Meltdown, Spectre and Maintel

As we’ve been getting a number of questions from customers about the implications of Meltdown and Spectre, I wanted to provide a more general update on these well-known vulnerabilities, and how they potentially affect our ICON cloud and managed services.   

These vulnerabilities are most relevant in multi-tenant cloud environments, with customers understandably concerned that their information might be accessible by other companies also taking services running on the same physical hardware.

We offer three ICON Services that operate in this fashion: ICON Connect (managed wide area network), ICON Communicate (managed unified communications and contact centre) and ICON Secure (managed network security).

These vulnerabilities can only be exploited by an attacker if they can run software on a server or virtual machine, so the risk is significantly lower for closed systems – devices or appliances (including virtual appliances) that you can’t run custom software on.  In the case of Spectre, the vulnerability exists in CPU architecture rather than in software, and is not easily patched; however this vulnerability is more difficult to exploit.

ICON Connect and ICON Secure are unaffected as they run on closed systems where it is not possible to run malicious code at a local access level.

ICON Communicate does run industry-standard virtual servers using Windows and Linux operating systems, and therefore the risk is a little higher. However, we run our services in a “multi-instance” model, rather than a “multi-tenant” model, which is inherently more secure.

For an attacker to be able to use these vulnerabilities to subvert a system, they would need to gain administrative access to a server running in our infrastructure, or physically access a server. We heavily restrict administrative access to servers (Maintel ICON engineers only, no sub-contractors), and audit all changes. Our infrastructure runs in secure data centres, where our servers are physically isolated from any other businesses in the same facility.  

Although the risk to customers is low, we are working on updating our infrastructure as patches are released by manufacturers – you can find an update here, which we’re using to keep customers informed of our plans.

Although we aren’t committing timescales on when these vulnerabilities will be addressed at this point, our intention is to update our infrastructure safely as soon as we can.

In many cases, we’re waiting for patches to be produced before we can perform the updates, and we’re very aware that applying patches blindly could cause service outages, so we’re testing everything very carefully first.
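The careful patch-and-test cycle described above depends on being able to confirm that a host which has received a patch actually reports its mitigations as active. As an added example (not Maintel's code and not a description of the ICON infrastructure), the POSIX shell script below reads the per-vulnerability status files that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities and flags any entry still reporting "Vulnerable". The sample directory it builds is constructed data standing in for a partially patched host; the function name and the --live flag are this example's own. On Windows hosts the equivalent check is Microsoft's SpeculationControl PowerShell module.

```shell
#!/bin/sh
# Added example, not Maintel's code: summarise the kernel's reported
# Meltdown/Spectre mitigation status from the sysfs interface that Linux
# 4.15 and later expose under /sys/devices/system/cpu/vulnerabilities.
# The directory is a parameter so the same function can be pointed at a
# constructed sample tree (for testing) or at the live host.

# report_mitigations [DIR]
# Prints "<vulnerability>: <kernel status line>" for each file in DIR.
# Returns 0 when no entry reads "Vulnerable", 1 when at least one does,
# and 2 when DIR does not exist (kernel predates the interface, so the
# status is unknown rather than mitigated).
report_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no vulnerabilities directory at $dir (kernel predates the interface)"
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        printf '%s: %s\n' "$name" "$status"
        case "$status" in
            Vulnerable*) rc=1 ;;   # still exposed; "Mitigation: ..." and "Not affected" pass
        esac
    done
    return $rc
}

# make_sample
# Builds a constructed sample tree (hypothetical values in the kernel's
# format) representing a host where Meltdown and Spectre v1 are mitigated
# but Spectre v2 is not. Prints the directory path.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# With "--live" the script checks the host it runs on; without arguments
# it only defines the functions so it can be sourced.
if [ "${1:-}" = "--live" ]; then
    report_mitigations
    exit $?
fi
```

Run it as `sh check-mitigations.sh --live` on each patched Linux host; a non-zero exit code from the live check is the signal that a reboot or a firmware (microcode) update is still outstanding even though the package update itself succeeded.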

Given that we use our shared infrastructure to provide PCI-certified services to some customers, our obligations on PCI compliance mean that we have to update it (or provide a good reason why we shouldn’t) within 30 days of a patch being made available from a manufacturer in any case.