Govt-certified clouds face questions on chip flaws

The federal government has sought assurances from cloud providers certified by the Australian Signals Directorate (ASD) over the impact the Meltdown and Spectre chip flaws might have on their services.

The Australian Cyber Security Centre (ACSC) released guidance late Friday on the two critical chip flaws that were revealed by researchers last week.

Meltdown affects only Intel chips and can be patched, while Spectre affects chips by all three major makers - Intel, AMD and ARM Holdings - and may require replacement of the CPU hardware to be fully mitigated.

Public cloud providers spent the weekend patching their services to protect against the flaws, which could allow access to sensitive information in a system’s memory.

A widely-reported side effect of the mitigation is an expected hit on the performance of the affected chips - and therefore the hardware and cloud services that rely on them.

Estimates so far have varied wildly, with performance impact claims ranging from five to 30 percent.

However, Intel claimed in a statement over the weekend that “Apple, Amazon, Google and Microsoft are among those reporting that they are seeing little to no performance impact” after initial tests following security updates.

Still, the ACSC is seeking its own assurances about how Meltdown and Spectre might impact cloud services that are on the ASD certified cloud services list (CCSL).

“The ACSC is assessing the impact on cloud services listed on the CCSL,” it said.

“The ACSC have engaged with these companies and they are taking appropriate action.”

Service providers on the list have their cloud services certified to host varying levels of secure information, according to government classifications.

Currently, three providers on the list have services certified to host protected information, while the rest can carry unclassified data.

Intel will be hoping customers can contain any impact to their services caused by the two security flaws as the company faces the potential fallout from the incident, including compensation and class action suits.