Follow Mark on LinkedIn Follow @marknca on Twitter Follow marknca on YouTube
marknca

Mornings With Mark
no. // 0 0 0 4

Serverless Is An Ops Model

Subscribe to the podcast.

Watch the episode here

Join the discussion on LinkedIn

Tweet about this episode

Full machine generated transcript follows

More than everybody how you doing today in this episode of the show. We're going to talk about serverless. Now a lot of you are probably have heard the term serverless, but I'm quite sure exactly what people are talking about and that's no surprised. There's about three different definitions of the term surrealist that are floating out there and we're going to circle back to all three of those but the primary focus of this video is on what I truly believed to be where we should be focusing our efforts around serverless, and I'm not the only one so I've been talking about service within this context for a few years, but don't take it from me.

Look at this clip from Dr. Verner vogel's the CTO of amazon.com at the AWS Summit in Santa Clara a couple weeks ago, but it's so much more here for the Spider-Man then just learned that long. I was just the last piece that was needed to stay strings together switch it you never had to think about service.

I think the general mobile for sale for this is sweetie that you have no infrastructure to proficient with scales automatically. You only pay for what you've used and the service itself many inches high availability and security for you. So you can see from that short clip. The doctor vocals is really focused on four main areas that Define a serverless architecture or a serverless design.

He talked about not having the provision anything so not having to set up instances set up services head of time. He talked about auto-scaling. So things go up and down the capacities. Just are you no longer have to worry really about capacity management and he talked about value-for-money. So truly only paying for what you're using.

There's no idle compute time. And of course the fourth aspect is being highly available and very secure and that's really the thing. I want to talk about with the security aspect of that because as much as the naming has been a debate and you'll see if you watch that.

Cenote by dr. Vogel you'll see he talks about serve a full and server less and it really doesn't matter what you call it, but we're all talking about the same thing. I think that's really key. Here's a little bit more from doctor vogel's. I mean, it's all the different matches this description perfectly dynamodb.

Step function surf snsns que hacen API Gateway an app sync. She can see in that clip where he was talking about. The fact that I have serverless is not just Lambda Chi Minh. That's obviously a tab in Google contacts is not just Google Cloud functions serverless. Is this design pattern and I think that's a fantastic way to look about at it because it gets you thinking about the value and the business outcome.

What are you trying to do for the business? You're not just building something for building at sacred actually trying to drive value for your business. You're trying to serve a customer need. I think that's the way we need to think about service in the security contact holistically. You don't just have code running in a function in an 1/8 of this land a function you get data sitting over in a database server.

You got an authentication Service a whole bunch of other aspects to this application and a few myopically think about surveillance security being only about functions. You're going to shoot yourself in the foot. And I mean that you know, that sounds kind of aggressive. There's not a lot of noise lately in the security Community around serverless security and I understand it's far easier to say service security is just about securing your AWS Lambda functions about the coat.

That's a part of it. That's an important part of it. But it's only one aspect of source three major pillars around serverless security. So you got functions you got serverless Choice than you got data flow between of those three pillars are where you need to focus if you only focus on one you're not going to have the holistic view of security that you really need and I think that's important to keep in mind again.

You can call it whatever you want. We've had that debate within the service Community for years and I'm not interested in rehashing it. What I do want to call out is that there are really three ways. I see the term service being used now. I fully use it in the context that doctor vogel's did where it's referring to the design pattern, but the more common use and we're seeing this in marketing materials.

Pop up a lot in the security space a lot in the developer tools faced where they're talking about serverless and they're actually talking about functions as a service if you were talking about is your functions. We're talking about Google Cloud functions AWS Lambda and things like open whiskey and they're talking about having your code running in somebody else's ephemeral containers or just execute buy a trigger and then are destroyed or ale I don't tell their required next time within your account.

That's a great server list. But our that's a great service went to see I almost even made a mistake. That's a great service functions as a service but it's not the entire day of service but most common usage. That's what you hear people talk about service and they're really only talking about AWS Lambda Challenge II common uses usual here as an adjectives to describe something as being serverless.

So I in this very keynote that I've quoted here. I'm dr. Voges goes on to talk about or previously had talked about AWS fargate, which is a containers Service as being Serverless, and the reason there is that it is abstracted away all of the attributes that would make it serve.

So yes, there's a bunch of stuff going on to the covers but going back to his four pillars of a definition of service serverless pattern is that in fargate you no longer worry about a provisioning you don't worry about scaling. It'll scale for you. You're only paying for what you use that's highly available by default insecure by default.

So far gate is a serverless container service. So that's being used serverless as an adjective again that adds some confusion of them, but I understand that usage and in the last usage is the one that I hold near and dear which is a noun again talking about serverless as the architectural pattern as the bigger design approach and I think we were talking security you absolutely have to use that definition serverless is an architectural approach.

If you only look at 1 service with in this entire mesh that builds up your application, that's not security. That's a part of security that you got it. For everything else and you have to cover the systematic whole we're not talking about a distributed system and distributed systems security is very different than an individual service or an individual endpoint within that match.

You need to worry about distributed challenges distributor problems of flow of data among those Services how you pick those services and yes the code that's running there. So a little bit of clarity. Hopefully you can use this reference Graphic Edge. Remember those three definitions. It's important to actually stop people and make sure that you were talking about the same thing because even if you don't go with my preferred definition of being the architectural pattern if you were talking about functions as a service and someone you're talking to is I thinking the architectural pattern there's going to be a mismatch there and that's going to lead to security problems communication solve maternity of problems in these instances.

