No doubt most of us in IT were not overly psyched to hear about this newest, wide ranging exploits on most modern CPUs. I look at this in two ways; since it literally effects literallly every device we all own, their will inevitably be some fall out and “speculative execution” of sensitive memory sniffed unbeknownst to all of us. You can either:
- Freek out and revert to pad, pencils and sneaker net.
- Empower yourself with knowledge to understand what is going on.
At Gartner I cover public cloud, colocation, hosting and CDN providers all of which have varying degrees of exposure to both of the vulnerabilities. As I speak to different sgements of providers, I will give updates. Here is some updates from a few CDN providers:
- Akamai– Good blog post delving into their exposure:https://blogs.akamai.com/2018/01/impact-of-meltdown-and-spectre-on-akamai.html . In a nutshell, their edge nodes do not have the same exposure to client executed code that a public cloud provider does and therefore, there exposure is not as direct as other providers that deliver compute as a service. Akamai however, does own the world largest distributed CDN network and patching and keep systems up to date has been a challenge for them. All in all, the appear to have reasonable plan of protection.
- Cloudflare– Interestingly entertaining blog post written by their CTO John Grahm-Cumming https://blog.cloudflare.com/meltdown-spectre-non-technical/. Lots of graphics and a good story for those of us not in the deep propeller hat set. They also link to two technical briefs on both meltdown https://meltdownattack.com/meltdown.pdf and spectre https://spectreattack.com/spectre.pdf. They provide more of a public service announcements then what steps they are taking with their clients. Needless to say, Cloudflare has a strong reputation in defense in depth so I believe they are secure.
- Fastly– Performed due diligence with their security and engineering teams and concluded that their exists no risk to Fastly customers. I believe that it would take some intimate knowledge of VCL to breech and effect thier edge nodes. No customer remediation need currently be undertaken
- Limelight- Similar to Fastly, Limelight as investigated and believes it poses no issues with their client base. They do own their own backbone and do not use any third parties for operations so they retain solid command and control.
This situation reminds me that distributed architectures will always pose a great challenge to monitor and secure but governance, operational rigor and trust but verify security can be a sweet elixir.
I will post other updates when I have them.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.