Tech Bites – Engineering & Product Development
Today’s serverless offerings provide developers with the capabilities to run their applications without being concerned with any infrastructure or administration-related issues. Also known as Event-based, or “Functions as a Service” (FaaS), this implementation option has gained in popularity for several reasons. In this article, we will explore the role of serverless offerings, the value they bring, and explain how you can use serverless to elevate your business.
How Did We Get Here?
Over the years, we’ve progressed from monolithic applications to microservices, to containers, which created the need for orchestration. Now there is serverless, minimizing developers’ dependence on host environments, increasing flexibility, and lowering overhead costs. The evolutionary path of these programs is not rigid, with many development teams skipping the container movement and going straight to serverless. Most applications were migrated to the cloud, while many are newly developed, built with a Cloud-native approach. Teams can often struggle with the complexities of Kubernetes for container orchestration, driving the search for simpler and oftentimes cheaper options depending on the application workload. Not to mention that many engineering team leaders are continuously struggling to find and keep highly-qualified Kubernetes experts.
Public cloud providers began making things more accessible years ago by providing an attractive option for specific workloads. The infrastructure for these workloads is managed by the cloud provider, allowing architects and developers to focus more on building applications for their product or service – the very thing that should be their primary focus. This gives them the speed and agility needed for their product or service to be competitive in the market and distance themselves from their competition.
If you are considering an investment in Serverless, the following are advantages that Serverless architectures can offer:
- Development speed – for quick prototyping and early-stage development, Serverless is an attractive option. I don’t know of any small start-ups who choose implementations that are more complicated unless their specific workload demands it (which is discussed more in-depth below).
- Simplicity – when the same code for an application CAN be run in multiple ways, usually the easiest one wins. And if the easiest is the cheapest, and possibly the most performant – it wins hands down.
- Hands-off admin – developers specify how many executions they expect they will have and the amount of memory they need, and that is the extent to which they will have to be concerned with scalability.
- Event-based – once you are in the ecosystem of the cloud provider, you can trigger your code to execute based on any number of things. It could be an API request (most common), or a new item in a queue, or new row in a database, etc. This gives developers a powerful capability to create robust applications by simply stitching together various services offered by the cloud provider. While this is an attractive option, be aware that this tends to tie you in more to a specific vendor, so tread carefully here if you prefer more of a cloud-agnostic approach.
- Cost – the “pay-for-what-you-use” model applies here through a per-execution charge. Cloud providers document the formula for costs and provide tools that help predict the monthly cost. Nobody likes surprises on monthly bills. The cost per execution is so low that most workloads would benefit from this model, especially when compared with an alternative “always-on” model in which you are billed hourly for computing capability regardless of workload activity.
- Pick a cloud, any cloud – once considered a limited offering through a select few cloud providers, serverless capabilities are now available across all providers. If you already have a significant investment in a particular cloud provider, they have you covered as you venture into the serverless world.
Candidate Workloads for Serverless
Not all workloads are right for the serverless approach. The following are five workload characteristics that make an application a good candidate for Serverless.
- Doesn’t execute excessively – per instance cost of executions is low, but as the number of executions increases, you may be better off running on a compute infrastructure, especially if cost reduction is a high priority.
- Finish quickly – apps that require a response time of a few seconds are good candidates. Most web apps fall into this category: an API endpoint triggers a workload, which does something with the database and returns a return code. Some cloud providers allow up to 15 minutes per execution as the maximum execution time; others offer less. Be aware that your monthly costs will rise rapidly the longer your executions take.
- Are event triggered – as described earlier, workloads triggered by events are great candidates for this approach.
- Are stateless – these workloads are ephemeral so the workloads need to be stateless to support this model. This is the foundation for high scalability whether using a serverless implementation or not (containers/Kubernetes).
- Have a small footprint – some applications are not ideal candidates based on their architecture and application footprint. This includes game servers that require a massive server-side footprint and compute capabilities and are not built on microservices.
What about vendor lock-in?
There are ways you can mitigate vendor lock-in concerns, which we will explore in-depth in our next Serverless article. We will demonstrate the same exact serverless code working in multiple cloud provider offerings. There is a trade-off between total flexibility (no vendor lock-in) and development speed and agility, and where you run your code is just one design decision in the overall technical architecture. If your application needs to run in multiple cloud providers and maybe even on-prem, then different solutions would be in order. For instance, instead of using a cloud provider’s queueing service, you could consider implementing an open source equivalent and managing it yourself. While this does give you the portability to run anywhere, it creates more challenges, specifically around deployment, management and administration, all of which will slow you down.
