Co-authored with Pranava Adduri, a founding engineer at Rubrik, a unicorn enterprise Cloud Data Management startup invested in by Greylock, Lightspeed, Khosla, and IVP. The following thoughts summarize our research into the growing Serverless space and an aggregation of the advice we have been giving our VC contacts. They are not intended to be representative of Rubrik.
Firstly, we wanted to clarify several terms.
Serverless: A general computing model where service providers (SPs) (i.e., AWS, GCP, Azure, etc.) provide managed resources to customers.
serverless.com / Serverless Framework: A framework for deploying applications in a consistent manner across SPs. This is a framework; it is not an official representation of the Serverless computing model.
FaaS: A form of Serverless computing that allows for the execution of sandboxed stateless functions on managed resources. SPs include AWS Lambda, Iron.io, GCP Cloud Functions, Azure Functions, etc.
Before we dive into the nuances we’ve observed, here were our general takeaways on the space:
(1) There’s no money in competing as a new SP for FaaS (i.e., going the PubNub route). The nature of FaaS is that it requires an entire ecosystem of resources (e.g., MQs, DBs, S3 buckets, etc.) to be present. Any new SP will have significant catching up to do.
(2) While FaaS may pique developer curiosities, it’s usually not the correct approach to a problem; given the event-driven nature of FaaS, we anticipate that most relevant workloads will be stream processing.
Using a general VC framework, let’s analyze the Serverless space in more detail:
Monetization as a new FaaS SP is tricky
Following up on our earlier takeaway that there’s no money in competing as a FaaS SP, let’s consider the routes an SP might take: (1) they can choose to deploy their FaaS offering atop their own datacenter, or (2) choose to deploy their FaaS offering atop an existing IaaS provider (mitigating the need to build out their own DC). Option 1 would require massive upfront investments. Option 2 has a fundamental flaw in its monetization strategy, as a portion of the profit margin would be directly funneled to the IaaS provider.
An SP would either need a novel pricing scheme or need to cater to a niche market (e.g., something like an Iron.io billing themselves as high-performance and flexible or PubNub targeting real-time & IoT) to differentiate themselves from existing SPs and garner traction.
FaaS Enablement & Management
Let’s instead look at FaaS enablement. Take serverless.com; they’re the clear leader as far as dev popularity goes (they have the most stars of any GitHub framework for getting started with FaaS on most providers). Similar to an ORM, they provide integrations for all major providers just like an ORM usually interfaces with several different databases. However, even though its framework makes it easier to write applications, I’m not convinced that solely relying on its unified API and open source framework is a sustainable monetization strategy.
Let’s consider FaaS monitoring. Let’s say you’ve built an app and deployed it to an SP. How do you monitor it? How do you catch errors? Products like iopipe.com have emerged to address this space. Here the monetization strategy is clear: build a monitoring tool, make it easy to integrate, and charge for monitoring; the battle strategy here has been proven time and time again (APM market).
Similar to how some companies are capitalizing on the migration from VMs to containers (think Docker, Mesos, and newcomer Heptio), we see a rise in companies that may be open-source but offer either training or services to migrate from containers to FaaS deployments. A clear monetization strategy has yet to evolve from this. However, we see an opportunity in tools that will allow companies to integrate their FaaS workloads along with their traditional [IPC]aaS or on-prem deployments. A first stab at this is Event Gateway, recently released by serverless.com.
The attack surface for FaaS deployments is quite large, given the multiple entry points an attack could come from. To truly secure FaaS deployments, one needs to have an understanding of the entire function topology.
Consider Vandium: it wraps your functions and examines the inputs to your functions to detect and reject common attack types. However, we see Vandium more as a library than a product. For one thing, while it performs function-level checks, it is not aware of the FaaS topology, which is crucial for detecting anomalous behavior. To be aware of FaaS topology, a product would have to integrate with the FaaS SP.
We see a need for a proper security offering that combines aspects of APM, NPM and SP awareness to provide a comprehensive monitoring solution with security as a first-class citizen. Companies will need ways to audit triggers and monitor how frequently functions are getting invoked. Additionally, for compliance, companies need a way to certify that their Lambdas meet HIPAA and GDPR requirements.
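To make the trigger audit and invocation monitoring described above concrete, here is a small added example (ours for illustration, not code from Vandium, serverless.com or any SP). The function names, trigger records and invocation counts are constructed; a real tool would pull them from the SP's APIs and metrics.

```javascript
// Constructed sample topology: which event sources can invoke which function.
// All names are hypothetical; a real tool would fetch this from the provider.
const topology = [
  { fn: "resizeImage", triggers: [{ type: "s3", source: "uploads-bucket", auth: "iam" }] },
  { fn: "chargeCard", triggers: [{ type: "http", source: "/charge", auth: "none" },
                                 { type: "queue", source: "billing-queue", auth: "iam" }] },
  { fn: "ingestSensor", triggers: [{ type: "stream", source: "sensor-stream", auth: "iam" }] },
];

// Declared intent: the triggers each function is supposed to have.
const expected = {
  resizeImage: ["s3:uploads-bucket"],
  chargeCard: ["queue:billing-queue"],
  ingestSensor: ["stream:sensor-stream"],
};

// Flag triggers that are undeclared or that accept unauthenticated events.
function auditTriggers(topology, expected) {
  const findings = [];
  for (const { fn, triggers } of topology) {
    const allowed = new Set(expected[fn] || []);
    for (const t of triggers) {
      const id = `${t.type}:${t.source}`;
      if (!allowed.has(id)) findings.push({ fn, trigger: id, issue: "undeclared-trigger" });
      if (t.auth === "none") findings.push({ fn, trigger: id, issue: "unauthenticated-entry-point" });
    }
  }
  return findings;
}

// Flag functions whose latest count exceeds `factor` x the median of earlier counts.
function invocationAnomalies(series, factor = 5) {
  const out = [];
  for (const [fn, counts] of Object.entries(series)) {
    const history = counts.slice(0, -1).sort((a, b) => a - b);
    const latest = counts[counts.length - 1];
    const mid = Math.floor(history.length / 2);
    const median = history.length % 2 ? history[mid] : (history[mid - 1] + history[mid]) / 2;
    if (latest > factor * Math.max(median, 1)) out.push({ fn, latest, median });
  }
  return out;
}
// Constructed per-minute invocation counts, oldest first.
const series = {
  resizeImage: [12, 9, 11, 10, 13],
  chargeCard: [3, 4, 2, 3, 95],
  ingestSensor: [400, 420, 390, 410, 430],
};
console.log(auditTriggers(topology, expected), invocationAnomalies(series));
```

Neither finding is visible from inside `chargeCard` itself: the undeclared HTTP entry point and the invocation spike only show up when the triggers and rates are compared across the whole topology.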
Recently I had an interesting dinner conversation with a product exec from Qualcomm, who mentioned that 5G will become mainstream in less than 5 years. One of the promises of 5G is to provide connectivity to a wide gamut of low-powered devices. As the number of connected devices increases dramatically, so will the need to process the information being emitted by them.
The usage of FaaS in stream-oriented processing is one of its most natural fits. The two biggest winners from the 5G wave will be companies that offer usage-based monitoring and security for FaaS and companies that find ways of scaling edge and core computing. The main reason for the latter is that current technologies that work with streaming data, like Apache Kafka, will break down when workloads become 100x with 5G, given the exponential rise in data sources.
As a fun experiment, take Kafka, stream a million topics to it, and see how it degrades.
As with any investment, the key question is timing. As FaaS continues to mature as a computing paradigm, we will see an evolution of technologies that will support its expansion and maturity. The examples listed above, which highlight innovations in deploying FaaS, security & compliance, and the ability to handle streaming data, will comprise the biggest opportunities in Phase I.
If we can execute successfully in maturing FaaS post Phase I, we would be able to capitalize on the myriad of computing platforms, including traditional client-server, containers, and now FaaS — environments that can truly customize to any organization’s development requirements.