Defining Container Isolation for the Multi-Tenant Cloud Era

Why The Current Isolation Definition Falls Short

Traditional container technologies provide what we call "weak isolation" - controls implemented within a shared kernel. Despite layers of protection through namespaces, cgroups, and security policies, these approaches remain vulnerable to kernel exploits. Between 2022 and 2024 alone, seven significant container escape vulnerabilities were discovered, each exploiting the fundamental issue of shared kernel state.

For many applications, especially single-tenant or non-public-facing workloads, weak isolation combined with other security practices may suffice. But for organizations handling sensitive data or offering multi-tenant services - the landscape has changed. A higher standard is needed.

Introducing Strong Isolation

We propose defining strong isolation as: workloads with no shared kernel state. Strongly isolated workloads have no shared address space, preventing data access between workloads even in the event of kernel vulnerabilities.

This definition establishes a clear and meaningful boundary: to compromise strongly isolated workloads, attackers would need both a kernel exploit and a hypervisor exploit - a dramatically higher security bar.

Balancing Security with Practicality

While several technologies can provide strong isolation (including various hypervisor approaches and confidential computing), many come with significant trade-offs in performance, hardware requirements, or compatibility with existing workflows.
At Edera, we believe strong isolation must be practical to implement. That's why we've developed Edera Protect - a solution that provides strong isolation without specialized hardware requirements, while maintaining performance comparable to bare metal and compatibility with Kubernetes.

Join Our Industry Initiative

Yes, we know your eyes rolled when you read the section title join our industry initiative, and yes, we know there are plenty of joint initiatives out there which is partially why our ecosystem is as chaotic and dysfunctional as it is… but hear us out. Ours is the real deal.. just trust us.

We're launching an industry-wide initiative to establish strong isolation as a standard for cloud-native applications, and we invite organizations across the ecosystem to join us. Together, we can:

• Refine and formalize the definition of strong isolation
• Establish benchmarks for evaluating isolation technologies
• Create best practices for implementing strong isolation in different environments
• Develop guidance on when different isolation approaches are appropriate

We are currently seeking collaborators for a whitepaper that will provide deeper analysis of isolation techniques, performance impacts, hardware requirements, and compatibility considerations across the isolation spectrum.

As cloud adoption expands and multi-tenancy becomes standard practice, the need for workload isolation that can truly withstand sophisticated attacks grows more pressing. Organizations shouldn't have to choose between security, performance, and compatibility.

If your organization is interested in contributing to this important industry initiative, or if you'd like early access to our complete isolation whitepaper, please reach out to us at research@edera.dev. Together, we can build a more secure foundation for the next generation of cloud applications.