The nearly ubiquitous “Meltdown” and “Spectre” security vulnerabilities that have dominated tech news headlines this week could be a ray of sunshine to one group of vendors: cloud computing providers.

Many information technology organizations are in chaos right now trying to determine the existence and impact of the hardware flaws on their own infrastructure, said Aaron Rallo, chief executive of Vancouver, B.C.-based TSO Logic Inc., which makes software that analyzes and optimizes IT workload placement.

“It’s a fire drill remediating the problem,” he said. “They’re distracted with resolving, patching and figuring out which workloads will be impacted. In the cloud, that’s largely been done for them.”

Rallo, who spent 16 years building and managing data centers and online platforms for large retailers before becoming a software entrepreneur, estimated that about 80 percent of the attention of operations, DevOps, security and quality assurance staff in a typical IT shop has been devoted to Meltdown and Spectre diagnosis and repair this week. Analyzing complex on-premises environments is even more demanding. “The more customized your environment, the harder it is to determine the impact,” he said.

In contrast, the major cloud infrastructure vendors all announced that they had applied patches within 24 hours after news of the vulnerability broke. For platform-as-a-service and software-as-a-service customers, that means it’s business as usual, Rallo said.

“The benefit of cloud is that your team can focus on its business activities while the cloud providers focus on making sure your apps keep running,” he said. “Cloud providers have some of the best DevOps and security teams in the business. If any hardware needs to be replaced, it’s on their dime.”

Despite reports of severe slowdowns experienced by some cloud infrastructure customers after patches were applied, Rallo said his company’s automated performance monitors have seen “no noticeable impact on performance. In all environments there is a bit of general overprovisioning, so the peaks may not come till the end of the quarter,” he cautioned.

Although cloud providers may apply patches at the processor level, customers that essentially rent computer time from infrastructure-as-a-service providers are still responsible for software fixes. How long that takes to happen is anybody’s guess. More than two months after the Heartbleed vulnerability in the Open SSL security protocol was discovered in 2014, about 1.5 percent of the largest websites still hadn’t applied a patch. Equifax Inc.’s consumer database was stolen last year by attackers who exploited a security flaw for which a fix had been available for two months.

TSO Logic helps companies crunch the data needed to justify a move to the cloud, but Rallo said the firm also works with on-premises deployments. “We’re completely agnostic about where workloads end up,” he said.

Whether heading cloudward or not, organizations should look at this latest tempest as another argument in favor of standardizing infrastructure wherever possible. “It seems that every vulnerability is more impactful than the one that came before it,” Rallo said. “We have to be diligent about using technology in as much of an automated manner as possible.”

Image: Todd Quackenbush/Unsplash