Serverless vs. Containers

30 days of cloud Compute Security

Serverless and containers are two of the hottest topics in the software world. They are by no means identical technologies, but in the abstract, they function in similar ways. This article answers those questions by comparing and contrasting serverless and containers.

Key Differences in Security and Management for Serverless vs. Containers

Serverless and containers are two of the hottest topics in the software world. They’re also two technologies that share a lot in common. After all, both are ways to deploy code inside isolated, discrete environments. They are by no means identical technologies, but in the abstract, they function in similar ways.

Much confusion exists about best practices and security management and how they differ between the two. Among the issues to consider, you must decide how to change your architecture strategy when dealing with serverless functions as opposed to containers.

This article answers those questions by comparing and contrasting serverless and containers. We’ll provide an overview of what these two technologies have in common and explain how deployment, management, and security strategies for serverless workloads and containerized workloads compare.

What are Serverless and Containers?

A detailed definition of serverless and containers is not necessarily needed for now, but here are quick definitions:

Serverless – Refers to an architecture in which code is executed on-demand. Serverless workloads are typically in the cloud, but on-premises serverless platforms exist, too.

Containers – Provide portable environments for hosting an application, or parts of an application. The most common container platform today is Docker; although, the containerization concept dates back to the introduction of the chroot call to Unix in the late 1970s.

While serverless functions and containers are designed to meet different needs and are deployed using different tools, they share a lot in common. Here are some examples:

• Both allow you to deploy finite pieces of code and are, therefore, well suited for microservices architectures.
• Both are easy to deploy across distributed architectures. For that reason, you commonly see them being used in the cloud.
• Both spin up quite quickly (usually within a few seconds).
• Both rely heavily on APIs to coordinate their integration with external resources.
• Both do not typically have built-in persistent storage; instead, they rely on external resources for persistent storage needs.
• They are frequently used to build immutable infrastructure (although, strictly speaking, not all serverless or containerized architectures are necessarily immutable).

The list could go on, but these are the essential traits that containers and serverless functions share in common.

How Are Serverless and Containers Similar?

Given the similarities described above, you might think the strategy you use for managing and securing serverless functions can be employed for containers, too. You’d be right—to an extent.

The following are the key components of a software management and security strategy that apply to containers as well as serverless functions.

Dynamic Baselining

In both a containerized environment and a serverless one, there is no such thing as “normal.” Instead, the number of containers or serverless functions running at a given time and the level of communication between them fluctuates constantly. That is why it’s critical to leverage monitoring and security tools that support dynamic baselines, which means they can adjust automatically to recognize anomalous behavior, even in environments that are constantly changing.

Third-Party Dependency Management

It’s common for both containers and serverless functions to import third-party code when they run. For that reason, managing and securing code from upstream sources is critical in both contexts. That means knowing where the code comes from and gaining early awareness of any stability or security problems associated with it, so you can fix the issues before they cause problems.

Access Control

Although serverless functions and containers run inside environments that are relatively isolated from each other and the host server, that isolation is not absolute. A serverless function or container that experiences a performance problem or security breach could affect other resources in undesirable ways. That’s why it’s critical to take advantage of access-control systems to lock down which resources your functions and containers can access. You don’t want a coding flaw or security breach inside your serverless function or containers to lead to massive consumption of cloud resources, for example, or to crash another container or server.

API Testing and Security

Since APIs are so important in the context of both containers and serverless, testing and securing APIs is critical for both types of environments.

How Are Serverless and Containers Different?

In other respects, however, serverless and containers require fundamentally different management and security techniques.

Managing and Securing the Host Environment

• With serverless, end users don’t really need to worry about (or typically have much control over) the host server and operating system on which their functions run. (That’s why it’s called serverless, after all.)
• In contrast, when you use containers, it’s critical to ensure that your containers themselves, the Docker environment, and the host operating system are stable and secure.

Resource Consumption

• The types of workloads that are deployed using serverless functions tend to consume large amounts of resources for short spans of time. What this means from a management and security perspective is that avoiding unnecessary resource consumption or execution time for serverless functions is very important if you want to keep your compute bill manageable.
• Efficiency is important with containers, too, of course, but not quite as much, given that containerized applications or services are usually designed to run for longer periods of time and they may not consume resources constantly.

Cloud Frameworks

• Although serverless functions can be deployed on-premises in certain cases, in most situations today, serverless workloads run in a public cloud using a service like AWS Lambda or Azure Functions. Tools are offered by the cloud service providers, but most companies benefit from third-party solutions.
• Containers can pose the same challenge when you use a cloud-based Containers-as-a-Service platform, but it’s more common to see containers deployed on generic cloud infrastructure or on-premises, where toolset compatibility is less restrictive.

The Bottom Line

In short, containers and serverless are similar in several key respects and the strategies you use to manage them and keep them secure should be similar, too. However, there are some very important differences when it comes to managing and securing certain dimensions of a serverless or containerized workload, such as the extent of the responsibility you bear for the host environment and the tools you can use.

In a simple world, your container and serverless strategies could be identical, but in the real world, you have to factor these variations in when you make a plan for keeping your serverless functions and containers lean, mean, and secure.

Learn more about securing and managing containers and serverless, register to view the on-demand cloud native security summit.