Do you believe in the Myths Around Serverless Applications and Security!

Before we move ahead let me break the biggest myth of present times – Serverless Applications is servers on cloud and are to be managed by the cloud server providers. The term “Serverless” Applications gives an idea that administration of servers, which is one of the biggest headaches for IT teams, is not required. At the same time, it gives the power to write code without worrying about ongoing server administration. Serverless Applications on are on Cloud, so ideally, they must be viewed as an extension of enterprise infrastructure. The concerns related to Identity Management on Serverless Application, Access Management on Serverless App and overall IAM capabilities surrounding serverless app needs to be looked at carefully.

As per Forbes, typical servers in business and enterprise data centres deliver between 5% and 15% of their maximum computing output on average, over the course of the year. Traditionally, the web applications are controlled by server being used and maintenance & provisioning of access on these servers has be monitored responsibly and effectively.

As cloud offers a wider room for scaling, Serverless Application are an extension of the benefits cloud has to offer. Serverless is just a pun, in the backend the cloud vendor offers management of the server. Security cannot be factored out and must be looked at from the very start.

The management of servers is hard work and often leaves IT teams in dependencies such as:

  • Getting constantly billed by the provider even when servers are not in use
  • Closely monitoring and managing server uptime and maintenance cost
  • Constantly apply security updates and patches on server
  • Scaling up and down servers depending on application usage of resources

The problem here is that it does add up to be a feasible option for developers and/or smaller companies. The structure does not encourage businesses or individuals on budget to procure greater volumes of IT infrastructure. Also slows down developer as dependencies on infrastructure team for server management is high.

How this works in case of Serverless Applications, a code is to be provided to the service provider such as AWS, Azure, IBM or Google Cloud. The code is run at the provider’s end and allocate necessary resources to be managed dynamically based on usage. The instance of code in the cloud will scale depending on the numbers of users. For Serverless Application the cloud server provider takes the responsibility of updating and securing the server.

From a process standpoint, every request is treated as an event and the code is a function that will respond to events. The process flow operates by taking a request as an input and send as an object with the relevant info and further asks for further requests. So basically, functions are written that intended to respond to requests. User will be concerned with the code only and not with the servers and their management.

It is also to be viewed from a business generation point of view by service vendors who try their best to make their clients feel as they are the only people using their systems. They use a Multitenancy system – where multiple instances of software for many different customers run on the same machine. But this can lead to problems with security (one customer being able to see another’s data), robustness (an error in one customer’s software causing a failure in a different customer’s software) and performance (a high load customer causing another to slow down.)

So far Serverless is just a fancy cloud structure wrapped in multitenant setup selling like a hot cake. Going ahead as Serverless Applications make inroads in corporate IT setups, there will be greater challenges. It is recommended to start with a tactical approach and manage the apps and take out the myths.

Do you want to assess IT security related vulnerabilities related to various applications within your organization? Reach our experts.

rss
/ IT Security

About the Author

Rajesh Mittal

With over 20 years of experience in Application Security, Identity Management and IT infrastructure related projects, Rajesh has a developed a solid understanding of all aspects of IT security field and has assisted clients, of all sizes, in almost all segments of their Identity and Access Management journey. His core competency and passion lies in integrating heterogeneous products, fostering innovation to develop new Solutions and solving customer problems quickly and effectively. He is VP of Technology and Co-Founder of Avancer Corporation and leads Technical Strategic Planning, New Business Development, Marketing and Business Expansion. Prior to starting Avancer Corporation, Rajesh’s entrepreneurial venture, he has worked with PWC Consulting/Entology/HSBC/ LG Electronics in various capacities developing IT security solutions spanning multiple geographies. Rajesh holds a BE in Electronics Engineering from University of Pune, and MBA in Finance and Leadership from Stern School of Business, New York University.

Comments

No comment yet.

Leave a Reply

Your email address will not be published. Required fields are marked *

CAPTCHA Image
Reload Image