Whenever a new technology enters the market, there are often
misconceptions that exist that need debunking in order to fully understand the capabilities, and overcome the restrictions with the emerging tech. Serverless compute is one of those technologies, having entered the cloud space in the past few years and projected to have a CAGR of 26.9%.
misconceptions that exist that need debunking in order to fully understand the capabilities, and overcome the restrictions with the emerging tech. Serverless compute is one of those technologies, having entered the cloud space in the past few years and projected to have a CAGR of 26.9%.
One would say it is the fastest-growing and most revolutionary advancement in cloud computing (fact or myth, only time will tell).
Here, however, are several popular serverless compute myths that need
debunking:
debunking:
Debunk #1: Serverless is not Secure. Contrary to this myth, serverless is secure- maybe even MORE secure than other cloud hosting environments.
The shift to a cloud-native technology stack, such as the move to serverless applications, actually has the ability to accelerate implementation and improve application security. In order to accomplish this, a clear blueprint is critical in order to fully understand what it is, and what it enables, so that organizations can have confidence that they are using the right tools and processes to avoid risk.
In fact, organizations that have taken this approach when deploying sensitive serverless applications have been able to adopt the right set of security solutions to minimize risk and maximize security, and are finding these applications to be the most secure applications they are operating.
The largest player in this space is AWS Lambda and there are several AWS Lambda security best practices that are great resources.
Debunk #2: Serverless is Costly. Wrong. Cost is one of the huge benefits as to why organizations move to serverless. It allows them to leverage an extremely efficient and agile infrastructure; only paying the providers for the compute used.
Organizations of all sizes and across all industries are leveraging serverless for this reason. By not leveraging serverless architectures, organizations are missing out on a number of immeasurable advantages, cost being one. There are obvious cost reductions for most organizations in moving away from owning and operating data centers, and also paying for cloud infrastructures during downtime.
Debunk #3: It is not Compliant. Serverless architectures actually are compliant if you follow the appropriate protocols to secure serverless apps and data within that is outlined in the mandate- with some adjustments.
For example, IAM policies exist in every regulation whether it be PCI-DSS, HIPAA, FERC, FISMA, etc. Typically, these guidelines for IAM are applied at the application level to restrict and limit access to the application and data within. However, with serverless, you need to apply those policies not just to the application itself but to the functions within the application. This creates an even more restrictive security measure and enhances security posture. It is critical to understand how your mindset needs to switch and how to apply these standards to various compliance mandates, but doing so will positively impact your audit.
Debunk #4: WAF protection is enough. Contrary to this belief, it is not. For true serverless security, you actually need in essence “micro WAFs” to surround each code. After all, serverless is all about the function and the code.
Why is this? Application layer firewalls probe HTTP(s) traffic- only protecting functions triggered by API-Gateways. This means a WAF will not protect against events caused by other trigger types, such as:
- Code modifications (e.g. AWS CodeCommit)
- Cloud storage events (e.g. AWS S3, Google Cloud Storage, Azure Blob Databases changes (e.g. Azure CosmosDB, AWS DynamoDB)
- Stream data processing (e.g. AWS Kinesis)
- Notifications (e.g., Emails, SMS, IoT)
To clarify, WAFs are important, and you need to have them in place. However, you need to evaluate how you are protecting the code from these other trigger types otherwise you risk creating costly security
gaps.
gaps.
Debunk #5: Lost control. From an outsider's perspective, serverless could feel overwhelming. With all of these functions deployed, how in the world can one maintain control and have visibility?
Luckily, providers such as AWS Lambda, Google Cloud, Microsoft Azure, all have tools like AWS CloudWatch to monitor your serverless and other cloud applications. There are also fantastic third-party tools to also gain further control and more visibility into the deployment.
For instance, management tools like Stackery, serverless monitoring tools like Epsagon and Lumigo, and security automation tools like Protego. These tools, when combined with those offered by the cloud providers, are powerful and will give teams the control to know the deployment is set up right, before launch, to monitor performance and capacity, and to ensure security.
This allows developers to move quickly, and security teams to no longer feel like they have to hover.
It is time to get over the myths and get the facts when it comes to serverless. Through automation and code-centric development,
serverless architectures provide developers with speed, organizations with greater operational efficiencies and cost savings, and if done right, enhanced security and compliance since it is at the function level and more difficult for attackers.
serverless architectures provide developers with speed, organizations with greater operational efficiencies and cost savings, and if done right, enhanced security and compliance since it is at the function level and more difficult for attackers.
To overcome the challenges and embrace the potential, it is important to fully understand the facts, debunk the myths, and build a holistic approach for the next best wave in cloud computing.