Why you should know where cloud vendors get their infrastructure from. It matters.

A recent e-article came across my screen titled “Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?”

Why does this matter? It matters because Supermicro ranks as the 3rd largest supplier of servers in the world. How did Supermicro become so dominant?

In the original Bloomberg article about this issue I found this rather interesting statement:

“Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.””

Who are some of these organizations that have knowingly accepted “Satan’s bargain?” The articles highlight how Supermicro rocketed to become the 3rd largest supplier of servers with the help of major OEMs and cloud service providers (CSP) such as Amazon Web Services (AWS) and Apple.

According to Supermicro’s (08/03/17) Corporate Fact Sheet:

“Supermicro ships to more than 700 customers including distributors, value added resellers, system integrators, and original equipment manufacturers (OEMs) as well as through its direct sales, in about 80 countries…”

At Egenera, we don’t make “Satan’s bargains” to lower our costs. We assess and analyze our technology providers with reliability and security as the top metrics. Our partners and their customers deserve our stringent infrastructure selection due diligence. It’s not just about cost.

When you shop for a CSP you need to make sure you ask the right questions, including where the CSP’s infrastructure is manufactured. Take a look at question #4 in our popular CSP Assessment Checklist. When it comes to IT infrastructure, whether in the cloud or on-premises, the manufacturer does matter.

For detailed information about our cloud infrastructure just send an email to info@egenera.com or fill out the online “schedule a demo” form. We’ll be in touch shortly!


One Comment

  • Scott Harris says:

    With the numerous denials from Apple, Amazon, and of course Supermicro, the original report has become a very hot topic for debate in the IT community. In the past few weeks I have had conversations with customers and peers alike about how they are inspecting motherboards, replacing systems, and other serious reactions to the news. Other conversations have focused on how this is a well-designed witch hunt to decrease US market share for Supermicro. In my mind the jury is still out here, with no new news for the past few weeks nor a retraction, despite demands from many tech leaders.

    Clearly getting to the truth behind this story is a big deal for Supermicro. Their stock continues to trade significantly lower since the announcement. That said, I do not think the IT world should be so focused on this one story. We should be taking this as a reminder of the importance of sourcing technology as a whole.

    The fact is that for something like a “spy chip” to get inserted into a server, as it is alleged in this case, is on the far end of the difficulty scale. In conversations with colleagues in and out of Egenera, most agree that given all the right circumstances something like this could happen. However, almost all of them point out how much more likely it would be to find backdoors in software. So what does that mean for the infrastructure we rely on? It means we need to have renewed focus on the potential of vulnerabilities from any supplier, especially software.

    Backdoors can come from anywhere, not just a nosy government. Major switch suppliers have patched items even this year that have been associated with reports of hardcoded accounts. Other software backdoors have been attributed to hacks for many high profile breaches such as the one at Equifax. Variations of SSH, OpenSSL and other common packages have also been patched to eliminate backdoors in the last year or two. Let’s also not forget that the industry’s propensity to open integration with widely published APIs adds yet another angle of attack for those with malicious intent. We have seen a number of these, most recently perhaps the one published by WIRED last month where the AWS API can provide a way to circumvent logging intended to track hacking attempts.

    So what I mean to say, Marc, is that I strongly agree with the title of your post. We all need to be mindful of where we source our infrastructure. It does not matter if it is a chip, some code, or an undocumented root account; a vulnerability does not have to be injected by a 3rd party. In conjunction with regular patching, testing, and locking down access, being smart about picking our technology sources is another part of minimizing the exposure to cyber attack.

    Sometimes price, although important, needs to take a back seat to how much you can “trust” the source.
