Waikato Business News April/May 2021
Waikato Business News has for a quarter of a century been the voice of the region’s business community, a business community with a very real commitment to innovation and an ethos of co-operation.
28 WAIKATO BUSINESS NEWS April/May 2021
Is serverless right for you?
By RACHEL PRIMROSE
Serverless. It’s a buzzword. Love ’em or hate ’em, buzzwords give us crucial clues into what is trending, and this one is loaded.
Serverless computing is a cloud computing model in which the cloud provider dynamically allocates computing resources based on demand, and where the provider also administers the underlying servers on behalf of its customers.
To some it means “little to no maintenance”, to others “cheaper technology infrastructure”. While both are true, serverless is by no means a panacea.
Across all three major cloud infrastructure providers, there is no set monthly pricing for serverless infrastructure. Pricing is based on how much resource (generally the number of seconds that code runs, throughput, and memory) each request consumes.
Serverless is not necessarily going to be cheaper for code that runs 24/7, but there are other benefits. You won’t need a systems administrator and developers won’t have to learn how to install, run, secure and patch a Linux server (an increasingly rare skill). Running and maintaining servers is at a minimum a monthly maintenance job, and at worst a drop-everything-all-hands-on-deck job for high-risk issues such as the recent security vulnerabilities.
Equally important are the supporting services. Serverless workloads have limits, and don’t always provide features such as internet access, traditional storage and security.
While handled differently across cloud providers, these costs are additional to the cost to run the code written by your software developers. The great news though is that compared to the cost for multiple virtual machines, container services or physically hosted servers, this is generally lower until you get into extremely high workloads or if you are willing to significantly compromise on performance.
The cloud infrastructure cost aside, operational costs for serverless are a success story but also introduce items on your risk register. When you select serverless computing, the updates to the underlying hardware, operating system and base programming runtime are done for you. This doesn’t mean that software maintenance doesn’t exist – you’ll be informed and asked by your cloud provider to upgrade or face the consequences, which start with an inability to release new functionality, and can end up with your code ceasing to run.
You have two important risks to consider. You will be forced into upgrading platforms at some point. This will usually be several years in the future if your software is deployed on up-to-date platforms. The timing and inescapable inevitability cannot be ignored commercially.
The second risk is that you are effectively outsourcing your systems administration to your cloud provider. Professional consensus is that due to scale and customer volume the cloud providers will do a better job than your single sysadmin, but this is not guaranteed.
With risks acknowledged, we come to the true advantage in operational expenditure. There’s no requirement for a dedicated systems administrator.
The entire ecosystem from deployment to maintenance can be looked after by your software partner or developers, with a little help from your cloud provider in the form of proactive notifications.
Another common question about serverless is the cost to develop and scale. This is highly dependent on the languages, frameworks and type of problem you’re solving. Swapping out traditional servers for serverless solutions may not give a good solution. In general, there should be no additional cost to implement serverless code, provided that serverless is the correct technical fit for the problem.
And finally, onto a good problem to have: a fast growing business. In this area serverless technologies really shine.
With a support ticket (and a good explanation), well-designed solutions can scale from 1,000 concurrent requests up to 10,000 in hours. With traditional infrastructure, building for scale can be cost prohibitive during the initial design and build, whereas serverless solutions are largely intrinsically scalable.
The key to a successful serverless implementation is good architecture. Serverless should always be considered in a holistic way, starting with good technical fit, but always looking at the business fit as well.
At Company-X we have great success passing on serverless solutions to clients with feedback that onboarding time is low due to great tooling, the inherent modularisation that serverless code and infrastructure provide, and that the low infrastructure entry cost has made an agile approach a reality.
TECH TALK
> BY RACHEL PRIMROSE
Rachel Primrose is a software architect at software development specialist Company-X.
Working from home and copyright rights: the need for certainty of ownership
INTELLECTUAL PROPERTY ISSUES
> BY BEN CAIN
Ben Cain is a Senior Associate at James & Wells and a Resolution Institute-accredited mediator. He can be contacted at 07 957 5660 (Hamilton), 07 928 4470 (Tauranga) and benc@jaws.co.nz.
