I’ve been in IT for a long time. I’ve designed and built datacenters and I’ve created network operations teams. Not so long ago, the thought of moving my organization’s sensitive data and servers to some 3rd party was a laughable joke to me. But times have changed, and I hope that I’ve changed some, too.
In the past year, we have seen a spate of significant hardware vulnerabilities, from embedded debug ports, to Meltdown/Spectre, to vulnerable lights-out management interfaces, and now the news about TLBleed. I suspect that each new hardware vulnerability identified creates incentive for other smart people to start looking for more. And it appears that there is no near-term end of hardware bugs to find.
In the aftermath of Meltdown/Spectre, I wrote a bit about the benefits of cloud, specifically that most cloud providers had already implemented mitigations by the time news of the vulnerabilities became public. There seem to be many benefits of moving infrastructure to cloud, but TLBleed seems like another example of those benefits because we can transfer the capital costs of procuring replacement servers to our providers, if necessary. (Note: I am not convinced TLBleed is an issue that rises to that level of importance.) We do, however, need to ensure that the provider has taken the appropriate steps to address the problems.