Spectre and Meltdown: Performance Impact Analysis
The New York Times, Wired, and the National Enquirer say that computer performance can be impacted by as much as 30%!! THIRTY WHOLE PERCENTAGE POINTS! That's Two! Whole! Digits! Also, Bill Gates is personally reading your e-mail! I love hype, don't you? The media is seriously loving on that 30% figure. Let's talk real-world expectations. I'm transitioning to Q&A format again because that seemed to work well last time. Also, a few clients of ours asked some really good questions.
Why are fixes for Spectre and Meltdown going to impact system performance?
The vulnerabilities are present in the CPUs of all modern computer systems, in the chips themselves. The fixes don't correct the problem; they work around it by forcing software and operating systems to behave differently, steering around the processor features that are vulnerable to attack. Ironically, these workarounds make the processor work harder than before, because doing in software what the hardware previously did on its own costs extra CPU time.
To complicate matters, because of the somewhat different architecture of server workloads, Windows Server operating systems need additional mitigation steps beyond installing the Microsoft updates. Those additional mitigations mean that servers will, chip-for-chip, be affected more than workstations and laptops.
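Concretely, here is what that "additional mitigation work" looks like on a Windows Server host, as an added example that is not part of Suite3's post: a PowerShell report of the registry switches Microsoft's server guidance uses, the live state from Microsoft's SpeculationControl module (Install-Module SpeculationControl), and a function that turns the switches on. It assumes an elevated shell; the function and variable names are my own.

```powershell
# Added example, not from Suite3's post: report (and optionally enable) the Spectre/Meltdown
# switches on a Windows Server host. Assumes an elevated shell and the SpeculationControl module.
$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$HyperV  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-MitigationOverride {
    # The update installs the mitigation code on a server but leaves it off until these two
    # DWORDs are set: Override 0 / Mask 3 enables both workarounds, 3 / 3 disables both.
    $p = Get-ItemProperty -Path $MemMgmt -ErrorAction SilentlyContinue
    if ($null -eq $p.FeatureSettingsOverride -or $null -eq $p.FeatureSettingsOverrideMask) {
        return 'not set (Windows Server default: mitigations off)'
    }
    switch ("$($p.FeatureSettingsOverride)/$($p.FeatureSettingsOverrideMask)") {
        '0/3'   { 'both enabled' }
        '3/3'   { 'both explicitly disabled' }
        default { "custom (Override=$($p.FeatureSettingsOverride) Mask=$($p.FeatureSettingsOverrideMask))" }
    }
}

function Get-MitigationStatus {
    # Pairs the registry switches with what the running kernel reports (registry changes need a reboot).
    $report = [ordered]@{
        Computer           = $env:COMPUTERNAME
        RegistryOverride   = Get-MitigationOverride
        HyperVMinVmVersion = (Get-ItemProperty -Path $HyperV -ErrorAction SilentlyContinue).MinVmVersionForCpuBasedMitigations
    }
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        $s = Get-SpeculationControlSettings
        $report.SpectreV2Enabled    = $s.BTIWindowsSupportEnabled
        $report.MeltdownEnabled     = $s.KVAShadowWindowsSupportEnabled
        # PCID spares the CPU a full TLB flush on every user/kernel switch; a host reporting
        # False here pays the most for the Meltdown workaround on I/O-heavy workloads.
        $report.MeltdownPcidEnabled = $s.KVAShadowPcidEnabled
    } else {
        Write-Warning 'SpeculationControl module not found; run Install-Module SpeculationControl'
    }
    [pscustomobject]$report
}

function Enable-SpectreMeltdownMitigation {
    # Writes the documented "enable both" values (and the Hyper-V key so guests can use them); supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)] param([switch]$HyperVHost)
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'enable Spectre/Meltdown mitigations')) {
        Set-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverride     -Value 0 -Type DWord
        Set-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverrideMask -Value 3 -Type DWord
        if ($HyperVHost) { Set-ItemProperty -Path $HyperV -Name MinVmVersionForCpuBasedMitigations -Value '1.0' -Type String }
    }
}
```

Run `Get-MitigationStatus | Format-List` before and after the reboot that follows `Enable-SpectreMeltdownMitigation`; a server showing `MeltdownPcidEnabled: False` is the one to watch for the I/O slowdowns discussed below.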
What sort of performance impact will Spectre and Meltdown patches and workarounds have on my business?
Too often, the vague cop-out answer is also the most accurate one: It depends. That said, we've conferred with other industry professionals, run some tests, and done a bunch of research. Here's what we've seen so far:
Servers that perform lots of I/O operations (e-mail and database servers like Exchange and Microsoft SQL) will be affected more. File servers, application servers, and domain controllers are less likely to notice an impact. Either way, everybody's servers will simply have to work harder to get the same things done. Overall impact will depend a lot on how the server is configured in the first place; if a five-year-old database server is running flat-out at 95% CPU utilization before mitigation patches, it's going to have a tough time at life. But a fairly recent, beefy server that never uses more than 50% of its CPU capacity will probably be okay. If we built your server in the last three years, it’s probably been configured with ample resources to deal with unforeseen demands (like these!).
Workstation (desktop or laptop) impact is pretty much going to depend directly on how old the computer is. The older the computer, the slower the processor, and the more time these workarounds cost it. The exact degree of impact again depends both on system configuration and on how end users use their systems. If your PC is newer than about 2015, the impact should be minimal. Computers made from 2013 to 2015 might see a light impact, and those made before 2013 will probably notice a moderate speed and performance impact. Close those extra browser tabs; it'll help, trust me.
If your systems are older than 2014, you should probably replace them anyway. If you're used to an old system, you really will be astonished at the performance of a brand-new computer. Rumor has it that Suite3 resells servers, workstations, and even laptops! Contact firstname.lastname@example.org for a quote.
When can I expect these updates to start affecting performance?
If you receive Windows updates through a patching agreement with Suite3, they'll start showing up in your environment this week per your regular patching schedule. If you aren't set up to receive our patches, Microsoft, Apple, and other operating system vendors have already released them to the general public, and your computers will get them according to whatever internal schedules they're running on.
Both applying and not applying these updates are concerns. How do I determine what is best for my company?
Remember that exploiting these vulnerabilities still requires running malicious code on the vulnerable system. Best practices remain in play: Don't use administrator rights when user rights will do. If your users are local administrators on their respective systems, you may want to re-think that policy. Don't download anything from the Internet that isn't from a very trusted source. All of that should be done anyway. Take care in the software you and your staff execute, even if you're patched.
Also, remember: Computers weren't always this fast! We're a little bit spoiled now, aren't we? This may be a penalty that we simply have to live with for a while. Take a slightly longer coffee break, talk to your cube neighbor. Take comfort at least in the fact that you're not alone, that the entire industry (indeed, practically everyone who owns a computer) is collaborating on and facing down the same issues.
All that taken into account, slow computers are still worlds better than stolen information. Patch and update your systems if you can.
My application vendor told me not to apply updates to our server until they finish testing.
If we deliver your updates, we can exempt one or more servers from receiving these updates until their testing is complete. If you do this, you won't receive any security updates at all until we rescind the exemption. Send us a service request at email@example.com to have this done.
If my system(s) are slow to the point that it's impacting business, what can I do?
Send us a service request to have us take a look at your environment and, if needed, roll back the patches and updates. This is a last resort. Keep in mind that slowdowns and sluggish behavior happen for other reasons too, and we can't necessarily blame Spectre or Meltdown mitigation for everything.
In summary: Keep Calm, Compute On. And if needed, take slightly longer coffee breaks.