-of-meltdown-and-spectre-on-akamai.html . In a nutshell, their edge nodes do not have the same exposure to client executed code that a public cloud provider does and therefore, there exposure is not as direct as other providers that deliver compute as a service. Akamai however, does own the world largest distributed CDN network and patching and keep systems up to date has been a challenge for them. All in all, the appear to have reasonable plan of protection.
  • Cloudflare– Interestingly entertaining blog post written by their CTO John Grahm-Cumming https://blog.cloudflare.com/meltdown-spectre-non-technical/. Lots of graphics and a good story for those of us not in the deep propeller hat set. They also link to two technical briefs on both meltdown https://meltdownattack.com/meltdown.pdf and spectre https://spectreattack.com/spectre.pdf.  They provide more of a public service announcements then what steps they are taking with their clients. Needless to say, Cloudflare has a strong reputation in defense in depth so I believe they are secure.
  • Fastly–  Performed due diligence with their security and engineering teams and concluded that their exists no risk to Fastly customers. I believe that it would take some intimate knowledge of VCL to breech and effect thier edge nodes. No customer remediation need currently be undertaken
  • Limelight- Similar to Fastly, Limelight as investigated and believes it poses no issues with their client base. They do own their own backbone and do not use any third parties for operations so they retain solid command and control.

This situation reminds me that distributed architectures will always pose a great challenge to monitor and secure but  governance, operational rigor and trust but verify security can be a sweet elixir.

I will post other updates when I have them.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Leave a Comment