Sponsored"> Key Differences in Security, Management for Serverless vs. Containers - The New Stack
Modal Title
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
4 Factors to Consider When Choosing a Cloud Native App Platform
Jun 2nd 2023 10:00am, by Guilherme (Gui) Alvarenga
How GitHub Uses GitHub to Be Productive and Secure
May 31st 2023 10:30am, by Loraine Lawson
Top 3 Application Security Must-Haves
May 26th 2023 7:59am, by Guilherme (Gui) Alvarenga
Cloud Native Skill Gaps are Killing Your Gains 
May 22nd 2023 7:15am, by Victoria Wright
A Boring Kubernetes Release
May 19th 2023 12:23pm, by Alex Williams
Chainguard Improves Security for Its Container Image Registry
May 31st 2023 6:30am, by Steven J. Vaughan-Nichols
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
How to Containerize a Python Application with Paketo Buildpacks
May 29th 2023 5:00am, by Sylvain Kalache
Can Rancher Deliver on Making Kubernetes Easy?
May 27th 2023 7:00am, by Jack Wallen
Red Hat Podman Container Engine Gets a Desktop Interface
May 23rd 2023 7:30am, by Joab Jackson
Creating an IoT Data Pipeline Using InfluxDB and AWS
Jun 5th 2023 10:25am, by Jason Myers
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by Chris J. Preimesberger
Gothenburg, Sweden Used Open Source IoT to Drastically Cut Water Waste
May 23rd 2023 6:58am, by Alex Handy
Building a Plant Monitoring Tool with IoT
May 8th 2023 9:27am, by Zoe Steinkamp
How to Choose and Model Time Series Databases
Apr 28th 2023 3:00am, by Robert Kimani
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by Susan Hall
RabbitMQ Is Boring, and I Love It
May 15th 2023 6:30am, by Josh Long
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Spring Cloud Gateway: The Swiss Army Knife of Cloud Development
May 8th 2023 6:47am, by Juergen Sussner
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
WithSecure Pours Energy into Making Software More Efficient
Jun 1st 2023 7:14am, by Joe Fay
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
How to Decide Between a Layer 2 or Layer 3 Network
Apr 25th 2023 10:00am, by Gino Dion
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
Wireshark Celebrates 25th Anniversary with a New Foundation
Mar 28th 2023 5:00am, by Joab Jackson
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by Andrew Brust
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by Loraine Lawson
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
IBM's Quiet Approach to AI, Wasm and Serverless
May 4th 2023 6:00am, by Loraine Lawson
Cloud Control Planes for All: Implement Internal Platforms with Crossplane
Apr 13th 2023 10:00am, by Bassam Tabbara
The Architect’s Guide to Storage for AI
Jun 1st 2023 7:44am, by Keith Pijanowski
8 Real-Time Data Best Practices
Jun 1st 2023 5:00am, by Jennifer Riggins
Raft Native: The Foundation for Streaming Data’s Best Future
May 30th 2023 9:44am, by Doug Flora
Why the Document Model Is More Cost-Efficient Than RDBMS
May 25th 2023 9:24am, by Rick Houlihan
Amazon Aurora vs. Redshift: What You Need to Know
May 25th 2023 6:27am, by Casey Samulski
Frontend Development Software Development Typescript WebAssembly Cloud Services Data Machine Learning Security
Dev News: A New Rust Release and Chrome 114 Updates
Jun 3rd 2023 9:00am, by
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by
LangChain: The Trendiest Web Framework of 2023, Thanks to AI
Jun 1st 2023 10:57am, by
30 Non-Trivial Ways for Developers to Use GPT-4
Jun 1st 2023 9:39am, by
Bluesky vs. Nostr — Which Should Developers Care About More?
May 30th 2023 7:51am, by
Can DevEx Metrics Drive Developer Productivity?
Jun 7th 2023 3:00am, by
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by
API Management Is a Commodity: What’s Next?
Jun 6th 2023 9:59am, by
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by
Dev News: A New Rust Release and Chrome 114 Updates
Jun 3rd 2023 9:00am, by
Dev News: New Microsoft Edge Tools and Goodbye Node.js 16
May 27th 2023 6:00am, by
Dev News: Angular v16, plus Node.js and TypeScript Updates
Apr 22nd 2023 4:00am, by
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by
TypeScript 5.0: New Decorators Standard, Smaller npm
Mar 24th 2023 11:25am, by
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by
Python and WebAssembly: Elevating Performance for Web Apps
Jun 5th 2023 3:00am, by
Demystifying WebAssembly: What Beginners Need to Know
Jun 2nd 2023 5:35am, by
Case Study: A WebAssembly Failure, and Lessons Learned
May 25th 2023 7:00am, by
New Image Trends Frontend Developers Should Support
May 25th 2023 6:00am, by
Dell Intros New Edge, Generative AI, Cloud, Zero Trust Prods
May 31st 2023 11:00am, by
Cloud Dependencies Need to Stop F---ing Us When They Go Down
