Murray Leach, CTO of Invosys, explains how technology resellers can protect themselves and their customers from Meltdown
The recent discovery of a design flaw in Intel and AMD central processing units (CPUs) sent the business community into panic mode – understandably, as the vulnerability, which enables hackers to infiltrate systems without detection, affects almost all computers, including desktops, laptops, mobile devices and, most importantly, servers. Any company that utilises cloud-based solutions to store and process data is especially at risk, as the scale of hosted systems and their greater potential for disruption make them attractive targets for hackers.
The Meltdown flaw is a major global security issue that every business (and reseller) will need to address at some point.
While systems and platforms continue to work as before, the temptation simply to see things out and do nothing is strong. What technology resellers must understand, however, is that doing nothing is akin to leaving the back door of your home wide open and going out for the evening. The difficulty for resellers is that while they are exposed to risk, they don’t have the ability to make changes directly, as most of the major vulnerabilities lie with their suppliers.
So, on the face of it, there’s not much a reseller can do except update their systems with the latest security fixes. Easy,
A quick fix won’t necessarily rectify the problem and, in some cases, can actually damage the platform it is meant to mend. Rushing in and carrying out a fix with no other measures in place is absolutely not the answer.
A further problem for resellers is that, being neither carrier nor host, they will have no direct engineering relationship with Intel or AMD. Their hosting company will, and so will be able to carry out potentially damaging fixes without the reseller’s knowledge, leaving the reseller without resilience at network level.
How, then, can resellers who have a hosting supplier protect both themselves and their customers? A good starting point is to follow these four steps:
1 Clarify the potential threat. Talk to your suppliers to establish whether the products they are using have been affected by these bugs. The chances are they will have been, so next find out if they have a plan in place to fix them.
2 Exercise caution. If your supplier is planning a fix, it’s tempting to give approval automatically. However, it’s possible that their fix could actually prevent the product from working properly, so it’s important to question, question and question again to establish the validation process – testing and redundancies are crucial at this point. Inform your supplier that you want to move your system elsewhere (for example to a redundant supplier) while they test it and get it fixed. You’ll be able to deploy it and check it works once you’re happy the fix won’t damage your platform. Only at this point has enough groundwork been done to allow the fix to go ahead.
3 Consider other options. You could simply do nothing, in which case you must be aware that anything you do with the system won’t be secure. If you rely on it for banking, GDPR or online payments, for example, you will be in breach of compliance obligations, which could cause you huge problems with the ICO. The longer you leave it, the more severe the breach will be.
Alternatively, you could move to a supplier that has already implemented a fix. Invosys builds cutting-edge solutions that are relied on by the largest financial and telecoms institutions in the UK. Resolving vulnerabilities before they become a serious issue for our customers is our first priority.
By creating a parallel system on servers running an OS that had already been patched on an alternative platform, we were able to test performance and regularity issues. Only then did we start the process of migrating services from one to the other. We could do this because our system was built to be scalable across multiple sites, enabling us to run part on one set of infrastructure and part on another, gradually moving things over, rather than having to switch off one system in order to switch on the other. This had to be done in-house, as there are no third parties with sufficient understanding of our architecture and the needs of our customers.
Our services are now entirely on the new platform and it’s business as usual for both us and our customers.
4 Take the positives. When you are up and running again and have reinstated service, your first priority should be to work out how to avoid this in the future. Accept that while interruption of service is not ideal, it can highlight opportunities to make improvements to the resilience of your platform and its underlying infrastructure.
The Meltdown flaw is a major headache for companies across the channel and a source of great uncertainty. But by working top down through your infrastructure, you can be confident of securing your data and your customers’ data without compromising day-to-day operations.