So be sure to make sure you're using the same definitions the people within that conversation. That's the show for today. Let me know what you think. Will how do you service at Mark NCAA? Converse down blown is always by email me at Mark and. CA. I'll talk to you online and we'll see you on the next show.

More than everybody how you doing today in this episode of the show. We're going to talk about serverless. Now a lot of you are probably have heard the term serverless, but I'm quite sure exactly what people are talking about and that's no surprised. There's about three different definitions of the term surrealist that are floating out there and we're going to circle back to all three of those but the primary focus of this video is on what I truly believed to be where we should be focusing our efforts around serverless, and I'm not the only one so I've been talking about service within this context for a few years, but don't take it from me.

Look at this clip from Dr. Verner vogel's the CTO of amazon.com at the AWS Summit in Santa Clara a couple weeks ago, but it's so much more here for the Spider-Man then just learned that long. I was just the last piece that was needed to stay strings together switch it you never had to think about service.

I think the general mobile for sale for this is sweetie that you have no infrastructure to proficient with scales automatically. You only pay for what you've used and the service itself many inches high availability and security for you. So you can see from that short clip. The doctor vocals is really focused on four main areas that Define a serverless architecture or a serverless design.

He talked about not having the provision anything so not having to set up instances set up services head of time. He talked about auto-scaling. So things go up and down the capacities. Just are you no longer have to worry really about capacity management and he talked about value-for-money. So truly only paying for what you're using.

There's no idle compute time. And of course the fourth aspect is being highly available and very secure and that's really the thing. I want to talk about with the security aspect of that because as much as the naming has been a debate and you'll see if you watch that.

Cenote by dr. Vogel you'll see he talks about serve a full and server less and it really doesn't matter what you call it, but we're all talking about the same thing. I think that's really key. Here's a little bit more from doctor vogel's. I mean, it's all the different matches this description perfectly dynamodb.

Step function surf snsns que hacen API Gateway an app sync. She can see in that clip where he was talking about. The fact that I have serverless is not just Lambda Chi Minh. That's obviously a tab in Google contacts is not just Google Cloud functions serverless. Is this design pattern and I think that's a fantastic way to look about at it because it gets you thinking about the value and the business outcome.

What are you trying to do for the business? You're not just building something for building at sacred actually trying to drive value for your business. You're trying to serve a customer need. I think that's the way we need to think about service in the security contact holistically. You don't just have code running in a function in an 1/8 of this land a function you get data sitting over in a database server.

You got an authentication Service a whole bunch of other aspects to this application and a few myopically think about surveillance security being only about functions. You're going to shoot yourself in the foot. And I mean that you know, that sounds kind of aggressive. There's not a lot of noise lately in the security Community around serverless security and I understand it's far easier to say service security is just about securing your AWS Lambda functions about the coat.

That's a part of it. That's an important part of it. But it's only one aspect of source three major pillars around serverless security. So you got functions you got serverless Choice than you got data flow between of those three pillars are where you need to focus if you only focus on one you're not going to have the holistic view of security that you really need and I think that's important to keep in mind again.

You can call it whatever you want. We've had that debate within the service Community for years and I'm not interested in rehashing it. What I do want to call out is that there are really three ways. I see the term service being used now. I fully use it in the context that doctor vogel's did where it's referring to the design pattern, but the more common use and we're seeing this in marketing materials.

Pop up a lot in the security space a lot in the developer tools faced where they're talking about serverless and they're actually talking about functions as a service if you were talking about is your functions. We're talking about Google Cloud functions AWS Lambda and things like open whiskey and they're talking about having your code running in somebody else's ephemeral containers or just execute buy a trigger and then are destroyed or ale I don't tell their required next time within your account.

That's a great server list. But our that's a great service went to see I almost even made a mistake. That's a great service functions as a service but it's not the entire day of service but most common usage. That's what you hear people talk about service and they're really only talking about AWS Lambda Challenge II common uses usual here as an adjectives to describe something as being serverless.

So I in this very keynote that I've quoted here. I'm dr. Voges goes on to talk about or previously had talked about AWS fargate, which is a containers Service as being Serverless, and the reason there is that it is abstracted away all of the attributes that would make it serve.

So yes, there's a bunch of stuff going on to the covers but going back to his four pillars of a definition of service serverless pattern is that in fargate you no longer worry about a provisioning you don't worry about scaling. It'll scale for you. You're only paying for what you use that's highly available by default insecure by default.

So far gate is a serverless container service. So that's being used serverless as an adjective again that adds some confusion of them, but I understand that usage and in the last usage is the one that I hold near and dear which is a noun again talking about serverless as the architectural pattern as the bigger design approach and I think we were talking security you absolutely have to use that definition serverless is an architectural approach.

If you only look at 1 service with in this entire mesh that builds up your application, that's not security. That's a part of security that you got it. For everything else and you have to cover the systematic whole we're not talking about a distributed system and distributed systems security is very different than an individual service or an individual endpoint within that match.

You need to worry about distributed challenges distributor problems of flow of data among those Services how you pick those services and yes the code that's running there. So a little bit of clarity. Hopefully you can use this reference Graphic Edge. Remember those three definitions. It's important to actually stop people and make sure that you were talking about the same thing because even if you don't go with my preferred definition of being the architectural pattern if you were talking about functions as a service and someone you're talking to is I thinking the architectural pattern there's going to be a mismatch there and that's going to lead to security problems communication solve maternity of problems in these instances.

So be sure to make sure you're using the same definitions the people within that conversation. That's the show for today. Let me know what you think. Will how do you service at Mark NCAA? Converse down blown is always by email me at Mark and. CA. I'll talk to you online and we'll see you on the next show.