May 25th 2023 10:00am, by
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by
A Boring Kubernetes Release
May 19th 2023 12:23pm, by
Optimizing Mastodon Performance with Sidekiq and Redis Enterprise
May 18th 2023 10:30am, by and
Creating an IoT Data Pipeline Using InfluxDB and AWS
Jun 5th 2023 10:25am, by
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by
Bringing AI to the Data Center 
Jun 1st 2023 6:13am, by
8 Real-Time Data Best Practices
Jun 1st 2023 5:00am, by
MongoDB vs. PostgreSQL vs. ScyllaDB: Tractian’s Experience
May 31st 2023 6:10am, by and
API Management Is a Commodity: What’s Next?
Jun 6th 2023 9:59am, by
Meta-Semi Is an AI Algorithm That 'Learns How to Learn Better'
Jun 6th 2023 3:00am, by
Donald Knuth Asked ChatGPT 20 Questions. What Did We Learn?
Jun 4th 2023 6:00am, by
Maker Builds a ChatGPT DOS Client for a 1984 Computer
May 31st 2023 11:04am, by
Google’s Generative AI Stack: An In-Depth Analysis
May 31st 2023 7:59am, by
4 Factors to Consider When Choosing a Cloud Native App Platform
Jun 2nd 2023 10:00am, by
VeeamON 2023: When Your Nightmare Comes True
Jun 2nd 2023 7:47am, by
Compiled Python Code Used in a New PyPI Attack
Jun 2nd 2023 6:00am, by
Demystifying WebAssembly: What Beginners Need to Know
Jun 2nd 2023 5:35am, by
PyPI Strives to Pull Itself Out of Trouble
Jun 1st 2023 11:43am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
Can DevEx Metrics Drive Developer Productivity?
Jun 7th 2023 3:00am, by Jennifer Riggins
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by Paige Cruz
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by Michael Coté
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
How to Host Your Own Platform as a Product Workshop
May 31st 2023 9:09am, by Jennifer Riggins
Can DevEx Metrics Drive Developer Productivity?
Jun 7th 2023 3:00am, by Jennifer Riggins
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by B. Cameron Gain
VeeamON 2023: When Your Nightmare Comes True
Jun 2nd 2023 7:47am, by B. Cameron Gain
The Cedar Programming Language: Authorization Simplified
Jun 2nd 2023 6:07am, by Alex Williams
How to Improve Operational Maturity in an Economic Downturn
May 31st 2023 8:30am, by Jonathan Rende
Is DevOps Tool Complexity Slowing Down Developer Velocity?
May 17th 2023 6:29am, by Heather Joslyn and Lawrence E Hecht
AI Has Become Integral to the Software Delivery Lifecycle
May 12th 2023 11:01am, by Richard MacManus
4 Core Principles of GitOps
May 11th 2023 2:17pm, by Alex Williams
5 Version-Control Tools Game Developers Should Know About
May 9th 2023 10:00am, by Sharone Zitzman
Mitigate Risk Beyond the Supply Chain with Runtime Monitoring
May 8th 2023 10:00am, by Mike Long
Can DevEx Metrics Drive Developer Productivity?
Jun 7th 2023 3:00am, by Jennifer Riggins
Donald Knuth Asked ChatGPT 20 Questions. What Did We Learn?
Jun 4th 2023 6:00am, by David Cassel
Dealing with Death: Social Networks and Modes of Access
Jun 3rd 2023 6:00am, by David Eastman
Defend Open Source from Trolls: Oppose Patent Rule Changes
Jun 2nd 2023 6:49am, by Michael Dolan
How to Build a DevOps Engineer in Just 6 Months
Jun 1st 2023 10:43am, by Keri Barnett-Howell
SRE vs. DevOps? Successful Platform Engineering Needs Both
Jun 6th 2023 10:53am, by Paige Cruz
The Art of Platform Marketing: You’ve Gotta Sell It
Jun 6th 2023 6:05am, by Michael Coté
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
Open Source Jira Alternative, Plane, Lands
Jun 2nd 2023 9:00am, by Darryl K. Taft
How to Build a DevOps Engineer in Just 6 Months
Jun 1st 2023 10:43am, by Keri Barnett-Howell
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by Susan Hall
7 Core Elements of an Internal Developer Platform
Jun 5th 2023 6:41am, by Viktor Farcic
The Need to Roll up Your Sleeves for WebAssembly
Jun 5th 2023 6:00am, by B. Cameron Gain
My Further Adventures (and More Success) with Rancher
Jun 3rd 2023 7:00am, by Jack Wallen
How to Protect Containerized Workloads at Runtime
May 30th 2023 4:00am, by Kevin Casey
How Adobe Uses OpenTelemetry Collector
Jun 5th 2023 10:02am, by Susan Hall
Red Hat Ansible Gets Event-Triggered Automation, AI Assist on Playbooks
May 24th 2023 6:22am, by Joab Jackson
Observability: Working with Metrics, Logs and Traces
May 22nd 2023 8:23am, by Jessica Wachtel
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
Datadog’s $65M Bill and Why Developers Should Care
May 17th 2023 10:56am, by Loraine Lawson
Don't Force Containers and Disrupt Workflows
May 25th 2023 3:10pm, by Alex Williams
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Service Mesh Demand for Kubernetes Shifts to Security
Oct 27th 2022 11:04am, by B. Cameron Gain
Containers / Serverless

