Confidence not collapse?
As businesses and organisations await the release and probable implications of patches and fixes for the Spectre and Meltdown bugs, XQ Cyber Director Andy Rees suggests that the discovery of the bugs has raised some questions about the security of the cloud, but adds that if some simple steps are taken the threat can be reduced.
Research published in January revealed that virtually every computer chip manufactured over the past 20 years contains serious security flaws.
Dubbed Spectre and Meltdown, the bugs could be used to abuse some of the techniques processors use to speed up their operations and could potentially allow unprivileged code to read data it should not be able to.
Fortunately, due to the complexity of the bugs it is unlikely that they have been exploited.
“The impacts of the issue; both the security implications and the slowdown of PCs as a result of the patches introduced to fix them are likely to be short-lived and, like Heartbleed, I don’t think there will be widespread, automated, exploitation due to the inconsistency in the value of the results. What won’t be short-lived, however, are the implications the discovery will have had on people’s confidence. The real issue is that in high assurance cloud environments a Rubicon has been crossed. Everyone has tacitly accepted for many years that it may be possible to break out of virtual instances into other virtual instances but this is one of the very first times that it has been practically proven at scale.
“It’s a bit like Pandora’s box: it’s fine to keep it shut in the corner of the room and while its presence is known it’s not all that scary because it’s stayed shut.
The issue with opening it, like Meltdown and Spectre have done, is infinitely more about the fact that it is hard to be confident in a platform if there is even the smallest of chances that further issues of the type identified exist,” says Andy.
With this attack moving from the once theoretical realm and into reality some may rightly become concerned over the security of the high assurance cloud.
Despite this, we cannot just throw up our hands and run for the hills. We are all too invested, both financially and intellectually, in using cloud services. Instead, we need to: