By Hillel Solow, Serverless Security R&D, published February 10 2020
I spend most of my day talking about serverless security: how it differs from what came before, what to worry about, and what not to. Even so, I often find it hard to discuss the challenges of serverless clearly, because people use the word in different ways.
Why? “Serverless,” like many new market terms, means different things to different people, and that is because it is not one thing. It is three different revolutions, each with its own core value:
- Serverless Infrastructure
- Serverless Architecture
- Serverless Operations
Serverless is a big part of the shift to true cloud-native modern applications, and it is important that we recognize the key role these different core values play in the evolution. Once we understand the nuanced meaning of each piece, discussions about security, operations, and monitoring in the cloud-native world start to make much more sense.
What Are Serverless Functions and Serverless Infrastructure?
Serverless Infrastructure is the revolution in the way we consume and pay for cloud resources: what, exactly, are you renting from your cloud provider? This is the revolution of “scales to zero,” “don’t pay for idle,” and “true auto-scaling.” It proposes that we stop leasing machines and start paying for the resources we actually consume.
For example, AWS classifies S3 as serverless. Consumers do not have to think about how many readers and writers might come along in the future, or how much data might end up stored there. They simply create an S3 bucket, and AWS scales the underlying resources as needed. And of course, customers are billed only for what they actually consume.
Serverless architecture is the revolution in how software is designed to enable horizontal scaling. Most serverless platforms require code to be stateless and ephemeral: an execution environment may be created, reused for many invocations, or torn down at any time, so nothing a function keeps in memory can be relied on from one invocation to the next. To accommodate this, serverless architectures follow a few key design principles:
- Serverless storage is file or data storage that scales on its own to meet application needs.
- All application state is moved into a (typically) small number of serverless stores and/or databases.
- Compute is event-driven, whether by external events such as user input or API calls, or by internal events such as timers or storage triggers.
- Compute is organized as small stateless microservices, each typically responsible for a single part of the application logic.
So what are serverless functions? Serverless architectures have a large number of stateless functions, connected to a small number of serverless databases, queues, and storage.
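The statelessness requirement is easy to get wrong in practice, so here is an added example of what it means for a function handler. This is code written for this edit, not code from the original post and not any cloud provider's API: the key-value store standing in for a serverless database, the event shape, the user records, and the simulated warm execution environment are all assumptions. The first handler keeps the caller in a module-level variable, which survives between invocations when the platform reuses an execution environment; the second derives everything from the current event and hands durable state to the external store.

```python
"""Added example (not from the original post): why serverless handlers must not
keep request state in process memory.

Serverless platforms reuse a warm execution environment for many invocations,
so anything left in a module-level variable by one request is visible to the
next. The store, the event shape and the user records below are constructed
for this example; on AWS the store would be something like DynamoDB or S3.
"""
from typing import Any, Dict, List


class KeyValueStore:
    """Stand-in for an external serverless datastore (assumption for this example)."""

    def __init__(self) -> None:
        self._items: Dict[str, Dict[str, Any]] = {}

    def put(self, key: str, item: Dict[str, Any]) -> None:
        self._items[key] = dict(item)

    def get(self, key: str) -> Dict[str, Any]:
        return dict(self._items.get(key, {}))


# --- Wrong pattern: request state kept in the warm container ----------------
_current_user: Dict[str, Any] = {}   # module-level: survives between invocations


def stateful_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Resolves the caller only when the event carries a token; otherwise it
    silently reuses whatever the previous invocation left behind."""
    global _current_user
    if "auth_token" in event:
        _current_user = {"user": event["auth_token"].split(":")[0]}
    # Without a token in this event, _current_user is the *previous* caller.
    return {"acting_as": _current_user.get("user"), "action": event["action"]}


# --- Correct pattern: every invocation starts from the event and the store ---
def stateless_handler(event: Dict[str, Any], store: KeyValueStore,
                      context: Any = None) -> Dict[str, Any]:
    """Derives the caller from this event only; persistent state lives in the store."""
    token = event.get("auth_token")
    if not token:
        return {"status": 401, "error": "missing credentials"}
    user = token.split(":")[0]
    record = store.get(user)
    record["actions"] = record.get("actions", []) + [event["action"]]
    store.put(user, record)            # durable state goes out, not into memory
    return {"status": 200, "acting_as": user, "history": record["actions"]}


def simulate_warm_container(handler, events: List[Dict[str, Any]], **kwargs) -> List[Dict[str, Any]]:
    """Runs several events through one handler in one process, as a reused
    execution environment would."""
    return [handler(e, **kwargs) for e in events]


# Constructed events: the second one arrives with no credentials at all.
EVENTS = [
    {"auth_token": "alice:abc123", "action": "read-report"},
    {"action": "delete-report"},
]

if __name__ == "__main__":
    print(simulate_warm_container(stateful_handler, EVENTS))
    print(simulate_warm_container(stateless_handler, EVENTS, store=KeyValueStore()))
```

Run as a script, the first line shows the unauthenticated second event being executed as "alice", because the warm container still holds her identity from the previous invocation; the second line shows the stateless handler rejecting it with a 401 while the authenticated call's history has gone to the store.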
What Are Serverless Operations?
Serverless operations is the revolution in how cloud native applications are orchestrated, deployed, and monitored.
On the deployment side, each microservice function is typically owned and operated by a single dev or DevOps team and has its own life cycle. This supports high-velocity deployment of features and fixes, since there is no container or VM to package, test, deploy, and scale. Developers write some code, run a few simple commands to deploy it to a CI/CD environment for testing, and once the tests pass, the code can be rolled into production immediately. In many organizations this is fully automated: if it passes staging, it goes straight to production.
On the operations side, there is less to operate. Since you do not have to think much about scaling, and there is no notion of “is my server up?”, you are mostly limited to keeping track of error rates on your resources and making sure nothing strange pops up. This is mostly a blessing, and some people claim that the real savings in the move to serverless came less from “pay only for what you use” than from the ability to shrink the operations part of the team significantly, freeing people up for more valuable work. One caveat: less to operate does not mean less to secure. Each function still has its own permissions, dependencies, and inputs, and those still need attention.
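With no host to ping, "keeping track of error rates" comes down to reading the per-invocation records each function emits. The following is an added example written for this edit, not code from the original post or from any monitoring product: it parses a constructed batch of invocation records (JSON lines, loosely shaped like the per-invocation report data a function platform produces), computes an error rate per function, and flags both elevated error rates and a function that was invoked but is not in the team's deployment inventory. The field names, thresholds, and inventory are assumptions.

```python
"""Added example (not from the original post): tracking error rates and
spotting "something strange" from serverless invocation records.

The records below are constructed JSON lines; the field names, thresholds and
the deployment inventory are assumptions made for this example.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed invocation records, one JSON object per line. The last line is
# deliberately malformed to show that the parser skips it rather than failing.
SAMPLE_LOG = """
{"function": "thumbnailer", "request_id": "r1", "outcome": "ok", "duration_ms": 120}
{"function": "thumbnailer", "request_id": "r2", "outcome": "ok", "duration_ms": 130}
{"function": "thumbnailer", "request_id": "r3", "outcome": "error", "duration_ms": 15}
{"function": "thumbnailer", "request_id": "r4", "outcome": "ok", "duration_ms": 125}
{"function": "billing-export", "request_id": "r5", "outcome": "timeout", "duration_ms": 3000}
{"function": "billing-export", "request_id": "r6", "outcome": "timeout", "duration_ms": 3000}
{"function": "billing-export", "request_id": "r7", "outcome": "error", "duration_ms": 20}
{"function": "billing-export", "request_id": "r8", "outcome": "ok", "duration_ms": 900}
{"function": "mystery-fn", "request_id": "r9", "outcome": "ok", "duration_ms": 10}
this line is not JSON and should be skipped
"""

# Functions the team knows it deployed (assumption: this list lives in source control).
KNOWN_FUNCTIONS = {"thumbnailer", "billing-export"}

ERROR_RATE_THRESHOLD = 0.25   # alert when more than a quarter of invocations fail...
MIN_INVOCATIONS = 4           # ...but only once there is enough data to judge


def parse_records(lines: Iterable[str]) -> List[dict]:
    """Parses JSON invocation records, skipping blank, malformed or incomplete lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "function" in rec and "outcome" in rec:
            records.append(rec)
    return records


def invocation_counts(records: List[dict]) -> Dict[str, int]:
    """Number of invocations seen per function."""
    counts: Dict[str, int] = defaultdict(int)
    for rec in records:
        counts[rec["function"]] += 1
    return dict(counts)


def error_rates(records: List[dict]) -> Dict[str, float]:
    """Fraction of invocations per function whose outcome was anything but 'ok'."""
    failures: Dict[str, int] = defaultdict(int)
    for rec in records:
        if rec["outcome"] != "ok":
            failures[rec["function"]] += 1
    return {fn: failures[fn] / n for fn, n in invocation_counts(records).items()}


def findings(records: List[dict]) -> List[str]:
    """Human-readable alerts: elevated error rates, then functions outside the inventory."""
    alerts = []
    counts = invocation_counts(records)
    for fn, rate in sorted(error_rates(records).items()):
        if counts[fn] >= MIN_INVOCATIONS and rate > ERROR_RATE_THRESHOLD:
            alerts.append(f"{fn}: error rate {rate:.0%} over {counts[fn]} invocations")
    for fn in sorted(counts):
        if fn not in KNOWN_FUNCTIONS:
            alerts.append(f"{fn}: invoked but not in the deployment inventory")
    return alerts


if __name__ == "__main__":
    for alert in findings(parse_records(SAMPLE_LOG.splitlines())):
        print(alert)
```

On the sample batch, thumbnailer's single failure in four invocations sits exactly at the threshold and is not reported, billing-export's three failures in four are, and mystery-fn is reported because nothing in the inventory says it should exist. The minimum-invocation guard is what keeps a single failed cold start of a rarely used function from paging anyone.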
Ok, So What?
Each of these revolutions in how we build, deploy, and operate cloud-native software provides a different value. That is why some people can talk about “going serverless” in their on-prem data centers: that is serverless architecture and operations without serverless infrastructure, and it is a legitimate shift if it makes sense for the business.
It is also why others can claim they have been serverless since the invention of movable type, because they run their applications on Google App Engine. That may not be much of a serverless architecture, but it is pretty close to serverless infrastructure and operations.
Here is the thing: identify the key values your organization is trying to achieve, and make sure the technology changes you embrace will deliver them. If you have moved to Azure Functions but have not really rearchitected your software, that is fine if you came for the cost savings. If you came for application velocity, you may not get what you hoped for.
Serverless Security Resources
Here are a few links that will help you get up to speed on serverless security.