Key Differences in Security, Management for Serverless vs. Containers

erverless functions and containers are two of the hottest topics in the IT world today. They’re also two technologies that share a lot in common — after all, both are ways to deploy code inside isolated, discrete environments. Much confusion exists about best practices and security management and how they differ between serverless and containers. Among the issues to consider, you must decide how to change your architecture strategy when dealing with serverless functions as opposed to containers.This article answers those questions by comparing and contrasting serverless and containers.
Apr 12th, 2019 9:49am by
Featued image for: Key Differences in Security, Management for Serverless vs. Containers
Feature image via Pixabay.

Serverless functions and containers are two of the hottest topics in the IT world today. They’re also two technologies that share a lot in common — after all, both are ways to deploy code inside isolated, discrete environments. They are by no means identical technologies, but in the abstract, they function in similar ways.

And yet.

Much confusion exists about best practices and security management and how they differ between serverless and containers. Among the issues to consider, you must decide how to change your architecture strategy when dealing with serverless functions instead of containers.

This article answers those questions by comparing and contrasting serverless and containers. We’ll provide an overview of what these two technologies have in common and explain how deployment, management, and security strategies for serverless and containerized workloads compare.

What Is Serverless and Containers, and What Do They Have in Common?

Sonya Koptyev
Sonya is the director of evangelism at Twistlock. She has been driving community efforts across various development technologies since the early days of SharePoint and .NET. Sonya worked on building the Office developer community and the Microsoft AI developer community and bringing the latest in bleeding-edge technologies into the hands of developers. As part of Twistlock, Sonya is looking to bring the world of secure cloud native development into the hands of every developer, ensuring that they can make the most of the best cloud native technologies in a secure way.

A detailed definition of serverless computing and containers is beyond the scope of this article. But here are quick definitions:

  1. Serverless computing refers to an architecture in which code is executed on-demand. Serverless workloads are typically in the cloud, but on-premises serverless platforms exist, too;
  2. Containers provide portable environments for hosting an application or parts of an application. The most common container platform today is Docker, although the containerization concept dates back to the introduction of the chroot call to Unix in the late 1970s.

While serverless functions and containers are designed to meet different needs and are deployed using different tools, they share a lot in common:

  • They allow you to deploy finite pieces of code and are therefore well suited for microservices architectures;
  • They are easy to deploy across distributed architectures. For that reason, you commonly see them being used in the cloud;
  • Serverless functions and containers start quite quickly (usually within a few seconds);
  • Both rely heavily on APIs to coordinate their integration with external resources;
  • Both do not typically have built-in persistent storage; instead, they rely on external resources for persistent storage needs;
  • They are frequently used to build immutable infrastructure (although, strictly speaking, not all serverless or containerized architectures are necessarily immutable).