I recommend evaluating the lock-in factor for each major component in the architecture and asking the following two questions:
- How much does this lock us in?
- Do we care?
Answers to these questions will help you determine the best course of action.
The serverless option is not perfect. However, it’s finally getting the attention it deserves, and it’s improving daily. Instead of asking ourselves, “what apps would we run on serverless?”, the question now becomes, “which ones would we not run this way?” Developers can now focus on building game-changing applications in record time and not worry about the infrastructure and administration required to run them. Sure sounds like a win-win.
About Dave Moore
Dave Moore is GAP’s Chief Innovation Officer. He is a seasoned technology executive with more than 25 years of experience in conceptualization and crafting innovative solutions that provide scalability, widespread end-user adoption, and substantially increased revenue. Dave’s experience has given him unique insight into building diverse teams, and expert knowledge of microservices, Serverless, cloud optimization, CI/CD, security, big data and open-source technologies.
The cost of a data breach in 2019 came out to an average of $3.9 million. The U.S. proved to be the most expensive country, and healthcare was the most costly industry, according to the IBM Cost of a Data Breach Report. Protecting company and customer data remains a top priority for security professionals, and 2020 will be no exception. Here are my predictions for how data privacy will shape the new year.
With Data Privacy Day upon us, it is the perfect time to forecast impending threats and share some security best practices to get professionals on the right track. Millions of people are unaware and uninformed about how their personal information is being used, collected or shared in our digital society. Data Privacy Day aims to spark that dialogue and empower individuals and companies to take action when it comes to their private information.
Data Privacy Day is an international effort to empower individuals and businesses to respect privacy, safeguard data, and enable trust. Unfortunately, the threats are coming, and they will not be any less intense, complex or difficult to manage in 2020. In fact, I would expect the opposite. Your security will truly depend on how your organization takes advantage of the knowledge and expert assistance available to safeguard your critical infrastructure.
Here are 10 predictions on data privacy in 2020:
#1 Wide-Spread Regulations Will Take Hold
In 2018, the General Data Protection Regulation (GDPR) was enacted into EU law. GDPR is a regulation covering data protection and privacy in the European Union and the European Economic Area. It addresses the transfer of personal data outside the EU and EEA areas. Since then, many companies within the United States have updated their policies on data privacy to comply as well.
In addition to the GDPR, the California Consumer Privacy Act (CCPA) was created in 2018 and went into effect on January 1, 2020. The CCPA is a state statute intended to enhance privacy rights and consumer protection for residents of California.
All companies that serve California residents and have at least $25 million in annual revenue must comply with the CCPA law. In addition, companies of any size that have personal data on at least 50,000 people, or that collect more than half of their revenues from the sale of personal data, also fall under this law.
While new regulations may not go into effect in 2020, they will be in the works. In fact, many organizations that are not required to comply with GDPR or CCPA are taking actions to do so regardless. I expect more and more states to jump onto California’s bandwagon and pass state-level consumer privacy acts of their own. In 2020, experts are anticipating that over 10 states will enact similar laws to the CCPA.
Gaining customer trust is a tricky process, but losing it is simple. Leaving the security of customers’ personal data up to chance is not an option. There are many security options available to help protect you against breaches.
Security Recommendation: If you are not currently required to comply with either consumer privacy regulation, get ahead of the game and start the process early. There is no downside to being overly secure, compliant, and safe. Gain the trust of your customers, prospects, and partners by staying in front of the competition and evolving regulations.
#2 Ransomware will Target Cloud
According to a report by EMSISOFT, the combined costs of 2019’s ransomware incidents could be in excess of $7.5 billion. While they believe this overstates the actual costs (a small school district’s recovery expenses are unlikely to run to seven figures), it nonetheless provides an indication of the enormous financial impact of these incidents.
As ransomware continues to benefit cyber criminals, it will continue to evolve in order to maximize profits. In 2020, ransomware will turn its focus on the cloud.
Recently, untargeted ransomware attacks have plateaued, with attackers showing preference for targeted attacks against industries whose businesses cannot function with any downtime. These include healthcare, state and local governments, and industrial control systems.
As these industries and businesses move their important workloads to the cloud, ransomware will follow. It will start to target cloud-based assets including virtual environments.
