The Time for Unikernels is Now

In this episode of The View With Vizard, NanoVMs CEO Ian Eyberg explains why the time to employ unikernels to make IT more secure has arrived. The video is below, followed by a transcript of the conversation.

[Intro music playing]

Announcer: This is Digital Anarchist.

Michael Vizard: Hey, guys, thanks for the throw. We’re here with Ian Eyberg, who’s the CEO of NanoVMs. We’re talking about unikernels and container security and all kinds of new technologies. Ian, welcome to the show.

Ian Eyberg: Hey, thanks for having us.

Vizard: I’m not sure everybody knows exactly what a unikernel is, and I’m not sure even those who think they know what it is have got it right. So can you just explain what a unikernel is and where it fits in the landscape of things?

Eyberg: For sure, and that quip about not even knowing if they think they know, it’s pretty true. So yeah, a unikernel, at the end of the day, it’s just a way of packaging and delivering software as one single unit. So we take one single application and deploy it as a virtual machine. That virtual machine is only running that one piece of software. There’s literally nothing else on it. There’s no Linux. There’s no Kubernetes. There’s no containers, nothing of that sort. So the end result is that it runs a lot faster and it runs a lot safer than not just containers but also just Linux by itself. It runs faster, so.

Vizard: We’ve been talking about unikernels for a while. What do you think is the big challenge in getting people to wrap their brains around it to actually implement it? And why aren’t we seeing more of it?

Eyberg: Yeah, so you’re right. There’s been a lot of – you know, back in maybe 2013, 2014 there were a lot of academic papers that came out. They’ve still been coming out, by the way. And you know, back then, all the way up to, you know, maybe a year or two ago, the tooling around them was just way too brittle to handle. So if you weren’t like a kernel engineer, you basically weren’t going to be able to play with them because you had to be at that level to kind of work with them. So tooling has long been kind of a challenge, but you know, that’s something that we’ve been working on with some of the open source that we work with.

But the other thing is just market awareness. I mean, I can walk down the street of San Francisco and find somebody wearing a black hoodie and ask them, “Hey, have you heard the term unikernel?” and chances are they might not have even ever heard of it before. So market awareness is definitely another key issue.

Vizard: So what exactly do you guys do in this landscape? What exactly are you providing? If I engage with you as an enterprise, what do I get?

Eyberg: Sure. So we work on Nanos, which is a unikernel. So there’s like ten different unikernel implementations out there. Some of them have corporate backing, but most of them remain in the realm of research and academia. And so that’s one reason why they don’t get a ton of adoption, ’cause there’s really nobody that you can pay to, like, work on it. So – which turns out to be, you know, a challenge. If you’re gonna adopt some new technology and you don’t even really know much about it, let alone how to fix a bug or something, you need to be able to turn to somebody. And so that’s what we do, is we provide support plans for using it. The software itself is open source, though. So like Nanos you can find at Nanos.org. Ops is another open source project that we have. And so you can use that to your heart’s content. It’s free as in beer and free as in free speech, so.

Vizard: And who drives this conversation? Is it the developers or is it the ops people or the security people that are showing up going, “Hey, we should be playing with unikernels a little bit more”?

Eyberg: So our end users are DevOps, SREs, that kind of category, sys admins, you know, depending on your age. So yeah, those are the end users, developers to a degree but usually it’s the people that are deploying software, managing the software, you know, doing the monitoring, doing all that sort of stuff.

Vizard: Hmm. And do you think that – we’ve seen a rash of security issues lately. They are countless. There’s misconfigurations. There’s all kinds of headaches going on. Do you think that that’s creating something of a moment in time where people are thinking about, hey, maybe we need another approach?

Eyberg: Yeah. Well, I mean, you know, security is – you’d think with the amount of money that’s sloshing around in the cybersecurity sector that computer security would actually get better, but it seems to just be getting worse. You know, we can’t go a single day or week without some new data breach or ransomware attack or, you know, crypto-jacking or – I mean, it’s insane. I mean, well, two weeks ago the BOA CEO said that they spend over a billion dollars on cybersecurity each year, like a billion dollars by one company. And then that exact same week that the CEO said that, McDonald’s was hacked. [Laughter] So it was – I mean, it’s a mess. And you know, people talk about DevSecOps and so forth, but you know, there’s still a lot out there that is just not being touched at all.

I mean, speaking of DevSecOps, you know, if you look at Linux security in particular, a lot of that ransomware stuff is traversing on Windows systems, you know, desktops and stuff like that. But when you go look at the Linux world where, like, all the server code is residing, there’s really almost nothing security-wise out there, which is kind of interesting.

Vizard: Speaking of DevSecOps, is it realistic to train developers to learn all this security stuff and hope that they’re gonna solve all our problems? Or do we need some way to automate this in a way that doesn’t require every developer to be perfect every time?

