Serverless computing is currently the hot topic in cloud technology but, as we’ve seen in the past, hype can sometimes lead to inflated expectations. While serverless computing offers many real-world benefits, it is not the panacea solution to all of the challenges IT teams face.
Serverless hype is reaching a fever pitch just as many IT and security organizations begin to get their heads around containers, which depending on the use case, often provide a solid middle ground between ephemeral infrastructure and security visibility. While organizations are evaluating serverless in their environment, it’s important to take a critical look at the real-world use cases to determine where serverless offers the most ROI and where containers are still the better option despite all the serverless hype.
Managing the Unpredictable
The bread and butter for serverless computing is its ability to minimize the disruption and costs of unpredictable, ephemeral or highly dynamic cloud workloads. For example, functions that don’t regularly require a lot of compute power but can sporadically spike to large volumes are well-suited to serverless because it does not require pre-planned capacity. In an ideal scenario, IT organizations can quickly spin up a serverless function using AWS Lambda, Azure Functions or similar serverless service to handle the spike in compute requirements without jeopardizing the availability and integrity of other workloads.
For these dynamic and unpredictable functions, it’s critical that security teams have a way to analyze activity and behavior at the application layer. Visibility into the application layer helps minimize the disruption to security observability and covers the customer’s side of the shared responsibility model as applied to serverless functions.
Less Infrastructure for Small Teams
As organizations are evolving and adopting more ephemeral infrastructure, there is a critical lack of skilled talent with experience in managing complex cloud infrastructure at scale. Serverless can offer an appealing alternative for small or inexperienced teams looking for a way to essentially outsource the management of their entire cloud infrastructure to the cloud service provider.
Minimizing the Attack Surface
Similar to the zero-trust philosophy of providing users with the least amount of access they need to do their jobs, serverless provides a security advantage by limiting the number of services that are running at any given time. For batch jobs that run on a regular schedule but only for a short period of time—nightly, for example—serverless can spin up the functions to run that report for a few minutes and then automatically shut the functions down, minimizing the potential for attackers to exploit the services running.
Visibility and Control – or Lack Thereof
On the flip side, for longer-running or critical compute needs, serverless can create visibility and control challenges. Serverless is designed to shift all of the infrastructure management responsibilities to a cloud provider, leaving organizations responsible only for the functions themselves. While this can simplify operations, it also means security teams lose visibility into the host infrastructure and all of the associated telemetry that can be used to track, analyze and mitigate security incidents. With so few tools available for securing serverless functions, organizations are essentially forced to rely entirely on their cloud provider, which isn’t desirable for many workloads.
While giving up control of their entire cloud infrastructure may sound like a win-win to startups that were born in the cloud, it can create serious issues for companies in heavily regulated industries such as health care or financial services. The more responsibility and control given to the cloud provider, the more difficult it is to achieve, maintain and prove compliance with PCI, HIPAA and other industry-specific compliance requirements that often include specific language regarding cloud infrastructure that requires host-level visibility.
For organizations that want to maintain visibility for their security teams or compliance requirements, containers are often the better option. Containers still offer much of the on-demand nature of serverless functions while allowing organizations to maintain oversight, control and visibility of their cloud environment. For most use cases, containers still enable businesses to run what they want, where they want, while maintaining visibility.
Another stumbling block that turns up in serverless environments is the question of vendor lock-in. If an organization goes serverless, it is committed to whatever cloud provider it picked. This, unfortunately, eliminates one of the main selling points of serverless: flexibility. Businesses adopt serverless to go fast and be agile, but being committed to one cloud provider can defeat the purpose.
Containers, meanwhile, can be deployed on virtually any cloud or on-premises environment. The enterprise orchestrates the Docker repository running the code, spins it up and runs it. And while it does require that the organization implement strict policies governing who and what has access to the host environment—a function that serverless farms out to the cloud provider—the organization that chooses containers maintains the control it needs from a security standpoint with the portability it wants.
Like any new technology, businesses should be strategic about how they deploy serverless. Operational benefits should not outweigh compromising security posture or losing flexibility, control and visibility. A targeted approach is likely the best strategy for serverless, while containers are a more secure technology that can help support long-term cloud infrastructure.