Is Serverless "Cloud Native" Right For Your IT Organization Right Now?
CIO’s are being bombarded with “education” about “serverless” cloud native computing, but is it right for you right now?
The idea of serverless computing is not new, but is now gaining real buzzword steam. In our minds it seems like something currently suitable for prototyping from an enterprise perspective; particularly when staffing for infrastructure is thin. For example, the movement advocates for microservices which at least in the healthcare enterprise market, is a last resort. The main purpose of implementing microservices is to help in the refactoring of a previously monolithic app. The security profile for Microservices is also not ideal from a health system perspective.
According to Chris Aniszczyk, CTO and COO of the Cloud Native Computing Foundation (CNCF), the introduction of AWS Lambda in 2014 recently popularized the concept of serverless. AWS Lambda was followed by the announcements of IBM OpenWhisk on Bluemix, Google Cloud Functions and Microsoft Azure Cloud Functions, along with the launch of a number of other serverless frameworks such as Terraform, Fission and Fn. However, today there is a lack of standardization and interoperability between cloud providers that may lead to vendor lock-in, a key cloud buying criteria for CIO’s of enterprises. There also does not currently exist quality documentation, best practices, and more importantly, tools and utilities.
The CNCF defines serverless computing as “the concept of building and running applications that do not require server management. It describes deployment model where applications, bundled as one or more functions, are uploaded to a platform and then executed, scaled, and billed in response to the exact demand needed at the moment,” the foundation wrote in this whitepaper. The benefits include zero server ops and no compute costs when idle.
The product marketed as “serverless” does not remove the need to use servers to host and run code though. It does remove the tasks of server provisioning, maintenance, updates, scaling and capacity planning. “Instead, all of these tasks and capabilities are handled by a serverless platform and are completely abstracted away from the developers and IT/operations teams. As a result, developers focus on writing their applications’ business logic. Operations engineers are able to elevate their focus to more business-critical tasks,” the CNCF wrote.
Notes on Security, Risk, and Compliance:
The risk is still yours
You could end up sharing your workload in the same memory space and virtual environment in the same space as a commercial app. As CIO you’re still responsible for HIPAA and security. You don’t know where the cloud server infrastructure happens to be at that ephemeral moment. Do you have the level of control, understand your risks, and are able to mitigate them? Is it possible to comply with HIPAA? Even if someone signs a BAA, you still have to verify that they comply with HIPAA.
2. What about flow-down terms from insurers and the controls that they require?
How do you know what antivirus is running?
How are you doing role based access control to the server and underlying memory?
3. Try running a GDPR application
As CIO, you’re still responsible for knowing who has access to your data but in this serverless paradigm, you don’t really know who has real access.
The top use cases for serverless in our view include workloads that are asynchronous, infrequent, in sporadic demand, demonstrate unpredictable variance in scaling requirements, are stateless, ephemeral, and highly dynamic. Aniszczyk explained that serverless is not a good option for users that are looking at startup time and performance or for customers trying to avoid being locked into a specific cloud platform provider. From a CIO Perspective, "serverless" is a Good Experimental Option For Variable Workloads.
AWS Lambda was the first FaaS offering by a large public cloud vendor, followed by Google Cloud Functions, Microsoft Azure Functions, IBM/Apache’s OpenWhisk (open source) in 2016 and Oracle Cloud Fn (open source) in 2017.
Deploying serverless based “services” does NOT include managed service markups that you’d likely need to implement too — for example public cloud RDS is routinely marked up 73% to 84% on top of base hosting.
Disclaimer: Our language and framework of choice, Erlang isn’t supported in an enterprise-grade way by the Serverless paradigm. Erlang is designed for distributed and fault-tolerant systems, so it’s easier to scale than a language like Go, an example of one language that’s currently supported on a serverless paradigm.