Security Recommendation: Do not run from the cloud. Rather, find a cloud service provider with the proper security controls in place. Use advanced malware protection to detect evasive malware. Not all cloud services will fit your business needs. Hybrid cloud deployments are growing in popularity, and for good reason. In fact, Gartner Group reported that 90 percent of enterprises will operate some form of hybrid cloud by 2020.
#3 A Shortage of Skilled Workers Worsens
According to the State of Cybersecurity Hiring, cybersecurity jobs account for 13 percent of all information technology jobs. Yet, on average, cybersecurity jobs take 20 percent longer to fill than any other IT job, even though they pay well.
The issue? Educational institutions are not producing enough qualified candidates to fill the demand for new information security employees.
Not a day goes by where we do not hear of some new data breach or attack. Meanwhile, consumers are becoming more and more aware of how their personal data privacy contributes to their own security. As a result, the demand for cybersecurity professionals is at an all-time high.
Unfortunately, according to the latest studies, almost three million cybersecurity jobs remained unfilled during 2018. I do not see the skill gap lessening in 2020. In fact, as attacks get more advanced, I foresee that skill gap widening.
Cybersecurity is a specialty, but most of the workers who practice it are not specialists. In many organizations, cybersecurity is a task built into other IT jobs, such as network administrator. Overall, these “cyber-enabled” jobs form the majority (56 percent) of all cybersecurity-related openings, reported the State of Cybersecurity Hiring.
Security Recommendation: While certifications are crucial, there are too many jobs open and not enough certified workers. Employers may benefit from removing the upfront certification requirements. Instead of finding the perfect professional right out of the gate, make a commitment to ongoing education and training to foster growth with a good candidate.
Help newer professionals master the basics, then provide them with opportunities for advanced certification programs. Offer incentives for those working learners who present a strong possibility of bringing new energy into the IT security workforce.
#4 Multi-Factor Authentication Becomes the Standard
Multi-factor authentication has evolved to become one of the single most effective controls to insulate an organization against remote attacks. When implemented correctly, it can prevent most threat actors from easily gaining an initial foothold into an organization, even if credentials become compromised.
In the past, many organizations opted out of multi-factor authentication because it was cumbersome, but recently multi-factor authentication programs have been simplified with cloud-only options. I believe that app-based multi-factor authentication is here to stay.
The ease of use both for the end user and the IT administrator managing these MFA tools will finally enable organizations of all sizes to recognize the security benefits of additional authentication factors.
Security Recommendation: If you have not already implemented multi-factor authentication throughout your organization, do so immediately. Everything from logging into a computer to accessing resources from the cloud should have some sort of multi-factor authentication tied to it.
#5 More Breaches will Happen Outside the Corporate Network
Many offices are allowing their employees to work remotely to increase productivity and reduce burnout. With that comes a set of security risks to address before letting staff go completely mobile.
Mobile device usage for work and remote employees has been on the rise for several years now. A recent survey by WatchGuard and CITE Research found 90 percent of mid-market businesses have employees working half their week outside the office.
Many times, when employees work outside the corporate network, they lack network security, missing out on an important part of a layered security defense. I predict that we will see a rise in data breaches that involve remote workers, mobile devices, and off-premises assets.
Security Recommendation: Before implementing a remote workplace, create diligent off-network protections for your employees. Any work device that leaves the office needs a full suite of security services, including a local firewall, advanced malware protection, DNS filtering, disk encryption, and multi-factor authentication (among other protections).
#6 IoT Device Vulnerability
Securing IoT networks from attack is essential but is full of significant challenges. Many IoT devices are online 24/7 and have significant bandwidth available, making them attractive targets for Distributed Denial of Service (DDoS) botnets. Hackers can also use them as stepping-stones to compromise enterprise or home networks through their backend connectivity.
As 5G becomes a reality, billions of humans and trillions of machines can take advantage of enhanced mobile broadband. Everyone from businesses to individuals will face technical challenges when it comes to keeping their data secure and managing their IoT devices.
Security Recommendation: Most mobile devices do not allow users to disable cellular-to-Wi-Fi handover, or Hotspot 2.0. Windows 10 currently does, however. If unsure, individuals should use a VPN on their cellular devices so that attackers cannot access their data. For businesses looking to enable Hotspot 2.0, make sure your Wi-Fi access points (APs) have been independently tested to stop the six known Wi-Fi threat categories detailed at http://trustedwirelessenvironment.com.
