Spectre & Meltdown – Know Your Neighbour

The principle of encryption in Cloud is that no matter how good the encryption you are running is, you have to trust the person running your server. When an application starts it loads the keys required to encrypt and decrypt data (as well as other sensitive security information) into memory. Therefore, the owner of the server where your application runs can access that data (via memory snapshotting/kernel dumps, etc). At the time the purpose of this was to educate people on choosing hosting platforms that are run by reputable parties. Running your Cloud VM on a Russian server might not seem a great idea right now, for example.

The latest announcements about Spectre & Meltdown have hit the IT industry pretty hard. Nobody is really exempt from their grasp. This includes major vendors such as AWS & Google. Both companies have done a great job of protecting their customers once the threat was identified. However, a rather frightening thought for anyone running sensitive workloads on a completely public Cloud is that other virtual machines running on the same physical server may already be scanning for other vulnerabilities like these. For years we have been conditioned to trust the Hypervisor to securely separate us from other workloads running alongside ours and as our confidence has grown, so has our adoption of virtualisation and cloud.

The benefits of virtualisation and Cloud far outstrip the risks from other vulnerabilities like these and I am certainly not suggesting that we go back to filling datacenters with our own x86 servers or building private Clouds willy nilly. However, we should certainly be thinking about choosing an appropriately safe place for our data. Am I comfortable with my medical record sitting on a server that literally anyone in the world could be running pretty much any software in the world on? Perhaps not…

UKCloud specialise in serving only the UK public sector. When our customers store data on our platforms they are assured that the only other users of the system are similar organisations running other workloads which benefit UK citizens. There are no suspicious neighbours. Think of it as a gated community with a friendly but thorough vetting service.

I’m not sure how many similar Cloud Platforms exist for other communities but wouldn’t it be great if financial services, legal and other organisations who hold sensitive data about us had somewhere to benefit from true cloud economics and technology with no nosy neighbours?

Tim Lawrence

With over 15 years’ experience working with software vendors and service providers and 7 years in Cloud, Tim believes that consistently putting the customer first drives business success. He is a strong proponent for modern digital techniques including DevOps, CI / CD, Infrastructure as Code, Containerisation and is an Open Source evangelist.


Post A Comment