News, news analysis, and commentary on the latest trends in cybersecurity technology.
A Database-Oriented Operating System Wants to Shake Up Cloud Security
The operating system, DBOS, natively uses a relational database to reduce cost, ease application development, and maintain cybersecurity and integrity.
March 25, 2024
Is it possible to replace Linux as the heart of serverless cloud computing services? That's exactly the intention of a startup consisting of developers from the open source Postgres database project and data management firm Databricks and computer scientists from the Massachusetts Institute of Technology, Stanford University, and UC Berkeley.
The company, DBOS, which announced $8.5 million in seed funding on March 12, aims to simplify the current complicated stack necessary for cloud development by replacing Linux containers with its own data-centric operating system (OS). The OS tracks its state in database tables, natively supports parallelism, and simplifies security by using native database access controls. The focus on data will also allow better compliance and provenance guarantees, with comprehensive logging allowing support for data integrity, according to the company.
The simpler architecture and native logging capabilities of the OS allow for a reduced attack surface area and greater ability to detect anomalies that could indicate an attack, compared to the aging Linux architecture, says Michael Coden, president and co-founder of DBOS.
"The number of state variables that you need in a modern application is a million times more than three decades ago" when Linux was created, he says. To make Linux work for cloud applications, "we've added containers on top of Linux, and we've added Kubernetes on top of the containers to orchestrate them, and we've added workflow orchestration because Kubernetes is so hard to use. It's a complex thing, which ... is really insecure because there's so many moving parts."
DBOS aims to change that with its eponymous operating system, which was created by a group of researchers from MIT and Stanford — one of the founders is now at UC Berkeley — and targeted at simplifying data-centric serverless architectures. In a 2020 paper, "DBOS: A Proposal for a Data-Centric Operating System," the researchers stated that they expect serverless and machine-learning applications to benefit from such a purpose-built operating system.
The OS is a bet on a serverless future, where enterprise customers pay only for the extent that they use services. Most companies are at least experimenting with the approach. More than 70% of organizations using Amazon Web Services also use the platform's serverless capabilities, while more than 60% of Google Cloud customers and about 49% of Microsoft Azure customers use those platforms' serverless functions, according to a Datadog report, "The State of Serverless," published in August.
Better Living Through Databases?
DBOS aims to make serverless simpler to deploy and more secure. The OS puts at least one relational database management system (DBMS) running on a microkernel at its foundation. The file system, OS utilities, and process scheduling all run on top of the database layer, with most utilities written as stored database procedures.
Overall, the architecture provides significant performance gains for data-intensive applications, says Qian Li, architect and co-founder at DBOS.
"We did very extensive benchmarking between the current stack — the serverless stack — and the DBOS way, and we found that we are 100 times faster and more scalable," she says. "We co-locate your application with the database, which reduces unnecessary round trips [when an application has to call for more data] and also makes it very scalable ... we can easily scale an application to many, many servers."
The cybersecurity of a serverless platform is often difficult to assess because customers often lack visibility into the underlying stack. If a technology, such as DBOS, can change that, it could attract compliance-driven applications, says Aradhna Chetal, senior director executive for cloud security at financial services organization TIAA.
"In a shared responsibility model, with application security ... being the tenant's responsibility, it’s a bit challenging to demonstrate the end-to-end security of the implemented application — especially for a regulated environment," Chetal says. "Auditability can be challenging to demonstrate without end-to-end controls. Simplicity is always a friend of security, and ease of use always provides for better user experience, in general."
Betting on the Secure Future of Serverless
Those advantages may not be apparent to end users. Serverless functions hide the back-end infrastructure — such as containers, virtual machines, OSes, and application stacks — from the developers who use the services as part of their applications.
To sell customers on the advantages of using DBOS, serverless features based on the OS need to provide a tangible benefit to the end user, says David Linthicum, an independent cloud analyst and consultant, who estimates that only 5% to 10% of the codebase for the average cloud applications has been replaced with serverless functions.
While serverless functions may add performance, memory, and security benefits, those improvements typically reward the provider, not the end user, who may not see any changes, he says.
"A lot of these features are baked into the cake," Linthicum notes.
In addition, while startup DBOS has published a software development kit, the DBOS operating system is closed source, which could limit adoption and make gaining adherents more challenging, especially when open source Linux works well enough.
Yet security could be a differentiator, says DBOS' Coden. In some simulations using previous attack data, DBOS queries could detect an attack in seconds, compared to hours for the original attack, he says.
"There's so many fewer moving parts, and there's so many fewer places for attacks, as the attack surface is really minimal," he says. "The name of the game is, 'How do I keep my business running and prevent damages?' And if it's by the ability to rapidly respond, recover, and restore, that's equally as good as prevention."
About the Author
You May Also Like
Cybersecurity Day: How to Automate Security Analytics with AI and ML
Dec 17, 2024The Dirt on ROT Data
Dec 18, 2024