Are Meltdown and Spectre Security Threats to SaaS Companies Like Spanning?
Everyone is talking about Meltdown and Spectre, and for good reason. SaaS providers are at risk, but we have your back. Here’s what you need to know about your data protected by Spanning Backup, from our Principal Security Engineer, Brian Rutledge.
What are Meltdown & Spectre?
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
SaaS providers are at risk as well, because their applications and supporting servers are virtualized on top of host computing technology.
Much more detailed information is located here: https://spectreattack.com/
Who is impacted by Meltdown & Spectre?
Almost everyone is at risk. No matter what brand of CPU architecture/provider you use, you are almost certainly impacted. Virtual machines, on-premises servers/workstations/laptops, and even mobile phones are affected.
Am I at risk?
Even though these vulnerabilities have been published, there is no evidence that they are being actively exploited by malicious individuals, and log data is not available because the vulnerabilities exist at the processor level.
Are there patches available yet?
Current information about known patches can be found here.
How is Spanning protecting customer data and what steps are being taken at Spanning right now?
Spanning is proactively working to ensure customer data is protected. The following outlines our current efforts to remediate our systems and work with Amazon Web Services (AWS), our hosting solution, to make sure we’re tackling this issue on all fronts.
- We have confirmed with AWS that they have already remediated their hypervisor systems as a primary line of defense to continue to provide the safest possible environment for its customers and data.
- Spanning has a robust and SOC2 audited patch process that keeps our production servers patched on a regular basis. Given the severity of these exploits, we have started an out-of-band cycle to further harden our applications against these vulnerabilities.
- As patches/updates are made available, Spanning will test and deploy them appropriately. This will happen seamlessly and without any loss of availability of Spanning Backup for our customers.