Spectre and Meltdown – What Does It Mean For Software Asset Management?

Have you heard of Spectre? No, I don’t mean the James Bond movie – although this does have the makings of a Hollywood blockbuster...

2018 has barely started and there is already a big news story about significant security flaws that companies need to be concerned about. They are codenamed Meltdown and Spectre, and they differ from the typical vulnerabilities found in networks or software: these are flaws in the hardware design, specifically in the way modern processors implement speculative execution, which lets one process read memory it should never be able to see.

Why is this significant? Most issues or flaws relate to a specific platform or product, but this one has a much broader scope. It affects processors from Intel, AMD, ARM, Apple, IBM and others, which means it is not just a Windows issue or a Linux problem: it affects Macs, UNIX machines and Power systems as well. In fact, it potentially affects most servers, desktops, laptops, mobile and tablet devices produced over the last 20 years, and even IBM z Systems mainframes.

Not all chips are impacted in the same way. At the time of writing, AMD processors are reported to be affected by Spectre only, while processors from other vendors are susceptible to both. There is no way to fix the flaw in the silicon already deployed; a true fix means redesigning future processors. What can be done today is to mitigate it in software and microcode, and those mitigations are what the vendors are shipping as patches.

That being said, the vendors are working on patches to mitigate the problems; a number have been developed, released and already deployed by many organizations. Early feedback, however, is that the patches are not without problems of their own. There have been a number of reports of system crashes and unexpected reboots after the patches were applied. There are also reports of performance degradation: up to 15% on desktops and laptops, and as much as 25% on some servers, although the figure varies considerably with the type of workload (I/O- and syscall-heavy workloads are hit hardest).

So how does this relate to Software Asset Management? As you are probably aware, Siwel has been a huge advocate for several years of closer interaction and integration of ITAM with IT Security and key ITSM teams for the greater effectiveness of all concerned. The performance impact of the Spectre and Meltdown patches is a great example of how this cooperation should work, or of where it is broken.

In most organizations, IT Security will have researched the issue, communicated an alert and validated the options available for resolution. The Operations teams responsible for patch management will then obtain the patches and deploy them after testing in development. What happens next, once the impact on performance has been identified and validated, is critical and can make all the difference to an organization.

Many of the companies that identified a performance issue in the data center have had to compensate by activating more servers to take up the load. Note that the arithmetic is less forgiving than it first appears: if each server now delivers only 75% of its former throughput, you need four servers to do the work of three, so a 25% performance loss means adding a whole new server for every 3 already in use (not one for every 4), or activating an equivalent number of additional processors or cores. Any fraction is rounded up, because you cannot activate part of a server.

That extra capacity requires additional software and licenses. Was that planned and communicated with the SAM team in advance and applied through the standard processes? If not, then you potentially have a non-compliance risk to manage. Do you have headroom in your contract entitlements to absorb the extra licenses for those extra deployments of that software? If not, then you may have unbudgeted purchases to make. This matters most for software licensed per processor or per core, where every activated core counts against entitlement whether or not it is fully used.
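The capacity and license calculation described above, as an added worked example (this is illustrative code written for this article, not a Siwel tool or any vendor's calculator). It assumes a per-core license model and uses made-up estate figures; both are assumptions for illustration. It uses exact rational arithmetic so that a 25% loss on 3 servers comes out as exactly 4 servers rather than a float that rounds up to 5.

```python
"""Capacity and per-core license shortfall after a mitigation-induced
throughput loss.

Added example, not code from the original article. The per-core license
model and the figures in the constructed estate below are assumptions.
"""
from dataclasses import dataclass
from fractions import Fraction
from math import ceil


@dataclass(frozen=True)
class Estate:
    servers: int            # servers currently carrying the workload
    cores_per_server: int   # physical cores per server
    licensed_cores: int     # cores covered by current entitlement (assumed)


def servers_required(current: int, loss_percent: int) -> int:
    """Servers needed to keep the original throughput when every server
    loses `loss_percent` of its throughput.

    Exact rationals avoid float artefacts: 3 / 0.75 must be exactly 4,
    not 4.0000000001 (which ceil would turn into 5).
    """
    if not 0 <= loss_percent < 100:
        raise ValueError("loss_percent must be in [0, 100)")
    remaining = Fraction(100 - loss_percent, 100)   # throughput left per server
    return ceil(Fraction(current) / remaining)       # partial servers round up


def extra_servers(current: int, loss_percent: int) -> int:
    """How many servers must be added (or activated) to compensate."""
    return servers_required(current, loss_percent) - current


def license_shortfall(estate: Estate, loss_percent: int) -> int:
    """Per-core licenses that must be bought beyond current entitlement."""
    total_cores = servers_required(estate.servers, loss_percent) * estate.cores_per_server
    return max(0, total_cores - estate.licensed_cores)


if __name__ == "__main__":
    # Constructed estate: 12 x 16-core servers, entitlement for 200 cores.
    estate = Estate(servers=12, cores_per_server=16, licensed_cores=200)
    for loss in (0, 15, 25):
        print(f"{loss:>2}% loss: need {servers_required(estate.servers, loss)} servers "
              f"(+{extra_servers(estate.servers, loss)}), "
              f"license shortfall {license_shortfall(estate, loss)} cores")
```

Run it against your own server counts and entitlement figures; the shortfall is what the SAM team needs to know before Operations activates the extra capacity, not after.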

In addition, you need to consider that this affects your public and hybrid cloud providers and not just your internal environments. If your cloud environment is sized for a specific capacity, it too may require an increase in instance count or size, with the corresponding increase in both cloud cost and any bring-your-own-license entitlements tied to those instances.

So if you have not yet had these conversations with your IT Security team, your operations team and your cloud vendors, have them now, so that the licensing risk arising from this security flaw is identified and mitigated before the extra capacity goes live.

Have you seen an impact from these flaws in your environment already? Have you had discussions with your internal and cloud teams about any licensing changes or needs?