The list could go on, but these are the essential traits that containers and serverless functions share in common.

Managing and Securing Serverless vs. Containers

Given the similarities described above, you might think that the strategy you use for managing and securing serverless functions can be employed for containers, too. You’d be right — to an extent.

Following are the key components of software management and security strategy that apply to containers as well as serverless functions:

  • Dynamic baselining. In both a containerized environment and a serverless one, there is no such thing as “normal.” Instead, the number of containers or serverless functions running at a given time and the level of communication between them fluctuate constantly. That is why it’s critical to leverage monitoring and security tools that support dynamic baselines — meaning they can adjust automatically to recognize anomalous behavior, even in environments that are constantly changing;
  • Third-party dependency management. It’s common for both containers and serverless functions to import third-party code when they run. For that reason, managing and securing code from upstream sources is critical in both contexts. That means knowing where the code comes from and gaining early awareness of any stability or security problems associated with it so that you can fix the issues before they cause problems;
  • Access control. Although serverless functions and containers run inside environments that are relatively isolated from each other and the host server, that isolation is not absolute. A serverless function or container that experiences a performance problem or security breach could affect other resources in undesirable ways. That’s why it’s critical to take advantage of access-control systems to lock down which resources your functions and containers can access. You don’t want a coding flaw or security breach inside your serverless function or containers to lead to massive consumption of cloud resources, for example, or to crash another container or server.;
  • API testing and security. Since APIs are so important in the context of both containers and serverless, testing and securing APIs is critical for both types of environments.

In other respects, however, serverless and containers require fundamentally different management and security techniques:

  • Managing and securing the host environment. With serverless, end-users don’t need to worry about (or typically have much control over) the host server and operating system on which their functions run. (That’s why it’s called serverless, after all.) In contrast, when you use containers, it’s critical to ensure that your containers themselves, the Docker environment, and the host operating system are stable and secure;
  • Resource consumption. The types of workloads that are deployed using serverless functions tend to consume large amounts of resources for short spans of time. What this means from a management and security perspective is that avoiding unnecessary resource consumption or execution time for serverless functions is very important if you want to keep your computing bill manageable. Efficiency is important with containers, too, of course, but not quite as much, given that containerized applications or services are usually designed to run for longer periods of time, and they may not consume resources constantly;
  • Cloud frameworks. Although serverless functions can be deployed on-premises in certain cases, in most situations today, serverless workloads run in a public cloud using a service like AWS Lambda or Azure Functions. That means the number of tools available for managing and securing those functions is somewhat limited. You are stuck with the tools offered by your cloud vendor (which are usually limited in functionality), plus third-party tools that are compatible with the cloud you’re using. Containers can pose the same challenge when you use a cloud-based Containers-as-a-Service platform, but it’s more common to see containers deployed on generic cloud infrastructure or on-premises, where toolset compatibility is less restrictive.

The Bottom Line

In short, containers and serverless are similar in several key respects and the strategies you use to manage them and keep them secure should be similar, too. However, there are some very important differences when it comes to managing and securing certain dimensions of a serverless or containerized workload, such as the extent of the responsibility you bear for the host environment and the tools you can use.

In a simple world, your container and serverless strategies could be identical, but in the real world, you have to factor these variations in when you make a plan for keeping your serverless functions and containers lean, mean and secure.

In this article, we’ve covered only the basics. Visit Twistlock’s resource pages to learn more about the details of container security and serverless security.

Group Created with Sketch.
Sonya is the director of evangelism at Twistlock. She has been driving community efforts across various development technologies since the early days of SharePoint and .NET. Sonya worked on building the Office developer community and the Microsoft AI developer community...
Read more from Sonya Koptyev
SHARE THIS STORY
RELATED STORIES
Bullet-Proofing Your 5G Security Plan 5 Security Principles to Guide Your DevSecOps Journey Do Your Cloud Apps Need a CNAPP? Is Your IaC Template a Route Map for Hackers? Mature Cloud Native Security Improves Developer Efficiency
TNS owner Insight Partners is an investor in: Pragma, Docker.
RELATED STORIES
Bullet-Proofing Your 5G Security Plan 5 Security Principles to Guide Your DevSecOps Journey Do Your Cloud Apps Need a CNAPP? Is Your IaC Template a Route Map for Hackers? Mature Cloud Native Security Improves Developer Efficiency
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.