#7 Security Budgets Will Increase
In the new year, businesses will significantly increase spending on cybersecurity. The big challenge is ensuring that the spending focuses on the right areas. Despite the record amount of money spent on cyber defenses worldwide, we will continue to see an uptick in data attacks and breaches. If funding is spent strategically, risk will be dramatically reduced. Unfortunately, the past has shown us that budgets are rarely spent in a beneficial way.
Security Recommendation: Rather than increasing a security budget for the sake of throwing money at an issue, get strategic about what security your organization specifically needs. Map out the vulnerabilities that you face and vet the appropriate vendors that have the security and compliance certifications and capabilities to reduce risk on your behalf.
#8 Enterprises Will Enforce Employee Security Training
Security training allows organizations to influence behavior, mitigate risk, and ensure compliance. There are countless benefits of initiating security awareness training within a company. In 2020 there will be an increased effort to enforce regular employee security awareness training to combat phishing and social engineering attempts.
Willis Towers Watson found that about 90 percent of cyber claims stemmed from some sort of human behavior or error. If a program is implemented to teach employees about common scams, such as email attachments that contain malware or phishing emails that steal personal information, they are much less likely to accidentally click links or open files.
Security Recommendation: If your organization has not already done so, implement ongoing security awareness training. By providing mandatory education, employees are far less likely to click on a malicious link or share intellectual property with a cybercriminal using social engineering to gain access to confidential information.
#9 Malware Attacks on Medical Devices will Threaten Healthcare Security
There is an emerging trend of ransomware attacks on medical devices, creating serious vulnerabilities in healthcare security. While these attacks have mostly been under the radar, and are few and far between to date, we can expect an uptick in these highly targeted attacks in 2020.
Within the next five years, 44 percent of medical technology companies surveyed by Deloitte predict that all their devices will connect through IoT. This shift is creating a dangerous new attack surface. Despite the growing threat to medical devices, most U.S. healthcare providers still lack a documented strategy for protecting them. This lack of planning ensures that this will be a trending cyber threat in 2020.
Security Recommendation: HIPAA regulations, especially the HIPAA Security Rule, provide cybersecurity guidance but do not constitute a set of comprehensive standards or IoT device rules. Start by auditing existing IoT policies for medical devices with a wide cybersecurity lens. In addition to a formalized policy, create processes and invest in solutions to improve compliance and overall security.
#10 Business Email Compromise (BEC) will Be a Top Threat Actor
Bad actors have used BEC for a considerable amount of time. Based on what we have seen in 2019, this has taken a step up in terms of complexity and profitability. According to Forrester, estimated exposed losses due to business email compromise between 2016 and 2019 totaled $26 billion. We should expect that BEC will become even more profitable than ransomware.
Historically, BEC has been aimed at getting users to unknowingly install malware to allow bad actors to gain access to networks to gather data. More recently, it has been about creating plausible changes to payments.
Security Recommendation: To combat these attacks, implement ongoing security training for your staff. As with security recommendation number eight, it is important that your staff is aware of the different types of malicious events they may receive. Warning them about what to open and what to send to security is a top priority.
This article outlines the most important technical and design factors to be aware of when building custom software for use in a B2B context.
Building custom software for B2B companies is often vastly different from building digital products meant to assist B2C companies or be sold directly to the consumer. That’s because B2B companies build complex business procedures around the unique ways they serve their customers.
While B2C companies generally serve a mass market with relatively standardized, transactional products and services, B2B companies serve a much smaller number of customers. This means that each customer a B2B company serves represents a greater share of total revenue than the individual customers served by B2C companies.
This difference in relative market power forces B2B companies to compete for clients by offering greater customization and tailored service. For example, a building supply chain may give each contractor it serves bulk pricing and credit terms while expecting its DIY clients to routinely pay full price in cash. That’s because each contractor provides more revenue for the building supply chain than do the DIY-ers.
By catering to contractors, the building supply chain can make more money, but at a cost. Their business operations will become more complex due to the customized attention offered to their B2B customers.
The building supply chain is just one example of how intensive B2B services can translate into unique demands on a business. It can be difficult for a B2B business to scale when each client requires individualized attention. That’s where technology comes in. When designed with these customer needs in mind, custom software can help B2B companies deepen their capacity to serve more clients without having to add to their sales and support staff.
