Going Serverless in Financial Services with Brian McNamara

Software Engineering Daily

Published: Tue Jan 07 2025

Serverless computing is a cloud-native model where developers build and run applications without managing server infrastructure. It has largely become the standard approach to achieve scalability, often with reduced operational overhead. However,

Summary

Podcast Summary: "Going Serverless in Financial Services with Brian McNamara"

Introduction

In the January 7, 2025 episode of Software Engineering Daily titled "Going Serverless in Financial Services with Brian McNamara," host Sean Falconer engages in an in-depth conversation with Brian McNamara, a distinguished engineer at Capital One. The discussion explores Capital One's transition to serverless architecture, the benefits and challenges of adopting serverless in the highly regulated financial sector, governance and security considerations, and future trends in serverless computing.

Brian McNamara’s Role at Capital One

Brian McNamara introduces himself as a distinguished engineer at Capital One, emphasizing his role as a senior individual contributor (IC). His responsibilities revolve around serverless integration and development at scale, both tactically and strategically.

"I'm a distinguished engineer at Capital One. Essentially that's a senior IC role." [01:05]

He collaborates with various teams across the enterprise, including the retail bank, card business, enterprise cybersecurity, and machine learning teams. This cross-functional collaboration allows him to influence how Capital One's large engineering organization approaches business problems with serverless technology.

"I have the opportunity to engage with different teams who are looking to adopt serverless compute, help them run through any outstanding questions." [01:24]

Capital One’s Transition to Serverless Technology

Capital One began its cloud journey in 2014 with a traditional "lift and shift" approach, migrating existing on-premises systems to the cloud. By 2021, Capital One's leadership declared a "serverless first" strategy, prioritizing serverless technologies like AWS Lambda and AWS Fargate for new projects to enhance the developer experience and reduce operational burdens.

"In 2021, we made a declaration that we were going to be a serverless first company." [04:38]

This strategic shift aimed to allow developers to focus more on delivering business value and less on managing infrastructure.

Benefits of Serverless at Capital One

Brian outlines several key advantages of adopting serverless architecture:

  1. Reduced Operational Overhead: Serverless eliminates the need to manage server infrastructure, allowing developers to concentrate on writing code and delivering features.

    "Serverless is all about minimizing management cost." [06:02]

  2. Scalability and Elasticity: Serverless automatically scales to handle varying levels of traffic, ensuring high availability without manual intervention.

    "You can have compute that scales to really high levels if needed, but can also scale down to zero." [06:08]

  3. Maintenance Cost Reduction: With managed services like AWS Lambda, tasks such as patching and ensuring high availability are handled by the cloud provider, reducing maintenance costs.

  4. Enhanced Innovation: By offloading infrastructure management, developers can focus on innovative solutions and speed up the development cycle.

    "Letting developers focus on what they do well." [04:31]

Challenges in Migration to Serverless

While the benefits are substantial, migrating to serverless presents unique challenges:

  1. Fear, Uncertainty, and Doubt (FUD): Initial skepticism about serverless capabilities, scalability, and suitability for critical applications persists.

    "Plain old FUD, you know, fear, uncertainty and doubt." [28:34]

  2. Application Decomposition: Migrating requires breaking down monolithic applications into smaller, event-driven functions, which can be complex and time-consuming.

  3. Cost Optimization: While serverless can lower total cost of ownership (TCO), improper architecture can lead to higher cloud compute costs. Optimizing both engineering and cloud infrastructure costs is essential.

    "Leadership has looked beyond [...] total cost of ownership, it's not necessarily only cloud cost." [05:35]

  4. Observability and Monitoring: Transitioning to serverless demands a disciplined approach to observability since traditional server-based monitoring tools are not applicable.

    "Working in serverless environments forces you to be more disciplined in how you approach observability." [17:11]

Governance and Security in Serverless Environments

Operating within the financial sector, Capital One places a high emphasis on security and compliance. Brian discusses the company’s rigorous processes to ensure that serverless applications meet security standards and comply with regulations. Key strategies include:

  • Service Evaluation: Assessing new cloud services for necessary controls before adoption.
  • Infrastructure as Code: Utilizing tools like Open Policy Agent (OPA) to enforce compliance and governance policies automatically.
  • Supply Chain Security: Vetting new libraries and continuously monitoring for vulnerabilities to secure the application lifecycle.

"We use OPA so that developers can deploy compliant applications." [21:09]

Serverless Center of Excellence

Capital One has established a Serverless Center of Excellence to foster collaboration among developers interested in serverless technologies. This center serves as a platform for sharing best practices, addressing common challenges, and collaborating across different lines of business and support teams, including cybersecurity and developer experience.

"The Center of Excellence allows us to group people who have an interest in improving the serverless developer experience." [27:07]

Monitoring and Observability in Serverless

While serverless abstracts away server management, robust monitoring and observability remain crucial. Capital One leverages AWS-provided metrics and custom instrumentation to gain insights into application performance. Tools like AWS Lambda Power Tuner and OpenTelemetry are utilized to optimize performance and ensure visibility into serverless applications.

Cost Management in Serverless

Brian highlights that while serverless can potentially incur higher cloud compute costs, the overall TCO often decreases due to reduced maintenance and operational expenses. To optimize costs, he advises rearchitecting applications to fully leverage the strengths of the cloud rather than merely lifting and shifting existing infrastructure.

"Serverless, when compared with an equivalent or an instance-based compute, may actually be more expensive. So people often hold up cloud costs as a reason to not consider serverless." [05:24]

Future of Serverless

Looking ahead, Brian anticipates advancements in serverless technology, including:

  • Durable Workflows: Enhancing state management for important workloads.
  • Software Supply Chain Management: Improving visibility and security across the supply chain.
  • Operator Experience: Enhancing operational tools for better application management and observability.

He emphasizes that serverless does not eliminate operational responsibilities but rather shifts them, making observability and understanding application behavior increasingly important.

"Serverless absolutely is ops. It doesn't absolve you from your operational responsibilities." [37:05]

Conclusion

In this insightful episode, Brian McNamara shares Capital One’s comprehensive journey into serverless computing, emphasizing strategic adoption, cost management, robust governance, and security within a highly regulated industry. The conversation highlights the balance between innovation and compliance, illustrating how serverless architecture can drive efficiency and agility in financial services while maintaining stringent security standards.

Notable Quotes

  • "We’re serverless first, but we're not serverless only." [29:11]
  • "Serverless is all about minimizing management cost. So yes, there are servers in serverless, but you don't have to manage them." [06:02]
  • "We need to make sure everything that we deploy conforms with our policies." [20:05]
