It’s been one year since Equifax, and has anything changed?
If you’re in the financial sector chances are your answer to this question is a resounding “No.”
You see, many of the attacks from the past few years, including those against companies like Equifax, Target, Anthem Health and Under Armour, to name a few, stem from vulnerabilities deep within the Linux operating system. Invented back in 1991, Linux is the operating system that runs the lion's share of the world's cloud servers, and cyber-attackers have had decades to school up on what are known as "remote code execution exploits" and to wreak havoc with them.
Remote code execution exploits allow bad actors to tap into what is effectively the central nervous system of a company's cloud infrastructure (all of which runs on VM technology), execute code remotely (read: malware) and then steal or encrypt the company's data, including but not limited to customer addresses, phone numbers, credit card details and perhaps even footsteps, as might be the case with a company such as Uber.
Assuming you're familiar with software container solutions such as Kubernetes, you understand that while these fast, lightweight systems are touted by many as the next major step for cloud infrastructure, they fall far short of delivering the security required to prevent the next major breach. The need for speed, and the media attention driving their popularity, have only led to a false sense of security that I fear will exacerbate existing systemic vulnerabilities. Recent Kubernetes data breaches at Tesla and Weight Watchers are just two examples of this.
The Problem with Existing Cloud Infrastructure? Linux.
Whereas the majority of tools today focus on endpoint security (phishing, intrusion detection and mobile device management), companies must recognize the need for a more modern server-side operating system architecture than Linux if they truly wish to secure their data and deploy agile systems at the same time.
How do we do this? I believe the answer lies within the benefits of a little-known and often misunderstood technology called the “unikernel.”
Widely considered to be the next generation of cloud infrastructure, a unikernel is an application that has been boiled down to a small, secure, lightweight virtual machine. Typically weighing in at ~30 MB, a unikernel runs as a single process and has no operating system, no users and no shell, rendering ransomware, remote code execution and ‘in memory’ attacks effectively useless.
Explore a Single-Process System
Linux and Windows are both multiple process systems that were designed decades ago and could not envision the cloud environment we live and work in today.
Unikernels, on the other hand, are single-process systems. They build in only the functions they need from the OS at compile time, rather than loading them at startup. In terms of infrastructure performance and security, this means that not only do unikernels empower servers to run 20-30% faster, they also cannot run code that was not intended to run.
Remove User Access
Enterprise organizations are only as strong as their weakest link. In the case of financial institutions and enterprises alike, these weaknesses take the form of millions of admins, clients, executives and partners engaging with vast amounts of potentially sensitive data from many parts of the world. Traditional operating systems like Linux and Windows provide the user logins that make these transactions possible, and in doing so enable would-be bad actors to find vulnerabilities, break into insecure system frameworks and carry out malicious attacks.
A unikernel, on the other hand, offers no user login. This simple design change prevents hackers from logging in and executing arbitrary code on a server operating system, eliminating many of the vulnerabilities that come along with user access.
Scrap the Shell
In simple terms, a shell is the program that accepts ad-hoc commands from a user and passes them to the operating system. One needs to look no further than the data breaches mentioned previously to recognize that the shell is an antiquated concept that only lends a hand to those who want to do your company harm.
Unikernels shrink an application to a fraction of its usual surface, denying bad actors the very tools they’ve been using to deploy ransomware in the first place.
A Reduced Attack Surface
A Linux system carries hundreds of millions of lines of code, including drivers for everything from USB drives to audio hardware, and libraries such as libxslt that have FTP servers embedded in them.
Unlike Linux, unikernels use a fraction of the code of the operating system, relying on only the most critical elements to the processes required by the application. As a result, unikernels are able to provide a greatly reduced attack surface that significantly limits the amount of code that can be exploited.
Ultimately, if financial institutions hope to avoid another Equifax, we need to strip cyber-attackers of the very tools they’re using to infiltrate our cloud infrastructure. By adopting unikernel cloud infrastructure, financial institutions have an opportunity to better protect their sensitive data stores and prevent the next major data breach from taking place.
Josh Pasqualini is the Account Development Representative at NanoVMs