By: Hillel Sollow, Serverless Security R&D
We talk a lot about the need for a different security paradigm for AWS Lambda Security or Microsoft Azure, and it is easy for these messages to get conflated. However, there are a many good reasons why security teams should be pushing their organizations towards serverless, and not away from it. While many believe serverless frameworks present new security challenges that are hard to deal with, especially manually, the truth is serverless brings forth many security advantages and big opportunities for better security. There are new risks, and organizations should definitely consider new techniques and automated solutions, but if done right, serverless security doesn’t have to be challenging.
Why Do I Need New Serverless Security?
In general, three issues drive your security strategy when implementing serverless security. The first issue involves redefining how you mitigate risk, when the risks seem mostly familiar. In a world where servers don’t exist and there is auto-scaling, knowing where to deploy cloud and application security can be a challenge, but an important factor on risk mitigation.
The second issue involves technology that allows us new opportunities for security that were previously difficult or impossible to implement. Serverless technology is clearly in this category. The fine-grained “nano-service” architecture that most serverless applications follow allows much more tightly applied security policies. The orchestration of resources on the cloud fabric in a visible way also provides a wealth of information that security tools can take advantage of to protect applications.
The third issue is the introduction of new technology which creates new risks that need mitigating. While there are some new types of risks to address in serverless applications, e.g. fragmentation of the perimeter and security orchestration challenges, overall it’s clear that serverless technology introduces less security risk than other technologies.
How Will Moving to Serverless Make Me Secure?
1. Security Gets Better
Remember, despite the name, there are still servers, operating systems and runtimes in the platform. You just don’t have to manage them anymore. In addition, you don’t have to handle their security anymore either. The cloud providers will undoubtedly do a better job than most of us at keeping these parts of the system secured. Moreover, since you no longer need to handle that, you can repurpose the extra time you used to spend on patching OSs doing something else to improve security.
2. The Move to Zero Trust
Perimeter security is less applicable in serverless. On the other hand, I think that the past few years have shown us that the Zero Trust model is a better model for security. The perimeter was never as hermetic as we imagined, and moving to a Zero Trust model for our applications is going to make things even more secure. Much of the work we are doing on application defense at Check Point is around this model and it is going to make application security better.
3. Fine-Grained Serverless Security
We talk a lot about the challenge of getting optimal security configuration when deploying serverless applications. Hundreds of functions means hundreds of IAM roles to craft, and most organizations are not yet taking advantage of this gift. But it is a gift. With the right tools and processes, you can have what we call “shrink wrapped permissions” around each function, allowing that function to access exactly the resources and services it needs and nothing more. With security posture done right, the vast majority of potential attacks on your application are prevented and you can then focus your security energy on defending against the remaining risks.
Often, when talking about if serverless is secure, we talk about the challenges in deploying security without state. But let us not forget that the fact that functions execute for a short period of time, and this makes attackers lives very challenging. If you focus on configuring your function timeouts to be as short as possible, you will actually make many attacks almost impossible. The fact that your functions do not live long will make your application more secure.
So Is It All Roses?
Well, no. Obviously there are inherent risks in doing anything new and unexplored, and you need to get ahead of those risks by learning what works well for your organization. And potential security advantages, like visibility and granularity, are only potential advantages until you use the right tools and create the right workflows to realize those advantages.
But once you do, you will find those applications that you reimagined with Lambda, API Gateway and DynamoDb, that you secured with the right platforms for serverless security, are the most secure applications in your organization.