In pre-Covid days, if you created copyright works such as drawings or source code as part of your job, the odds are you would have done so during ‘normal office hours’ at your desk rather than at 9pm in the comfort of your own home. It would have been straightforward to establish who was the owner of copyright (TOOC) in those drawings or source code.
In these Covid-affected times, however, many office-based employees now work flexible hours and work from home (WFH). Indeed, the 8.30am-5pm day in the office has almost become a rarity rather than the norm. As a result, ascertaining who is the owner of copyright in drawings or source code may be a little harder to discern; or at least, the topic may be open for greater debate.
The need then to be sure of who owns what in an employment context is perhaps more important now than it was in the old days.
The recent case of Michael Penhallurick v MD5 Ltd [2021] EWHC 293 in the Intellectual Property Enterprise Court in England, although relating to events pre-Covid, illustrates this need.
Penhallurick, a former employee of MD5, claimed ownership of copyright in eight works relating to a technique he named “Virtual Forensic Computing” or “VFC”.* The eight works comprised different versions of the software code (literary works), a graphic user interface (artistic work) and a user guide (literary work).
It was established that the first two works – the earliest version of the VFC source code and the object code compiled from this code – were created in 2005 and 2006, before Penhallurick was employed by MD5 in November 2006. The Court found these works were not relevant to Penhallurick’s claim and consequently focussed its assessment on the remaining six works created by Penhallurick after he joined MD5.
The Court found Penhallurick was the author of the six remaining works and therefore was the first owner of copyright in them – unless any were made in the course of his employment by MD5 pursuant to the IP clause in Penhallurick’s employment agreements, in which case MD5 was the first owner. Which of these was the case turned on the meaning of “in the course of his employment”. Why? Because of the poor wording of the “Job Titles and Duties” and intellectual property clauses in Penhallurick’s first employment agreement.
The Court ultimately found that all of the works had been created by Penhallurick in the course of his employment with MD5. Of particular interest to this author, and relevance to this article given the current (and potentially permanent?) fashion for working flexible hours from home, however, is the Court’s finding in relation to the third and fourth copyright works (“VFC Version 1” and the graphical user interface (“GUI”) for VFC Version 1) created by Penhallurick in 2007. In respect of these works, the Court said:
“[66] … It seems that Mr Penhallurick took on the task [of developing VFC Version 1 and GUI] with enthusiasm, to the extent that he took his work home some of the time. His staff annual appraisal of August 2007 suggests that much of the work must have been done during working hours at MD5. But whatever the exact proportion done at home, it does not displace the strong and primary indication that it was work done in the course of his employment. The fact that an employee does work at home is relevant to the question of whether the work is of a nature to fall within the scope of the duties for which he is paid but it may or may not carry much weight. Where it is otherwise clear that the work is of such a nature, in my view the place where the employee chooses to do the work will not generally make any difference. The same applies to the ownership of the tools the employee chooses to use, here sometimes Mr Penhallurick's own computer system. If it is clear that the employee is being paid to carry out a task as agreed with his employer, he may choose to use tools supplied by his employer or his own tools; either way, the task is carried out in the course of his employment.”
Although it is not stated, I am confident the same reasoning applies to the time of day the employee chooses to do the work – that is, it doesn’t matter whether you do the work at 10am or 10pm, if the work is carried out in the course of your employment then any copyright rights in it will be owned by your employer.
Standing back, Penhallurick’s case identifies two important ‘take homes’ for both employers and employees:
• first, if an employer is going to make use of copyright works created by an employee before that person is an employee, then the employer should have the employee assign copyright in those works to the employer at the same time the employee becomes an employee. Alternatively, execute a licence agreement with the employee at the same time the employee becomes an employee to enable those works to be lawfully used by the employer;
• second, the employer should ensure employment agreements, but particularly those with employees whose job it is to create intellectual property, adequately identify an employee’s role and scope of duties so that it is clear what resulting intellectual property the employer is laying claim to by virtue of the employment agreement, irrespective of what time of day and where that intellectual property is created.
* VFC is a method of retrieving an image of the hard disk without writing on it, then booting up the image on a virtual machine so that the image can be investigated. In developing the technique, Penhallurick had used a freely available product called VM Software to set up the replica of the target computer’s hardware and operating system. As computer programs generally have inbuilt safeguards to prevent them from being manipulated in this way, the method developed by Penhallurick involved a password bypass feature.