Traditional cloud security forces a painful trade-off:
- Separate clusters for different workloads = Higher costs
- Shared infrastructure = Security risks
- Specialized hardware = Expensive instances
Edera Protect breaks this cycle through three technical approaches:
Microkernel Hypervisor Isolation: Our type-1 hypervisor treats each container like a virtual machine guest, providing VM-level security with container-like efficiency.
- Unique kernel for each container
- Memory-safe Rust control plane
- Zero shared kernel state
Dynamic Resource Allocation: Intelligently manage compute resources across containers, reducing the total infrastructure footprint.
- Eliminate the need for specialized hardware
- Run multiple GPU workloads on single instances
- Dynamically adjust CPU and memory allocation
Multi-Cloud Flexibility: A single security interface that works across cloud providers, giving you unprecedented cost optimization capabilities.
- Compare and switch cloud providers effortlessly
- Reduce migration expenses
- Avoid vendor lock-in
The result? You can consolidate workloads, maximize resource utilization, and enhance security—all while reducing cloud spending.
The Cloud Cost Dilemma: Why Traditional Approaches Fail
Buying and maintaining on-prem servers requires a large upfront investment, and the costs start the moment you power on the system, whether you're utilizing the resources or not. Cloud computing promised to solve this by allowing shared server usage, removing upfront costs, and enabling resource sharing.
But shared compute brings risks for multi-tenant workloads. Companies need to ensure workloads and their data remain independent—a challenge that has traditionally meant higher costs.
Today’s Isolation Approaches and Their Limitations
Isolation within the operating system (using mechanisms such as Linux containers, namespaces, and cgroups) uses protections in the kernel to separate workloads and their resources.
Isolation as a layer around the operating system (VMs or hypervisors) achieves isolation by providing a separate kernel to each workload.
As they have less overhead, techniques for isolation within the operating system have generally been more popular, and support for these techniques is built into popular technologies like Docker and Kubernetes.
However, kernel-level security threats remain a significant issue for these technologies. These threats include container escapes (when an attacker bypasses kernel isolation techniques), process injection, secrets exposed in memory, and other shared kernel vulnerabilities. Any of these can compromise the isolation between workloads. Technologies like gVisor have been introduced to improve isolation in this environment.
Another approach is to re-visit isolation as a layer around the operating system. With a hypervisor managing separate VMs for each workload, any escape performed on the workload's OS is still isolated from the host machine and other workloads. Technologies like Kata Containers and Firecracker take this approach. A third approach is to introduce new clusters for workloads that require isolation, for example having a separate cluster for each customer.
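An added example, not from the original post or Edera's code: an audit over Kubernetes pod specs that finds nodes where pods of different tenants are separated only by in-kernel isolation. It assumes one namespace per tenant and RuntimeClass names `gvisor` and `kata`; the pod list is constructed sample data.

```python
from collections import defaultdict

# Assumed RuntimeClass names; map these to the RuntimeClass objects in your cluster.
SANDBOXED = {"gvisor": "userspace kernel", "kata": "per-pod VM"}
SHARED = "shared host kernel"

def isolation_boundary(pod):
    """Classify what separates a pod from the host kernel."""
    runtime_class = pod["spec"].get("runtimeClassName")
    # Missing or unrecognized RuntimeClass: assume the default runtime, which
    # isolates with namespaces and cgroups on the host kernel (conservative).
    return SANDBOXED.get(runtime_class, SHARED)

def shared_kernel_nodes(pods):
    """Return {node: [tenants]} for nodes where pods of more than one tenant
    run directly on the same host kernel."""
    tenants = defaultdict(set)
    for pod in pods:
        if isolation_boundary(pod) == SHARED:
            tenants[pod["spec"]["nodeName"]].add(pod["metadata"]["namespace"])
    return {node: sorted(ns) for node, ns in tenants.items() if len(ns) > 1}

def make_pod(name, namespace, node, runtime_class=None):
    """Build a minimal pod record with the fields the audit reads."""
    spec = {"nodeName": node}
    if runtime_class:
        spec["runtimeClassName"] = runtime_class
    return {"metadata": {"name": name, "namespace": namespace}, "spec": spec}

# Constructed sample data, shaped like items from `kubectl get pods -A -o json`.
SAMPLE_PODS = [
    make_pod("api", "tenant-a", "node-1"),
    make_pod("worker", "tenant-b", "node-1"),
    make_pod("batch", "tenant-c", "node-1", "kata"),
    make_pod("web", "tenant-a", "node-2"),
    make_pod("db", "tenant-a", "node-2"),
    make_pod("job", "tenant-b", "node-2", "gvisor"),
]

if __name__ == "__main__":
    for node, namespaces in shared_kernel_nodes(SAMPLE_PODS).items():
        print(f"{node}: tenants sharing the host kernel: {', '.join(namespaces)}")
```

On the sample data only `node-1` is reported: `node-2` hosts two tenants, but the second tenant's pod runs under a sandboxed runtime.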
Each of these approaches to improving isolation comes with increased cloud costs.
The True Cost of Cloud Computing
So how can we achieve strong isolation without these increased costs? You could switch back to running services on-prem, but then you miss out on all the benefits of cloud computing: eliminating up-front server costs, simplifying updates, autoscaling, and more.
Instead, let's break down the costs of cloud computing, and show how Edera can add isolation to workloads in a way that reduces your spending on cloud computing.
There are a lot of factors in the cost of cloud computing, so we'll focus on those that are impacted by isolation technologies. This leaves out some costs such as data transfer and retrieval fees, data egress, and region. The factors we consider are:
- Compute
- Storage
- Instance type
- Maintenance/support
- Cloud migration
- Bandwidth
Putting these together, the cloud computing costs can be represented as:
Total Cost = (Overhead costs × # of users + Instance cost × # of instances +
Network costs × volume + Storage costs × size × # of users) × time
The details of this equation will vary by cloud provider, and the variables will likely differ between services. This also leaves out discounted pricing, such as committed use discounts or volume discounts. However, the model above gives a simplified sense of what contributes to the cost of cloud computing.
6 Ways Edera Protect Reduces Cloud Costs
1. Efficient Resource Usage
Edera Protect's microkernel, Xen-based hypervisor keeps overhead low and performance high, which translates to fewer resources needed on each instance and more operations possible in the same time frame. Using less infrastructure also means reducing tech debt and maintenance time (lowering maintenance costs as well). For some workloads, scheduling under Edera Protect can even be more efficient than under Docker.



2. Use Fewer GPU Instances
Edera Protect can be used to isolate GPUs, so multiple GPU applications can safely be run on the same GPU instance. GPU instances are expensive, and running multiple applications on the same instance reduces the number of GPU instances needed. With Edera Protect, this GPU sharing can be achieved while maintaining isolation.
3. No Specialized Instance Types
Edera Protect does not require specialized instance types, as it can run on either bare metal or virtualized instances. This can vastly reduce the cost per instance compared with solutions that require bare metal. Bare metal instances are also not always available, so removing this requirement adds flexibility in which clouds, services, and instances you use.
4. Use Fewer Compute Resources
Edera Protect's strong isolation between containers allows you to use fewer clusters, thus paying for fewer instances. Instead of needing a new cluster to isolate workloads, Edera Protect can provide isolation within one cluster.
5. Multi-cloud Support
Edera Protect provides a single interface for container security across multiple cloud providers and reduces the cost of migration across clouds, giving you back control of your cloud spend by letting you compare costs across clouds.
6. Improved Resource Allocation
Edera Protect gives containers resource controls that improve on cgroups, dynamically increasing or decreasing CPU and memory based on workload resource utilization. You can have the same resource orchestration over your containerized workloads as your cloud providers and squeeze more out of your compute resources.
Wrapping up
Edera Protect doesn't just promise security—it delivers a fundamentally more efficient approach to cloud computing. By reimagining container isolation, we help you:
- Reduce the number of cloud instances
- Increase computational density
- Use more cost-effective commodity instances
- Maintain strict workload isolation
Want to learn more about how Edera can help you increase security and save on cloud costs? We are currently seeking design partners to trial Edera Protect and work with us to calculate total cost savings. Our team will analyze your current infrastructure and provide a detailed report of how Edera Protect can enhance your security while reducing costs.