Safe and fast – isolating data processing as an alternate approach to patching Meltdown and Spectre

January 5, 2018

When we talk about security, we usually think of processors as stand-alone units. They aren't. And that means that while individual PCs still need to be patched, targeted organizational changes may let you keep the full processing power and speed of your more important data analysis servers while still keeping attackers away from your data.

The basic idea behind this approach: the 'workhorse' servers doing the actual data analysis run unpatched inside a protected environment, restricted in terms of physical access (including separate wiring) as well as network access. The 'gateway' servers that provide access to the data are patched, and access to them is tightly restricted. The reasoning is that Meltdown and Spectre leak memory by executing attacker-controlled code on the vulnerable CPU, so an unpatched server stays safe only as long as no untrusted code ever runs on it; the patched gateways and the isolated network are what guarantee that.

Of course, this doesn't work for every application and setup. But if you process large amounts of data, taking a second look at where and how you distribute your analysis algorithms, and at whether your infrastructure supports isolated analysis, might save you a few bucks by stretching your processing power.
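The split only holds if two things are true at once: every gateway actually carries the mitigations, and every workhorse admits traffic from nothing but the gateways. The following audit script is an added example, not code from the original post. It assumes Linux hosts, which report their status in /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2} (files the kernel exposes since 4.15); the host names, addresses, ingress lists and the inventory layout are constructed for the example.

```python
"""Audit a host inventory against the gateway/workhorse split.

Added example, not code from the original post.  Assumes Linux hosts that
report their status in /sys/devices/system/cpu/vulnerabilities/{meltdown,
spectre_v1,spectre_v2} (present since kernel 4.15).  Host names, addresses
and the inventory layout below are constructed for this example.
"""
import ipaddress

# Files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/.
VULN_FILES = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed inventory: 'vulns' holds the text read from each sysfs file,
# 'ingress' the source networks the host's firewall admits.
INVENTORY = {
    "gw-01": {"role": "gateway", "addr": "10.9.1.10",
              "vulns": {"meltdown": "Mitigation: PTI",
                        "spectre_v1": "Mitigation: __user pointer sanitization",
                        "spectre_v2": "Mitigation: Full generic retpoline"},
              "ingress": ["10.0.0.0/8"]},
    "gw-02": {"role": "gateway", "addr": "10.9.1.11",
              "vulns": {"meltdown": "Vulnerable",            # patch not applied
                        "spectre_v1": "Mitigation: __user pointer sanitization",
                        "spectre_v2": "Vulnerable"},
              "ingress": ["10.0.0.0/8"]},
    "wh-01": {"role": "workhorse", "addr": "10.9.2.20",
              "vulns": dict.fromkeys(VULN_FILES, "Vulnerable"),  # unpatched by design
              "ingress": ["10.9.1.10/32", "10.9.1.11/32"]},      # gateways only
    "wh-02": {"role": "workhorse", "addr": "10.9.2.21",
              "vulns": dict.fromkeys(VULN_FILES, "Vulnerable"),
              "ingress": ["10.9.1.10/32", "0.0.0.0/0"]},         # reachable from anywhere
}


def is_mitigated(status):
    """True for the kernel's 'Mitigation: ...' and 'Not affected' strings."""
    return status is not None and (
        status.startswith("Mitigation:") or status == "Not affected")


def gateway_addresses(inventory):
    """Addresses of all hosts in the gateway role."""
    return {ipaddress.ip_address(h["addr"])
            for h in inventory.values() if h["role"] == "gateway"}


def audit(inventory):
    """Return 'host: problem' findings; an empty list means the split holds."""
    findings = []
    gateways = gateway_addresses(inventory)
    for name, host in inventory.items():
        if host["role"] == "gateway":
            # The gateway is the exposed tier: every issue must be mitigated,
            # and a missing sysfs entry counts as unknown, not as fine.
            for vuln in VULN_FILES:
                status = host["vulns"].get(vuln)
                if not is_mitigated(status):
                    findings.append(
                        f"{name}: {vuln} not mitigated ({status or 'status unknown'})")
        elif host["role"] == "workhorse":
            # Unpatched by design, so nothing but the gateways may reach it:
            # every admitted network must consist of gateway addresses only.
            for cidr in host["ingress"]:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.num_addresses > len(gateways) or any(a not in gateways for a in net):
                    findings.append(f"{name}: ingress {cidr} admits non-gateway sources")
        else:
            findings.append(f"{name}: unknown role {host['role']!r}")
    return findings


if __name__ == "__main__":
    for line in audit(INVENTORY):
        print(line)
```

Run against the constructed inventory it flags gw-02 twice (meltdown and spectre_v2 still vulnerable) and wh-02 once (a 0.0.0.0/0 ingress rule on an unpatched box); wh-01 passes because its only admitted sources are the two gateway addresses. On real hosts the `vulns` dictionary would be filled by reading the sysfs files, and `ingress` from the host's firewall ruleset or the network ACLs in front of it.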

2 thoughts on “Safe and fast – isolating data processing as an alternate approach to patching Meltdown and Spectre”

  1. T. Pascal

    Securing the data like this is important anyway to protect the data at rest. However, at some point, the data needs to move around (to be backed up, reported on, analysed in a new way, upgraded, …). Also your gateway application or proxy is going to be vulnerable somehow. Just a matter of time. You just have to keep doing best practices, move like a shark, keep ducking and punching.

  2. Valdis Klētnieks

    Note however that setting this sort of config up correctly is a lot harder than it looks – mostly because it's very difficult to ensure that the gateway servers can't pass an exploit to the workhorse servers.

    If somebody plans to save a few bucks going this route, make sure some clued security people look over the plan.

