Q: Let's start with the basics - what exactly are unikernels?
A: Unikernels are single-application virtual machines that run one and only one application. While you might be familiar with virtual machines running on VMware vSphere or in public clouds like AWS, unikernels are fundamentally different. Unlike traditional VMs that contain a full Linux operating system, unikernels are built to run just one application. This actually aligns well with how most cloud virtual machines are provisioned today, as many applications don't fit on a single server to begin with.
Q: How does NanoVMs' approach differ from traditional Linux-based virtual machines?
A: The differences are quite significant. Our operating system, Nanos, doesn't have users or passwords, nor does it have functionality for administrators - or hackers - to log into the machine remotely. This is crucial because an attacker's primary goal once they access your system is to run their software, whether that's cryptominers or ransomware. And while some might think ransomware attacks can be solved through insurance, the reality is devastating - most small to medium-sized businesses don't survive beyond a year after such an attack.
Q: Can you elaborate on the security benefits of unikernels?
A: The security benefits go well beyond the absence of users and passwords. Unikernels, by their very nature, cannot run other programs on the same system as the intended application. This forces attackers to go to great lengths to do anything of consequence. Even if you have vulnerable software, NanoVMs neutralizes the vast majority of exploit payloads because the systems simply don't have the capability of running other software.
The reduction in code size is dramatic compared to a normal Ubuntu server - we're talking about going from tens of millions of lines of code to tens of thousands. Hundreds of libraries are reduced to single digits, thousands of programs are reduced to one, and hundreds of running processes are reduced to one.
For regulated industries, we've found up to 30-40% reduction in security controls in frameworks like NIST 800-53 and NISTIR 8176 compared to other deployment methods.
Q: How do unikernels compare to containers, which have become increasingly popular?
A: While containers have gained popularity for software deployment, their security posture often takes a back seat, which can worsen existing security issues. Containers can break well-known boundaries in cloud systems by spreading the attack surface across many servers, and they frequently experience "container breakouts" that give attackers free rein over your infrastructure.
From a performance perspective, containers run on top of orchestrators like Kubernetes, which run on top of existing Linux systems. This layering heavily degrades networking and storage performance. In contrast, NanoVMs replaces Linux entirely, so we don't just run faster than containers - we run faster than Linux itself.
Q: What are the business benefits beyond security?
A: While security is a major advantage, businesses also benefit from simplicity, improved performance, and cost savings. The unikernel's single-process deployment mode typically results in higher throughput, lower latency, and higher requests per second. For engineers, these are exciting metrics, but at scale, they translate into significant cost savings for the business.
Q: Looking ahead, what role do you see unikernels playing in the future of cloud computing?
A: Today a lot of companies are overwhelmed by many things when it comes to cloud. The security issues are non-stop and require vulnerability-management response teams. CFOs are concerned about cost, and end-users find existing tooling far too complex. For many applications, one does not need to deploy a full-blown, general-purpose operating system such as Linux and then manage it when you are already in a virtualized environment – that is, the ‘server’ instance is actually not real. This might be necessary if it was a real server, but it is not, and that is already fully managed by the clouds such as Amazon.
While unikernels are not a magic wand, they deliver major benefits in these areas to the extent that we think many cloud workloads will be provisioned as unikernels in the future.
Q: Can you share some specific examples of how organizations have successfully implemented unikernels and the results they've achieved?
A: Sure, we have one company that’s been working with us for several years that does accounting and ERP software. They deploy to all the major public clouds and also manage software that is installed at their numerous customers' locations. Using the Nanos unikernel, they were able to standardize on a default security posture that both eliminates a large range of attacks and neutralizes many exploit payloads.
Another customer in the blockchain space needed high performance coupled with a strong security base, so NanoVMs was a natural fit. We worked with this customer to provide them access to on-premise GPUs. We had initially added support for cloud-based GPUs, but this team needed access to consumer-grade GPUs they had already purchased and were managing themselves in their colo.
Q: How does NanoVMs address the challenge of legacy application migration to unikernels?
A: Legacy software can come in many shapes and forms and different methodologies can be used to migrate it into a unikernel. Sometimes patching is an option. For instance, we patched PostgreSQL by converting its inherently multi-process architecture into multiple threads. Other times migration can be as simple as setting the right configuration.
Q: What are the current limitations or challenges of unikernel technology, and how is NanoVMs working to overcome them?
A: There are typically a few challenges that organizations will have when wanting to run their existing software as unikernels, and thankfully we can help with both. First, if an organization is just using off-the-shelf software and didn’t actually write it themselves, packaging can be challenging, as someone has to configure it correctly. NanoVMs and its community provide an ever-expanding universe of pre-made packages that our users can use.
Secondly, most organizations have existing practices and methods to deploy software to their preferred hosting environment. This might include various integrations with security software, application performance monitoring software, CI/CD systems, deployment and orchestration software, etc. We have worked with these organizations in the past to implement these integrations. One of the many benefits NanoVMs customers have over free users is that besides getting access to ad-hoc services they get to drive a lot of product development. We have so many product requests that we tend to only work on things that are coming straight from a customer.
Q: What advice would you give to organizations considering unikernels for their cloud infrastructure?
A: For software and DevOps engineers interested in getting started with unikernels, you can download NanoVMs' open-source software at nanovms.com. This will allow you to build and run common software locally and push it to the cloud. NanoVMs supports deployment to all major public clouds, including AWS, GCP, and Microsoft Azure, as well as private clouds via OpenStack or VMware vSphere.
For those in security roles or others not directly involved in application deployment, we recommend contacting NanoVMs to learn more about how unikernels can benefit your organization.