Real words or buzzwords?: Serverless Computing - Part 1

Jan. 3, 2018
Though often panned, the term is needed to change industry thinking about software design and development

Editor's note: This is the 19th article in the “Real Words or Buzzwords?” series from SecurityInfoWatch.com contributor Ray Bernard about how real words can become empty words and stifle technology progress.

I like the following description of cloud computing by Kunjan Dalal, founder and CEO of AuroSys Solutions LLC, because it’s simple and it reflects the current state that cloud computing has advanced to:

“Cloud computing is an internet-based technology model that allows users to instantly access, manage and deploy large shared, virtual computing resources.”

For most of us who have worked hands-on with server and workstation deployments for decades, it’s hard to envision computing without servers. After all, the simplest definition of computing is “the use or operation of computers.” Thus, of course, serverless computing does involve computing hardware. This is why, in recent months, I’ve had many people from the security industry decry the term “serverless computing” when I have broached the subject. “That’s a stupid thing to say. It’s just a IT marketing trick; there is really no such thing as serverless computing.” One person cleverly remarked, “Whoever thought that term up had their head in the clouds!” That’s exactly right—literally speaking—and it’s where we need to be on this subject.

Why Serverless? 

We need the term “serverless” in order to get our wits around the current state of cloud computing, which offers application execution capabilities that are a very close match for the nature of security monitoring and response—whether logical or physical. It is what security industry products need to keep up with the world they are intended to monitor and protect.

Kamal explains, “Serverless Computing is uniquely suited to event-driven functions. For example, a remote device which monitors a patient’s heart rate can be triggered in the case of an event to provide emergency notification response to hospital systems.” The same thing applies to monitored activity and alarm response.

The reason we need the term “serverless” is that we must radically change our thinking about software design and development in order to take advantage of the current state of cloud computing—which has evolved from Infrastructure as a Service (IAAS) to Platform as a Service (PAAS) and now to Functions as a Service (FAAS) – which is serverless computing.

This diagram provided by AuroSys puts it all in perspective.

In a traditional data center, an entire application (or several) would always be held in memory and “running,” mostly with small parts of the application being used at any one time. Gigaflops of CPU chips, gigabytes of memory and terabytes of disk storage would be energized all the time, even though only small parts of those resources would be utilized. Cloud computing introduced “resource pools,” using virtualization of server hardware. That was easier to picture because it was simply software imitating the server architecture we had always known.

Significant Mind-Shifts

Serverless computing requires two significant mind-shifts, first to the use of “cloud containers,” and then to the step beyond that, which is serverless computing. For decades we have been performing software development in the server context, whether on server hardware or in a virtual machine server. In a cloud data center, that looked like this:

Multiple Applications on
Multiple Operating Systems on
Multiple Virtual Servers on
Server Hardware

Under that server-based architecture, cloud application providers must still manage the virtual server or virtual server cluster on which their applications are running. Then, in 2014,  along came “application containers,” called containerization, which provided another layer of virtualization. An application container holds only those software code libraries required to run the application being placed in it, as opposed to holding an entire operating system. That stacks up as shown below and in this diagram.

Multiple Applications in
Multiple Application Containers on a
Single Container Engine on a
Single Operating System on
Server Hardware

Be sure to look at the diagram because the text description does not convey an important fact: when you can eliminate the unneeded duplications from multiple operating systems and duplicated code libraries, those reclaimed resources can be put to use for more applications, or used to reduce cloud costs.

Serverless computing takes that kind of virtualization one step further, by allowing you to scale the individual functions of your application to match users’ momentary needs. This is possible because:

  • While a virtual machine takes minutes to boot up, a single application function can be activated in hundredths of a second.
  • Similarly, while it takes a minute or so for a virtual machine to power down, a single function can be deactivated in hundredths of a second.
  • Billing for compute resources can be done in hundredths-of-a-second increments, to very closely match the scaling capabilities of serverless computing.

Developers package up application functions, with just the code libraries that they need to run—which is a very different approach to software development than industries are used to. Additional software code is needed to manage the micro-scaling aspect, but the payoff comes in how quickly and affordably a cloud-based application can now scale up and down to meet very high levels of demand.

This article is not a tutorial about serverless computing—I didn’t even include a diagram for it. The purpose for this article is to explain the purpose of serverless computing, so that you can understand why so much investment is going into cloud infrastructure and applications for serverless computing. This is the immediate future of cloud computing (which continues to evolve), and hopefully the very near future of highly scalable and affordable cloud-based security applications.

About the Author:

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security.