In the technological world, change occurs rapidly – including in the realm of cloud computing. Public, private and hybrid clouds let you set up virtual servers quickly, and scalability is never an issue because you get what you want on demand. However, you still need to maintain the software stack on the virtual servers – which is a complex, time-intensive and expensive process. That is where serverless computing comes into the picture.
Serverless computing is a cloud computing method of providing backend services on an as-used basis. In serverless computing, a serverless provider allows you to write and deploy code so that you don’t have to worry about the underlying infrastructure. When you take backend services from a serverless provider, you are charged based on your computation. You don’t have to pay for the number of servers or a fixed amount of bandwidth because the service is auto-scaling. Though it is called serverless computing, physical servers are still used, but scaling, capacity planning and maintenance operations may be hidden from the developer or operator.
Earlier, if you wanted to build a web application, you had to buy the physical hardware to run a server, but this was a cumbersome and expensive process.
Next came the cloud, where you could rent a fixed number of servers and server space to run all the applications. But in this case, companies had to over-purchase the resources to avoid exhausting their monthly limits – which resulted in the waste of some paid server space. However, serverless computing addresses all these issues.
Who needs serverless computing?
Serverless computing relies on functions – more specifically, functions-as-a-service – which allows developers to break down their application into small, stateless chunks where you don’t have to worry about the underlying server.
As to who uses these services, this is what Amazon CTO Werner Vogels had to say about the trajectory of serverless computing with regards to enterprises. “We normally expect younger, tech-oriented businesses as the first ones to try this out, but what we are actually seeing is large enterprises are the ones that are really embracing serverless technology,” he said. “The whole notion of only having to build business logic and not think about anything else really drives the evolution of serverless.”
The guitar manufacturer Fender, for example, has opted for serverless computing on AWS because it wants to free up its developers to focus on its digital products instead of spending time and resources on infrastructure issues.
According to Vogels, traditional organizations like Fender are opting for serverless computing because it offers several advantages – you don’t have to provision anything, the service scales automatically, the service is available and secure, and you only pay for what you use.
Holly Mesrobian, director of engineering for AWS Lambda, explains it further. “Today we talk a lot about scalability, reliability, performance, security, and cost. As we build out AWS Lambda, we optimize for all of that in a serverless way.”
As with other technologies, serverless computing has benefits and disadvantages.
Serverless computing offers the next generation of tools and infrastructure support, which allows organizations to do more with less operational staff and without the worry of maintaining the resources.
The biggest disadvantage is that it increases your dependency on the vendor, and your internal teams further lose control. As an organization, you have to depend more on the vendor for administrative functions, security, etc. The supporting services are also a cause of concern for some IT professionals.
But the silver lining is that the services are set to improve by the day, making it easier for the enterprises to move to the cloud.
In serverless computing – more specifically, function-as-a-service (FaaS) – the basic security cover is provided by the provider’s security infrastructure. The service provider is expected to secure the physical infrastructure components – such as the data center, network servers and operating systems. Because the provider maintains these components, the chances of a successful exploit are reduced; unpatched servers are known to be more vulnerable.
But there are some security challenges for the serverless app developer. It is still the responsibility of the developer to securely execute their code – which includes application logic, code and data. The developers need to understand that serverless computing brings with it some unique security vulnerabilities.
Because serverless applications are modular in nature, they offer an increased attack surface due to their interconnectedness. Since the data is drawn from multiple sources like cloud storage, IoT devices, various APIs, and message queues, it is difficult for traditional firewalls to inspect. Also, because the data moves around more in serverless computing, it is more exposed to potential interception.
Another problem is that full security testing of serverless applications is difficult before their release into a real-world environment because they operate in a complex web of connections.
To offset the trust clause, it is essential for businesses to encrypt sensitive items such as API and encryption keys, configurations and database access credentials. Never store any sensitive data in plain text. Data encryption is by far the most trusted way to protect your company’s secrets.
Be sure to enact the principle of least privilege (POLP) – an important computer security practice that limits access rights for users to the bare minimum permissions they need to perform their work. Under POLP, users are only granted access to the files or resources they need to do their jobs: in other words, the least amount of privilege necessary.
Also, adequate logging to support debugging is essential because visibility into individual functions can be limited. Detailed logging also helps prevent breaches because it enhances visibility into the actions of the intruders.
It is also important to check the dependencies of external libraries and web resources for vulnerabilities. Input validation is also crucial.
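Since event data reaches a function from queues and APIs that a firewall does not inspect, the function itself has to validate it and record what it rejected. This added example (not from the original article) shows a handler for a queue batch that does both; the order fields, limits and function names are hypothetical, and the event follows the SQS record shape.

```python
import json
import logging
import re

log = logging.getLogger("orders")
ORDER_ID = re.compile(r"[A-Z0-9]{8}")  # hypothetical order-id format
MAX_QTY = 100                          # hypothetical business limit

def validate_order(body):
    """Parse and validate one untrusted message body; return (order, error)."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None, "not_json"
    if not isinstance(data, dict):
        return None, "not_object"
    if set(data) != {"order_id", "quantity"}:
        return None, "unexpected_fields"
    oid, qty = data["order_id"], data["quantity"]
    if not isinstance(oid, str) or not ORDER_ID.fullmatch(oid):
        return None, "bad_order_id"
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        return None, "bad_quantity"
    return {"order_id": oid, "quantity": qty}, None

def handler(event, context=None):
    """Entry point in the (event, context) shape used for Python functions."""
    accepted, rejected = [], []
    for record in event.get("Records", []):
        msg_id = record.get("messageId", "unknown")
        order, error = validate_order(record.get("body"))
        # Log source, id and reason, never the raw body: it is untrusted
        # and may contain secrets or personal data.
        log.info(json.dumps({"source": record.get("eventSource", "unknown"),
                             "message_id": msg_id, "reason": error or "accepted"}))
        (rejected if error else accepted).append(msg_id)
    return {"accepted": accepted, "rejected": rejected}

# Constructed sample event in the shape of a queue batch (not real traffic).
SAMPLE_EVENT = {"Records": [
    {"messageId": "m1", "eventSource": "aws:sqs", "body": '{"order_id": "AB12CD34", "quantity": 2}'},
    {"messageId": "m2", "eventSource": "aws:sqs", "body": '{"order_id": "ab12", "quantity": 2}'},
    {"messageId": "m3", "eventSource": "aws:sqs", "body": '{"order_id": "AB12CD34", "quantity": 2, "admin": true}'},
    {"messageId": "m4", "eventSource": "aws:sqs", "body": "not json"},
]}
```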
On the flip side, because serverless functions scale up and down quickly, they are less vulnerable to distributed denial of service (DDoS) attacks.
Although a fairly new technology, serverless computing offers great benefits to businesses. Keeping potential security issues front-of-mind will help your company avoid loss of valuable data, customers and your good reputation.