Skip navigation
Microsoft campus in Redmond, Washington Microsoft
Microsoft campus in Redmond, Washington

Spectre, Meltdown Hit On-Prem Windows Servers Hardest

Performance tax of patches in many cases unavoidable; chip vulnerabilities may accelerate shift to cloud

Discovery of the Spectre and Meltdown processor vulnerabilities has been wreaking havoc across the IT industry, particularly since the chip design flaws were made public earlier this month. Enterprises hosting applications in traditional on-premises data centers are hit the hardest, experts say, and hose running Windows on their servers have it worse than everyone else.

"It appears that organizations that have heavily leveraged Microsoft operating systems are more impacted than those who leverage Linux," said Carl Wright, chief revenue officer at AttackIQ, a San Diego-based cybersecurity company.

Customers with large Linux deployments -- 200,000 servers or more -- report "almost non-existent impact to business operations," he said.

Meanwhile, patches for the vulnerabilities could slow down servers running on Windows.

"The cure may be painful to take," said Dana Simberkoff, chief risk, privacy, and information security officer at AvePoint. "Unfortunately, Microsoft has also stated that if a computer is using older Intel processors -- for instance, running Windows 8 -- end users will likely notice a decrease in system performance after installing the patch."

One of the things that means for data center operators serving internal enterprise users is a cost increase, since they might need to purchase additional hardware to handle the same workload.

Ned Bellavance, director of cloud solutions at Anexinet, said that there have been reports of performance degradation by as much as 30 percent.

Data centers will feel the impact more than desktop users, especially data centers running hardware at higher utilization rates.

"The key to data center profitability is efficiency," said Ben Carr, VP of strategy at Cyberbit. "The loads are scaled to make the most out of every bit of performance available -- typically running the max number of virtual systems possible -- which makes any impact to performance potentially very costly."

Uncomfortable Decisions

Those serving external customers will have some uncomfortable decisions to make.

"Do they pass these cost on or eat them?" said Gabriel Gumbs, VP of product strategy at STEALTHbits Technologies. "Customers won’t be happy with additional cost for the same amount of service."

Microsoft also lags behind Linux when it comes to access control, said Gene Shablygin, CEO and founder of cybersecurity vendor WWPass Corp.

That is a problem, since the Spectre and Meltdown vulnerabilities depend on hackers having access to the hardware.

"My recommendation here would be to not to use Windows-based server solutions until Microsoft offers better access control," he said. "Use Linux instead.”

Meanwhile, some Windows users have been reporting that the patches are interfering with their anti-virus tools. And, for some Windows platforms -- namely Windows Server 2008 and Windows Server 2012 -- fixes aren't available at all.

"Addressing a hardware vulnerability by using a software update presents significant challenges, and some operating systems require extensive architectural changes," Microsoft said in a statement about the vulnerabilities. "Microsoft is continuing to work together with affected chip manufacturers to investigate the best way to provide mitigations."

"The depth of the problem and impact make quick fixes almost impossible," said Atiq Raza, CEO at Virsec Systems. "Until 20 years of processors are replaced, the operating system vendors will not be able to close this gap."

More Transparency from Intel Needed

Despite the patching issues, Microsoft and other operating system vendors have been getting better reviews for their responses to the problem than the chip makers.

"Microsoft, Red Hat, and other major OS vendors have been fairly transparent in their response to the impact of Meltdown/Spectre and the impact of any patches," said Drew Nielsen, CISO at Druva. "However, Intel still has some work to do on the transparency piece, especially when it comes to the severity and impact of Meltdown/Spectre."

"I think Intel has dropped the ball and trying to sweep it under the rug," said Marty Puranik, CEO at Atlantic.Net, a hosting company with several data centers in the US and Europe. "They can and should respond better. Microsoft has called Intel out to some degree in noting the performance impacts of correcting the bug -- which Intel has and continues to minimize."

It doesn't help that on Monday, Intel was forced to admit that its patches were causing problems such as reboots and other "unpredictable system behavior."

The scope of the problem underscores the need for automated patching processes.

"Traditional hand-to-hand processes cannot deal with performance and operational tasks at any scale at this point," said Eric Wright, technology evangelist at Turbonomic. "The risk and costs are too great."

Shift to Cloud May Accelerate

This problem may also accelerate the movement away from traditional data centers to cloud environments.

"It indicates the inherent security challenge in running your own data center," said Mike Schuricht, VP of product management at Bitglass. "This is in large part the reason many are moving away from managing their own data centers and instead are shifting the infrastructure security burden to AWS, Microsoft, and others that are better equipped to patch systems in a way that doesn’t break functionality for their customers."

Amazon Web Services, Microsoft's Azure, and Google Cloud Platform all have safeguards in place to protect against the exploits, said Anexinet's Bellavance.

"For those running (on premises) the majority of the burden for identifying and patching servers falls squarely on the IT teams’ shoulders, which will likely distract them from current projects," said Aaron Rallo, CEO at TSO Logic, which makes software that helps companies manage their data center operations.

The big cloud providers have another advantage: they knew about the security problem well before it was revealed to the general public, Rallo pointed out.

Correction: January 25, 2018
Dana Simberkoff is chief risk, privacy, and information security officer at AvePoint, not chief compliance and risk officer as the article previously stated. Carl Wright, chief revenue officer at AttackIQ, not general manager at TrapX as the article previously stated.
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish