Finding security where applications and operating systems meet


It hasn’t happened in retail yet, but the growing number of applications running on servers kept at individual stores is exposing retailers to a new vulnerability that hackers could exploit.

That’s the conclusion of security expert Ian Eyberg, founder and CEO of NanoVMs, a provider of server protection that uses “unikernels.”

A unikernel runs a single program as its own operating system inside its own virtual machine; each virtual machine behaves as if it were a separate computer, and one server can host many of them. Eyberg says the technology can be thought of as the merger of an application and an operating system.

Typically, software running in a virtual machine sits on a traditional, general-purpose operating system such as Linux or Windows. As a result, a store server running multiple applications on one shared operating system can be hacked, as point-of-sale software has been.

Eyberg says unikernels make it possible to isolate each software program into its own virtual machine, separating it from a server’s legacy operating system.

“For retailers, once their store servers are hacked, that’s it,” he says. “Once inside an operating system, it’s very easy for a hacker to go from host to host, server to server.”


Keeping servers in hundreds or even thousands of stores and warehouses makes them very susceptible to hackers, Eyberg says.

“If a hacker can get into even one insecure application, like the software monitoring wireless thermometers on refrigerators and freezers, they are then inside the server with access to the operating system and, more importantly, the network, and can now take whatever data they want — pilfering QuickBooks data, payroll data, employee IDs, et cetera.”

Sensors like wireless thermometers have existed for a long time in retail, “but the big change is that instead of reporting home to centralized servers that have much more security, all that data is remaining on-site, consumed by software on-site, less securely protected. That’s what makes it a new danger,” Eyberg says.

“People can use unikernels as a new safer way to deploy server software,” he adds. “When a hacker realizes that a retailer has that, it takes away the incentive to hack because they can’t take over a server to do whatever they intended to do because of the single program isolation.”

Software that runs on servers deployed in a cloud data center is more secure than software deployed on servers kept on-site, says Eyberg. He cites Amazon, which he notes has 56 servers and employs some 20,000 engineers to provide the security that thwarts hackers.

In comparison, a large grocery chain “might have north of 500 engineers providing security, they’re covering a much larger universe, approximately 2,700 stores — 2,700 physical locations,” he says.

“I guarantee there are vulnerabilities at those physical locations. Anytime you add new computers on a site, there is an increased attack surface. Securing the software in data centers in those on-site servers becomes a much bigger challenge, and it requires a lot more security.”

To replicate the security that Amazon can provide for its 56 physical data center locations, he says, retailers would need an enormous number of engineers monitoring every server location in every one of their stores, which would be very expensive.

Eyberg suggests unikernel technology as an alternative.

“Instead of hackers being able to run their programs on someone else’s system, with unikernels that becomes much more difficult,” he says.

“It doesn’t have the capability to allow that because it’s only possible to run one application on one operating system in each virtual machine. If a retailer wants a new application to run new software, they just run it on another virtual machine.”


Deployment is relatively simple and direct: Eyberg says retailers don’t need to buy new hardware. There are several unikernel tech companies retailers can partner with, including NanoVMs.

Another alternative is for a retailer to hire more engineers to oversee its servers. Kroger seems to be doing this, with plans to double the 500 engineers it now employs over the coming year, Eyberg says.

But, he adds, engineers in the Bay Area are paid between $150,000 and $200,000 each. By comparison, NanoVMs offers retailers a per-server license, and a single server can run thousands of virtual machines.

Once a chain has authorized the project, installing the software and getting it running does not take much time. “Once all the nontechnical procedural work is done,” Eyberg says, “we can get stores up and running in a week or less without disrupting existing, ongoing procedures.”

Savings come from not needing to spend “millions” on engineer salaries and from eliminating the need to buy security software that scans what is happening inside the servers, which can cost as much as $20,000 a month for some products, he adds.

After the first month, “if they don’t need to pay salaries to engineers or pay for security software subscriptions, companies will immediately see a return,” he says.

“If Facebook, one of the biggest companies out there, can be sued for billions of dollars because of data breaches, then companies not really focused on technology are not immune.”

