Serverless Security is more than FaaS Security – Part 1

In the process of onboarding large enterprises, Dome9 ingests massive cloud footprints and has to perform complex analysis across thousands of cloud accounts, regions and VPCs at scale to ensure security and compliance of the cloud infrastructure. A key component we are starting to see in these cloud environments is the emergence of serverless computing, which is mainly being used to reduce computing costs, simplify operations and rapidly scale application deployments for Devops teams.

This blog is part of a series of posts focused on serverless security. In this blog, we will introduce the concept of serverless and explain some of the security challenges associated with this new architecture. In the following posts, we will dive deeper into:

1. Securing S3 buckets

2. Protecting databases and other cache services

3. Securing serverless computing (Lambda functions and API gateway security)

and discuss how Dome9 can help secure these infrastructure related services.

What is Serverless?

Serverless embodies a novel cloud computing model that decouples server and infrastructure level management from the application level development.

[wp_colorbox_media url=”https://dome9.com/wp-content/uploads/2018/08/serverless-2-1.png” type=”image” hyperlink=”https://dome9.com/wp-content/uploads/2018/08/serverless-2-1.png” alt=””]

What this means for the application/cloud architects:

– You don’t control the infrastructure, only the data – According to Gartner, 95% of cloud breaches, are caused due to customer related misconfigurations. In this model developers solely focus on their code and business logic, and let AWS to provision the appropriate resources and enable smooth cloud operations.

– You don’t control the networking, only access control and security settings – It eliminates the hassles involved in implementing, dealing with specific configurations that an application or cloud architect has to traditionally maintain.

Most people think Serverless = Cloud Functions aka Function as a Service (FaaS)which is a shortsighted view. The serverless framework is comprised of not just functions, but also entities such as S3 buckets, Cloudfront, API gateway, RDS etc. As a result, cloud functions need to be thought of in the broader context of the serverless app architecture.

Key Challenges For Serverless Security

Serverless can be a great architectural choice, but it also comes with some security concerns such as:

1. Dynamic and New Environment – The world of serverless is new to everybody, making it very hard to protect. In this highly dynamic environment a life span of a lambda function can be 5 minutes, giving attackers the ability to conduct attacks while flying under the radar.

2. Scale, Scale, Scale – As customers adopt serverless, they tend to have large scale deployments (Dome9 now protects customers with 500K lambda functions or more) Managing security and compliance for such environments at scale can be a nightmare.

3. Poor Visibility – Ephemeral services require deep visibility into security policies as malicious traffic can’t necessarily be detected by traditional SIEM tools. As environments scale, points of attack increases and it is hard to spot malicious activity.

4. Complex Policy Enforcement – As the number of services increases, it results in more permissions that need to be managed and fine tuned. This can get complex applied in a highly dynamic environment across thousands of accounts, functions, buckets etc. 

5. Traditional Perimeters are Dead – Perimeter is no longer established – single API call can cause configuration changes and expose your serverless architecture. There is no place for traditional security tools such as perimeter firewalls or agent based solutions.

The traditional security model where security comes after developers wrote code and built workloads just doesn’t work for serverless. When it comes to security, admins must be more vigilant in securing the services that are the cornerstone of a serverless architecture.

Stay tuned for the next blog in this series where we will dive deeper into securing specific serverless entities.