Unless a software product is customized to fit the real needs of a B2B business, it may end up making problems, rather than solving problems for the company. With that in mind, here are six technical and design factors product designers and developers should take into account when building custom software for the B2B context:
- Include Power Features
People using B2B software will often be completing more complex tasks than B2C app users. So, when building custom software for the B2B context, find ways to simplify user involvement. Think through power features such as keyboard-driven access (versus tap or click) for data entry, multiple selection processing, customized dashboard views, advanced search and filter options, and robust data import and export options.
These advanced features may be overkill, even detrimental, in a B2C context, like when a user checks their bank statements online. But in a B2B context — for example, a corporate accountant managing a complex set of books — power features are essential.
- Study Context of Use
People occasionally use B2C applications in abnormal contexts, such as using a fitness tracker while exercising. In comparison, B2B applications are routinely used in a wide variety of unexpected, high-pressure contexts. For B2B end users, money and reputation are at risk as they engage with a software product. Ensuring a design works in the context of daily activity is non-negotiable for a B2B application.
At Praxent, we’ve built custom software applications for a variety of B2B businesses. Many of them were designed for on-the-job use outside the traditional office setting. For instance, one application we designed was for use by medical staff as they rushed between hospital rooms. Another app we designed was meant to assist workers inspecting dark, above-ground oil tanks. We designed an app for consultants who spend a lot of time working on cramped airplanes, and we even built one for veterinarians who often use the app as they stand in a cow pasture in the middle of the night. Each of these extreme contexts of use had incredibly important implications for the design and functionality of the software we created.
Context of use affects every aspect of user demand on your software application, from what types of technology should support the app, to how the user interface should appear. It’s impossible to successfully design software for B2B circumstances in an air-conditioned conference room. Get out of the office and observe end users in their work environments. Then design based on what will make their lives easier.
- Ease Access to Human Support
B2B customers expect more individualized attention from their technology providers. While completely self-service technology may be a valid goal for B2C products, that is not the case for B2B. While B2B customers do expect to be able to conduct business after hours without needing to call for help, they also expect to get help immediately if the technology fails to deliver.
Plan in advance for B2B end users to contact customer support or their assigned account manager if they get stuck using a software product. Consider embedding chat, text, call, or help desk functionality directly within the product to save end users the time of switching contexts to reach technical support.
- Plan for Heightened Security and Privacy
While security and privacy are essential for any technology product, expect B2B customers to be more concerned with how their data is protected than the average consumer. In practice, this could mean offering on-premises hosting, ensuring all data is encrypted in motion and at rest, conducting regular security audits and penetration testing, and implementing strict access control and disaster recovery procedures.
- Invest in Software Engineering Best Practices
It would be silly to apply the same structural engineering practices when building a dog house as you would when building a skyscraper. Similarly, the amount of care taken to enforce software engineering best practices when building a new digital product should be commensurate with the corresponding complexity and size of the product investment.
B2B products tend to be an order of magnitude more complex than B2C products; therefore, they require more rigorous attention to best practice. To ensure smooth delivery to your client, consider investing developer time into creating:
  - Repeatable DevOps processes
  - Robust automated test frameworks
  - Redundant, horizontally-scalable hosting environments
  - Clean-up sprints to optimize code and pay down technical debt as it accumulates
- Design for Multiple Roles and Complex Workflows
B2B applications tend to have a range of user types. Multiple employees with various responsibilities and very different levels of authority will be accessing the same custom software application.
Custom software for B2B companies needs to allow for complex, configurable workflows and differing levels of data access. Consider the following features when designing for multiple roles and complex workflows:
  - Single Sign-On capabilities
  - Configurable role-based access control
  - Hierarchical data access that mirrors a customer’s organizational structure
  - Queue-based system for task management (This type of system emulates the physical inboxes that enabled corporate collaboration before the rise of computers.)
Custom Software that Becomes a Competitive Advantage
The software B2B companies use to run their businesses must facilitate financial growth by making the most of their customized business offerings. Digital product designers and developers can offer B2B companies the tools to not only do business faster, but entirely disrupt the way their industries operate.
That being said, B2B custom software is a huge investment. Building a digital product that not only serves your client’s business goals, but is also delivered on budget and on time, requires a strong development process, hands-on user research, personal and consistent communication, and expert designers and engineers who excel at creative problem-solving.
About Kevin Hurwitz
With more than fifteen years of experience delivering business software solutions for more than 150 organizations, Kevin carries the responsibility of delivering innovative web and mobile-based software solutions at Praxent. He provides strategic and technical oversight to all client engagements to ensure quality development and exemplary client experiences.