Eyberg: Yeah. So I’m definitely in that latter camp. [Laughter] You know, developers make mistakes. They do – you know, they write bugs all the time. You know, it’s just a fact of code. I mean, like, we’re human. We write bugs. And so you’re never really going to get these nice little milestones just by packing more and more people into your SOC or things of that nature. I think that’s the completely wrong approach. In my opinion, the underlying infrastructure, the underlying software needs to be hardened in a better manner than it’s been done. And so there are fundamental changes, I think, that need to happen.

You know, if you – and this isn’t like a new idea either. You know, you can go back to the mid-90s and the L0pht was saying – you know, a famous hacker group was saying the exact same thing. They were saying the underlying software has got to be fixed; otherwise the stuff will continue to happen. And, you know, they’re right, and it’s now 25 years later and same thing, so.

Vizard: We see a lot of containers these days. Do you think people have a false sense of security around containers ’cause they’re like –

Eyberg: Absolutely!

Vizard: _____ _____ running for a little bit of time and no one will find it.

Eyberg: Absolutely. Just the name itself, contain, gives people this impression that it’s somehow a security primitive, and it has no security primitives. And in my view, it actually makes some security worse than, say, just a plain vanilla Linux VM because on that, you know, the VM is a very well-defined security boundary. You know, if I pop a root shell on an Ubuntu box, now I have access to that server, but I don’t have access to another server immediately. Now I’m going to have to figure out how to hack that other server.

Containers completely break this, because if I own a container in like your Kubernetes cluster that spans multiple servers, now I have access to everything. And so that’s a really, really big problem because it’s just fundamentally broken that barrier that used to exist. So that’s my opinion.

Vizard: It seems like the bad guys have figured out how to jailbreak containers and get into the whole host system as well, and maybe that’s gonna force a bigger conversation. We’re just waiting for some disaster to happen.

Eyberg: Well, I mean, we already have disasters happening. [Laughter] So it’s – you know, I mentioned crypto-jacking. That’s probably the favorite of attackers that want to do stuff. You know, you look at the rise of the cryptocurrencies and their prices. You know, that’s one factor, but the other factor is that the software supply chain itself is – you know, it’s not like it was 10 or 15 years ago. Nowadays, you know, the smallest companies might include, like, hundreds or thousands of third-party software packages in the application that they’re writing and then push it out. And this software gets updated all the time, you know? Every new release they might have new software from those hundred different third-party packages. All it takes is one of those to – you know, put some malware into it and you’re gonna have a bad time.

You know, actually just a few days ago there was a really interesting exploit on Google Cloud that came out where it basically allowed people to get remote _____ on any VM in Google Cloud. And people were kind of downplaying it and they were saying, “Well, it’s not so bad because you already have to have access to one VM inside the organization to begin with.” And, you know, I was trying to point out that that’s actually relatively easy to do through the software supply chain, you know? That’s how you get your initial foothold. And so once you’re there, you can attack whatever you want.

Vizard: You’d think – a lot of people I talk to, they think of crypto-jacking as kind of a nuisance crime, you know, and it’s stealing CPUs from the cloud provider. So do you think we’re just not taking things seriously enough?

Eyberg: Yeah. Maybe they want to chat with their CFO, though, before they say that. [Laughter] You know, I would agree. A lot of people do look at that as kind of a nuisance crime, but you know, at the same time it’s not like a problem that’s getting better. It’s just getting worse. And, you know, what might be a nuisance to an ad company or Uber or somebody like that, you know, that’s very different than, say, a hospital that’s delaying its ambulances because their computers are down and they’re having to resort to techniques they used 30 or 40 years ago. So I can’t say it’s a nuisance crime in all respects there.

Vizard: What’s your best advice to people about how to get started with unikernels, where to begin? I think some folks just feel a little intimidated by the whole thing.

Eyberg: Oh, yeah, for sure. I mean, well, it’s new technology, right? And then, too, is, like, there’s just not a ton of awareness in the form of, like, third-party blog posts and so forth and portals and so forth. But yeah, for – you know, if you wanted to get started and you just wanted to deploy something to try it out, Nanos.org, N-A-N-O-S, which is the unikernel we work on, again it’s open source. You can download it in like half a minute, and then push out your first “Hello, world,” and you can push it to Amazon in 20 seconds or Google in 20 seconds, so it’s very easy to get started. And I think that’s also kind of the best way of learning about it, is to just try it out. You can read all the tutorials out there. You can read all the blog posts. You can watch this show. You can do all that, but you’re really never going to get an idea of what these things are until you actually try them out, so.

Vizard: All right, well, I guess the revolution’s gonna start with this show. What do you say?

Eyberg: There you go. [Laughter]

Vizard: All right. Hey, Ian, thanks for being on the show.

Eyberg: Yeah, thanks for having me.

Vizard: All right, back to you guys in the studio.

[Outro music] [End of Audio]

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He has also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.