Meltdown and Spectre: Are the skies darkening for cloud based services?

January 12, 2018 | Bonafidee Cybercrime and fraud 

News has quickly spread that two security flaws named Meltdown and Spectre have been identified in a number of the world’s computer processors designed by Intel, AMD and ARM. These flaws could allow hackers to access sensitive data including passwords, banking information, personal photos, emails or business-critical documents.

The two vulnerabilities combined make the threat a major concern affecting potentially every computer, server and smartphone. Although there is no evidence that either vulnerability has been exploited yet, organisations need to act quickly to update their systems to protect their sensitive data.

Important security patches are currently being rolled out to prevent attackers and these should be installed quickly. However, these could also impact system performance and should be tested before being applied as they could have a detrimental effect on organisations, particularly those using cloud services. Major public cloud providers have issued guidance for customers on how to protect against the flaws and claim the first round of patches have already been installed. However, this raises vital questions. What about organisations that don’t have large IT budgets and are therefore not in a position to act as quickly? Isn’t the cloud more vulnerable because it is shared?

Experts believe that the attacks will hit more powerfully in the cloud due to customers sharing the same underlying servers and software, increasing the risk of potential attacks between customers. Once data is uploaded into the cloud organisations have no control over who shares the same infrastructure, putting them at risk. The vulnerabilities may allow unintended access to confidential data stored on the same platform. Bonafidee takes data security more seriously than organisations who elect to share resources with other unknown third parties in the cloud and precisely for this reason chooses to store its’ customer data on dedicated private servers, mitigating this vulnerability.

Russell Brandom, Journalist at The Verge writes in his article ‘The CPU catastrophe will hit hardest in the cloud’:

The focus so far has been on personal devices, with a flood of patches already available this morning, but many experts think the most severe damage is likely to come when the exploits are turned on cloud services. “These vulnerabilities will allow one tenant to peer into the data of another co-hosted tenant,” says Mounir Hahad, the Head of Threat Research at Juniper Networks. “This is the reason many organizations steer clear of hosted services when it comes to processing sensitive information”.

So what does this mean for organisations and their sensitive data? Undoubtedly security measures need to be increased to elevate trust in cloud computing but it’s difficult to see how the risk of sharing computing resources with potentially nefarious organisations will go away. Undoubtedly the cloud is a target for hackers due to the vast amount of sensitive information being held.

Andrew Smith, Bonafidee’s Information Security Officer says “Bonafidee choose to store all data on our own managed dedicated infrastructure in IL3/4 rated data centres in the UK. This decision not only allows us to know where exactly geographically our data is but who has access to it. It also allows us to intensively test any patches prior to release on a live environment to ensure they don’t affect application in terms of performance or functionality. This is an advantage over a cloud based environment as Bonafidee has complete control and visibility over all aspects of their server environment. We take these precautions to ensure that Bonafidee can offer our clients greater protection for their sensitive data.”

In light of the recent security flaws and with the General Data Protection Regulation (GDPR) imminent, it is crucial organisations think carefully about how and where their sensitive data is stored. The two security flaws Meltdown and Spectre have proven to be the greatest test yet of the public cloud - is this a one-off event?  It is impossible to say that it won’t happen again and when, no one can say.