NetDocuments Response to the Meltdown and Spectre Vulnerabilities

January 5, 2018
NetDocuments recognizes the serious set of security vulnerabilities known as Meltdown and Spectre and is actively monitoring developments regarding these vulnerabilities.  Because of the extensive multi-layered defenses and controls implemented within the NetDocuments Service infrastructure, together with the inherent protection created by the architecture of the Service, the ability of someone to directly exploit either of these vulnerabilities within NetDocuments is extremely unlikely.  NetDocuments is actively reviewing strategies to ensure ongoing protection of customer documents while also maintaining optimal performance of the Service.
Customers should conduct their own risk analysis and follow their own security best practices to prevent Meltdown and Spectre exploits of individual customer devices.  The United States Computer Emergency Readiness Team (US-CERT) has provided guidance for these vulnerabilities in TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance.
What are Meltdown and Spectre
Meltdown and Spectre are design weaknesses within the architecture of CPUs that allow critical information in the basic processing functions of the CPUs to be potentially exposed.  The vulnerabilities are found in Intel, AMD, and ARM processors that, between them, involve almost all servers, PCs, laptops, tablets, and smartphones, regardless of manufacturer or operating system.  
Protecting NetDocuments Servers
Like most modern computers, NetDocuments’ servers are potentially vulnerable to Meltdown or Spectre exploits because they use CPUs which contain the design weaknesses.  However, these vulnerabilities can only be exploited when an attacker can run their code on a targeted server.  The ability of an attacker to reach a NetDocuments server and run exploit code on the server is thwarted by the following defenses and controls:
  1. NetDocuments operates a completely private cloud Service; the Service only runs NetDocuments code on NetDocuments servers.  NetDocuments is not a public cloud and therefore is not susceptible to these vulnerabilities in the same way as public cloud infrastructures.
  2. Exploiting either Meltdown or Spectre would require an attacker to already have access to a NetDocuments server, have the ability to get malicious code on the server, and be able to execute the malicious code.  This is true with any vulnerability.  These newly exposed vulnerabilities do not present additional risk to NetDocuments’ infrastructure beyond any other vulnerability.
  3. NetDocuments’ servers only run code engineered by NetDocuments and vendor code that has been reviewed and confirmed.
  4. The NetDocuments Service does not allow end-users to upload executable files through the primary NetDocuments interface, and each file uploaded into the Service is immediately encrypted, making each encrypted file completely inert.  Further, all documents in the Service are protected with encrypted encryption keys (wrapped keys).  Master encryption keys and customer managed encryption keys are stored in Hardware Security Module (HSM) devices.
  5. NetDocuments’ servers are purpose built and are highly segregated to enforce server separation of duties.  An attacker would have to penetrate multiple layers of security and segregation for any attack to yield valuable data.
  6. NetDocuments only installs servers using audited and tested automated deployment mechanisms.
  7. By policy and technology, NetDocuments does not allow administrators to browse the web or perform other “desktop” activities from NetDocuments’ Production servers.  This reduces the possibility that a NetDocuments administrator could introduce malicious code to a server.
  8. NetDocuments’ servers are all behind Web Application Firewalls, traditional layer 7 and layer 3 firewalls, and load balancers.  None of NetDocuments’ servers are on IP address spaces that are directly addressable through the Internet.  Only NetDocuments’ load balancers are accessible from the Internet, and connections to them are protected by state-of-the-art firewalls which are tightly controlled and monitored.
  9. Customer documents are erasure encoded and stored on multiple storage nodes across multiple, geographically separated data centers.  Larger customer documents are mathematically sliced and segregated so that no single data center holds enough document slices to reconstruct these customer documents.
It is possible the Meltdown or Spectre vulnerabilities could be exploited on other resources customers have chosen to use for optional NetDocuments services, such as Microsoft Azure services, but NetDocuments has confirmed Microsoft has already patched the Azure infrastructure.   
Protecting PCs, Laptops, and Other User Devices
The most vulnerable place for most NetDocuments customers will be their own user devices.  In theory, a browser running JavaScript code from an infected website could exploit the Meltdown or Spectre vulnerabilities to compromise other software running on the same device, including NetDocuments client software.  NetDocuments encourages its customers to conduct a risk analysis of their environments and follow their own security best practices for protecting user devices.  Any of our customers who are running processes on a shared server architecture (where the server is also running code the customer doesn’t control) should also make sure that their hosting vendors are following security best practices.
The NetDocuments Service architecture provides optimal protection of customer documents from both internal and external threats, including the Meltdown and Spectre vulnerabilities.  Please contact a NetDocuments representative for more information.