Are Meltdown and Spectre Security Threats to SaaS Companies Like Spanning?

Everyone is talking about Meltdown and Spectre, and for good reason. Here’s what you need to know about your data protected by Spanning Backup, by our Principal Security Engineer Brian Rutledge. 

 


What are Meltdown & Spectre?

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

Much more detailed information is located here: https://spectreattack.com/

SaaS providers are at risk as well, because their applications and supporting servers are virtualized on top of host computing technology that is also at risk.

So what does that mean for customers of Spanning, a leading SaaS backup provider? The situation is still developing, but Spanning is proactively working to ensure customer data is protected. The following outlines our current efforts to remediate our systems and work with Amazon Web Services (AWS) to make sure we’re tackling this issue from all fronts.

Who is impacted by Meltdown & Spectre?

Almost everyone is at risk. No matter what brand of CPU architecture/provider you use, you are almost certainly impacted. Virtual machines, on-premises servers/workstations/laptops, and even mobile phones are affected.

Am I at risk?

Even though these vulnerabilities have been published, there is no evidence that they are being actively exploited by malicious individuals, and log data is not available because the vulnerabilities sit at the processor level.

Are there patches available yet?

Current information about known patches can be found here.

How is Spanning protecting customer data and what steps are being taken at Spanning right now?

Spanning is working with our technology partners and internal engineers to continue to protect customer data and internal systems. Spanning has confirmed with AWS, our hosting provider, that they have already remediated their hypervisor systems as a primary line of defense, so that they continue to provide the safest possible environment for their customers and data. We have seen, and in the coming days and weeks will continue to see, more remedial patches coming from vendors. Spanning already has a robust patching process and will be adding an out-of-band cycle to address these vulnerabilities. As these patches and updates are made available, Spanning will test and deploy them appropriately. This will happen seamlessly and without any loss of availability of Spanning Backup for our customers.

If you have questions or concerns, please email me at brian.rutledge@spanning.com or your Spanning Customer Success Manager.




This is a Security Bloggers Network syndicated blog post authored by Brian Rutledge. Read the original post at: Spanning