Protego Labs has been producing a podcast, The Serverless Show, since June 2018. Throughout the latter half of 2018, we released eight episodes and were fortunate to have a special guest join us for each. Our moderator, Hillel Solow, CTO and Co-Founder, was joined by either Tal Melamed, Head of Security Research, or Shali Mor, Vice President, R&D and Co-founder at Protego.
Among our guests were three AWS Serverless Community Heroes, founders of Serverless Meetups, and technology leaders from large enterprises, all experienced serverless practitioners. In each episode, our guest shared his experience with serverless and the ways in which his organization benefited from it. The group also discussed the latest announcements in the serverless community and finished by each selecting a favorite, recent tweet.
We took a look back at all of our 2018 episodes and discerned the following trends.
Our very first guest, Wayne Scarano, Founder, Cloud/Cybersecurity Architect, SGA Business Systems, Inc., stated, “I view serverless as ‘Cloud 2.0.’ It is the next-generational shift of responsibilities from the customer to the cloud provider. Once we have the compute replacing IaaS… it fulfills the promise of services-oriented architecture.”
No infrastructure is involved, and you get it out of the box, resulting in a significant decrease in operations overhead. This also results in cost savings, not just on compute, but from shifting operations people to development.
This tweet by Asim Aslam was discussed in our very first serverless show and it remains one of the best ways to articulate this paradigm.
Serverless is every product architecture diagram you’ve ever drawn. Cause nobody is squiggling EC2 instances on a whiteboard when talking about business logic.
Yes, I deliberately chose language that seems controversial, as if developers are simply ignoring their duties and foisting burdens onto innocent bystanders. Of course, the truth is that developers are indeed passing on things which once were their responsibility to cloud infrastructure vendors that willingly accept those burdens. And the reality is that this shift is mutually beneficial and sensible.
Shifting infrastructure management to your cloud provider enables you to focus on developing solutions to serve your organization and customers. It helps you maintain focus on your unique competitive advantage. A guest Hillel referred to as “the Mick Jagger of serverless,” Yan Cui, principal engineer at DAZN, said, “Serverless also leads to a massive change in company culture. Engineering teams shift focus from the tech to business value.”
Wayne Scarano said that organizations are “Finding serverless is filling the gaps faster and cheaper versus building infrastructure.” John Visneski, Director of Information Security & Data Protection Officer at The Pokémon Company International, explained, “The short-term strategy [at Pokémon] is to continue to use serverless in ways that augment our developers, without necessarily replacing architecture writ large.”
Yan Cui said, “With serverless, the draw for me is that all of that non-differentiated heavy lifting I can just give to Amazon, Google, or Microsoft. They can do a much better job at those low levels, and I can focus my efforts on doing the things that my customer actually wants from me. From an organization point of view, especially for startups, it means that you can get a lot more done with fewer people.”
Ben Kehoe, a cloud robotics research scientist at iRobot, stated, “We look at the total cost of ownership for the cloud. It’s not just, what is our AWS bill in a given month? We look at how many operations FTE does it require? How much maintenance is it? All of those factors to figure out the true cost rather than just looking at one number.”
It’s not that serverless “doesn’t fit”; rather, it may not be ideal to go all-in under certain conditions. Tal stated, “First, for larger organizations that could spare the money, I think it might be a little difficult to just go full serverless. But I see that on a few big enterprises and I think it’s a good approach to start small and then just go.”
Mike Atkins, a distributed systems engineer at LaunchDarkly, discussed one article about “a company that had a very good ops team already established. They had this advantage to not use serverless because they had a team that would do a great job maintaining his Elixir service… For this particular use, I think his decision makes total sense [to move away from serverless]. But at a different company that has a different spread of capabilities, the same decision might not make sense.”
Hillel added, “While serverless isn’t necessarily always cheaper, I don’t always view that as the right metric for why people should be using serverless technologies.”
Serverless enables you to quickly roll out application updates and functionality, which is clearly advantageous. But that speed creates a challenge in keeping up with securing those apps.
In easily one of the best analogies of our podcast series thus far, John Visneski said, “You’re sitting in a canoe that’s slowly filling with water because it has holes. A speed boat pulls up next to you, and you say, ‘I don’t want to get in the speedboat because it’s too fast.’ Yeah, get in the speed boat! But then you have to understand that you’ll have to concentrate on a little bit more than you used to concentrate on. The security person’s job in 2018 and beyond is keeping up with DevOps and IT to be an enabler instead of an impediment.”
Key benefits of serverless include automated, nearly infinite scaling, faster time to market, and lower costs resulting from paying only for what you use. But certain technologies may inadvertently result in developers using serverless in ways that negate the benefits. One example is bring-your-own-runtime. Forrest Brazeal, a senior cloud architect at Trek10, stated, “I only worry that it will cause people to wind up creating these bloated Lambda applications that are potentially less performant. I see this as being something that, if people aren’t careful, could really bring their cold-start times up as they drag a lot more stuff into Lambda.”
Yan Cui explained, “You have the options of running functions as a service on your own Kubernetes cluster with Kubeless and that allows an adoption path to serverless or FaaS, at least. But at the same time, you lose a lot of the benefits of serverless.”
AWS increased Lambda’s maximum timeout to 15 minutes. In talking with Alex Glikson, Cloud Guru at Carnegie Mellon University, Hillel commented, “As we start unravelling some of these constraints and dialing them back, we could slip back into some of our bad habits in terms of how we build software.”
Vendor lock-in is repeatedly mentioned in news articles as a possible risk and detriment of serverless technology. Our podcast participants discussed it and never seemed to see what the fuss is all about. Wayne Scarano and John Visneski both suggested focusing on the needs of the business as the primary concern, rather than worrying about getting locked in.
Wayne continued by asking, “On the other hand, are you really locked in? You are accessing services, some more custom than others, but you own your functions and you own your data. The functions will be easier to take out, and we can give a hello to Serverless.com and those types of companies that enable you to write once and run it on many clouds.”
As a new type of architecture, serverless presents new security challenges. Developers should be aware of these changes and take appropriate actions to mitigate risk… but, for the most part, they don’t. There’s also some confusion about where the responsibility for serverless application security lies between developers and security pros. As Chris Ensey, COO of Riot Blockchain, stated, “You can never be in a position where developers will exclusively own security. To task them to maintain security ongoing is going to be a complete fail.”
As Tal Melamed stated, “With every new technology we forgot everything we learned, and there is a new learning curve. Like every other technology, security starts in a delay; too big of a delay.”
Here at Protego Labs, we’re happy to share our serverless security insights in a variety of formats, from webinars to eBooks and these podcasts. Check out our resources page and sign up for updates via email, sent about once per week.