We're motivated to leverage the ideas behind concurrency and behind the power it brings to our machines. The Erlang schedulers have been battle tested on 64 cores and more. This contributes to the development of massively distributed systems. The plumbing of connecting independent actors is already implemented and battle tested for reliability. It leverages the so-called supervision trees useful for building fault-tolerant software in those languages. Performance is based on “shared nothing” — no shared memory, no locks, no remote procedure calls, and most importantly, no shared state. Shared nothing.
Further, some language compilers also lack features needed to ensure threads can be reliably paused quickly, meaning that whether pause times are actually low or not depends heavily on what kind of code you’re running. Erlang processes don’t share memory, each one has its own heap and they can be garbage-collected independently. If you care about memory performance characteristics that much you really should be using a language that provides control over them. If you care about mobile performance, you should make memory management a killer feature which is what we aim to do at Medigram.
We hope this helps you discern where in your portfolio of applications that "serverless" as a tool could fit. One of our favorite sayings at Medigram is, let’s pick the right tools for the right jobs!
Eric Svetcov is CSO and CTO for Medigram. Eric is an Information Security and IT authority with International Experience and Deep Cloud Computing Knowledge. He is a recognized leader in the healthcare technology space for building highly resilient and performant solutions with security, privacy and compliance requirements built in at all levels of the solution. Some highlights include Eric’s leadership as a startup veteran whereas he built the security program and IT operations from scratch 4 times. He lives to deliver best in class security program and product; he is adept at building effective security solutions that allow clients to sleep well at night.
In any professional sport whether that is football, basketball, and business, Svetcov knows that offense gets you in the door, but it’s great security defense that keeps you in the game; Eric knows that it is the team that wins championships.
Eric Svetcov has repeatedly built security programs that meet certification programs the first time. He co-wrote the book on how CISOs should perform. He also lead the team that won the race for the first ISO 27001 certification for cloud companies.
Having clients using our solution to save or improve lives electrifies the Medigram team. Eric is driven to improve patient care. He does that by and is widely known for driving cutting edge solutions with embedded market winning compliance requirements into high performance cloud computing solutions that solve customer business problems. Eric shares the Medigram team’s passion for helping all stakeholders win together by bringing deep cross functional leadership to the market. This is to help make stakeholders better at their jobs – and helping them be successful in securing and delivering information quickly on mobile so that teams of doctors may save lives quickly.
Svetcov re-designed architecture and infrastructure for a real-time data analytics product delivering $18MM ARR in its first year, drove IT/Operations/Security that enabled 5x headcount growth over a 2-year period. Eric builds scalable Governance/Security programs, including ISO 27001, HITRUST, HIPAA, COBIT, and ITIL in rapid growth environments.
He was an Advisory Council member for the CISO Executive Network, led the first global Cloud Computing Company (Salesforce) through ISO 27001 Certification and did it again with Mede/Analytics where he also led HITRUST Certification with more than 700 assessed controls. Eric’s deep experience includes acting as Caldicott Guardian, Chief Privacy Officer, and Data Protection Officer.
Eric is excited about applying his experience in Architecture, Solution Design, Security, Privacy, IT, Support, & Technical Operations to build one of the most important companies of our time. At Medigram we are building a new kind of company to solve some of the hardest challenges in medicine; initially targeting to save hundreds of thousands of lives and delay disability for millions more. He is skilled at engendering confidence, trust, and performance with both internal and external teams to deliver within specified timeframes. He believes that focusing on privacy and security and leading it is not only the ethical choice, but also good for customers and business.
Eric’s confidence in building systems, stems in part by his experience teaching cloud security to security leadership in both the private and government sectors. He built the original HIPAA audit program that KPMG used for U.S. Department of Health and Human System audits. He is a member of the CISO executive network and former advisory board member of CISO executive network, where he learns from and co-mentors and collaborates with other experts including through speaking at conferences.
At Medigram, Eric Svetcov is working to build the standard that every organization can aspire to and for developing and nurturing security leaders –he’s always striving with the team on how we can impact and make a difference.
In his off hours, Eric enjoys sports with his kids and spends time on his passion for bringing up standards for cyber security nationally. He continues to spend part of his free time creating training programs and writing about cybersecurity.