By Hillel Solow, Serverless Security R&D
Serverless enables you to shift even more infrastructure management responsibilities to your cloud provider. Serverless architectures provide you automation and the benefit of experiencing unlimited scale potential. Very little stands between developers and deployed code, which accelerates time to market, while making it easier to maintain and test individual functions. No infrastructure is involved – it comes ready and available, out of the box. Finally, you pay only for what you use, resulting in lower costs.
Offloading these duties significantly decreases operations costs; and being absolved of additional infrastructure management enables you to focus on developing solutions to serve your organization and customers. As development teams shift focus from the tech to business value, you can get more done with fewer people. Serverless can also fill in any gaps in your architecture faster and cheaper than building infrastructure.
Serverless Computing Security Risks
For security, the move to serverless makes some things better, while also raising new challenges. In some ways, the nature of serverless improves security. You no longer need to patch servers. The ephemeral, stateless nature of serverless compute makes attackers’ lives harder. And the fact that your application is now structured as a large number of small functions in the cloud enables you to see each unit of compute as a separate entity.
Serverless architecture security becomes easier in many ways and requires a unique, nuanced approach. While some things get better, and others just change, here are the unique challenges for securing serverless apps.
- Security Visibility
- Difficult to make sense of all of the disparate data
- Many More Points of Attacks, Protocols, & Vectors
- Every function, API and protocol = potential point of attack
- Erosion of The Perimeter
- Serverless apps = a more porous, fragmented boundary
- More Permissions to Manage
- Challenging and time-consuming
- Where to Deploy Security?
- There’s nowhere to put traditional network or perimeter security such as WAF, firewall, and IDS
- More Functions, more changes, equals more risk.
- The ephemeral and fragmented nature of serverless can mean more frequent changes to posture, and more risk management and security auditing requirements.
Threats to your apps will persist. They just will not look and act the same way. Maintaining control and security requires a paradigm shift in your thinking. Defenses need to focus less on handling the specific event and more attuned to the overall pattern of these repetitive stateless attacks.
So, Whose Job is it to Secure Serverless Apps?
With the advent of new technologies, there is a recurring trend of forgetting security lessons from the past and climbing a new learning curve. Right, wrong, or indifferent, developers see the security teams as delayed progress – too big of a delay. Serverless is no exception. However, there is additional confusion regarding where the responsibility for serverless application security lies.
Unfortunately, the traditional AppSec approach takes time and can slow things down, negating the serverless benefit of rapid feature deployment. Developers cannot possibly keep up with the hyper-accelerated velocity they themselves created if they need to wait on security to open ports, IAM roles, or security groups for them. While security pros do not want to get in the way of the developers, they still need the ability to control policy and visibility, but they are challenged as to how to integrate with DevOps to implement security controls without causing a slowdown of the pipeline. This leaves everyone in a quandary.
Why We Must Make Secure Serverless Computing Everyone’s Problem
The solution to secure serverless applications is truly everyone’s problem and requires a close partnership between developers, DevOps, and AppSec. Security teams need to find a balance where developers are trained and empowered to implement security coding best practices: the more automated the better. However, security teams are not absolved from responsibility – security vulnerabilities and issues are their responsibility, and they need to be fixed early in the lifecycle. Help with defining risk of the problem i.e. is this something we can deploy the application with, without introducing risk to the business. Finally, create cross-functional teams and work towards tight integration between security specialists and development teams – collaborate with DevOps so your organization can resolve security risks at the speed of serverless.
I’ll leave you with three best practices to think about:
- Map your app & observe the ongoing flow of information
- Apply perimeter security at the function level
- Craft suitable, minimal roles for each function
If you want to learn more about how you build a secure serverless architecture using Check Point, check our serverless security solution.