Serverless has been taking the web development world by storm. Many developers opt to pursue serverless functions in new application architectures where a microservice approach would support more traditional containerization. Serverless, however, is still a new technology that continues to grow in both capability and ecosystem.
This article first provides a brief overview of the serverless landscape and discusses the original ideas behind serverless development. The article then delves into the different serverless technologies from AWS Lambda to GCP and Microsoft Azure.
What Is Serverless? Why Does It Matter?
Serverless is in many ways a misnomer, as there is definitely a server involved in each serverless function call. Serverless is an evolution of microservice architectures, applying the concepts of rapid deployment and infrastructure-as-code at the “function” level, providing more granularity than the standard service-level focus. Recognizing this, early versions of what are now called serverless products referred to themselves as function-as-a-service (FaaS) offerings. These FaaS offerings had evolved from similar backend-as-a-service offerings designed to minimize the infrastructure needed to bring an application to market.
The serverless space evolved in response to two needs:
- The ability to find product-market fit very quickly
- The ability to minimize spending on infrastructure as the product evolves
Serverless technology responds to these needs by providing on-demand infrastructure, giving you full availability without the need for an always-on server. This is often achieved through leaning fully into a specific serverless provider, such as Amazon Web Services or Microsoft Azure. Deployment and DevOps are then achieved through third-party tools that aggregate and manipulate the base AWS or Azure resources, allowing developers to support the application as they would a more traditional server-based application.
How Do Serverless Functions Work?
Serverless functionality, whether built on a provider like AWS, Azure, GCP, or locally using OpenFaaS, all rely upon triggers. These triggers are tied to events within the provider’s infrastructure, such as requests to a specific URL, and are intended to integrate seamlessly with the rest of your tech stack. These triggers spawn creation of a function container to handle your request. This removes the need to focus on scalability as you grow while also removing the need for your developers to focus on architecture.
What Are Serverless Security Concerns?
Serverless technology brings significant power and flexibility to a development team, letting them focus on features and functionality instead of infrastructure. This flexibility of serverless applications is not without its risks, though, and it’s important to be aware of the potential security concerns you might encounter before setting foot in the serverless world.
The first security concern you’re likely to run into is simply keeping your security consistent across all of your serverless functions. As standards evolve in your organization, and holes in your security approach are found, you’ll need to propagate the fixes for those holes throughout your entire suite of serverless functions.
On top of the additional complexity due to your application being split among a number of functions, serverless applications face an uphill battle in observability. Logging function activity simply isn’t enough of a signal when troubleshooting issues that are spread across multiple serverless functions. Native tools like CloudWatch start to fail under significant complexity, meaning you will lack visibility as your customers are using your application.
Arising from this is another potential security risk for your application. Security for serverless functions is managed through IAM roles. If these roles have security sets that are too permissive, you can expose your infrastructure to the risk of a rogue function wreaking havoc due to insufficient security restrictions.
This list of security concerns, while not complete, highlights the need to have a dedicated focus on serverless security from the first function you write. Check Point has a number of security solutions that address these core vulnerabilities, while also providing you the automated visibility into your serverless application that you need to deliver value to your users. You can learn more about how Check Point can help with your serverless security here.
A Brief History of Serverless Technology
Serverless technology is an evolution in infrastructure that follows directly from two distinct DevOps trends. The first is thin servers, as implemented in the multiple backend-as-a-service providers like Parse, Backand, and Firebase. Alongside this evolution, deployment technologies were moving away from the standard one-server-per-service model to a model that depended upon containerization—first as virtual machines, then later as deployable containers via Docker.
AWS revolutionized the state of affairs in serverless technology by literally coining the term at re:Invent in 2014. A few months later, the movement solidified, with offerings emerging from Google Cloud and Microsoft Azure that were designed to compete directly with AWS Lambda. As the serverless base technology matured along party lines, third-party tools like Serverless Framework emerged to provide developers with more of a choice.
Within months of the release of AWS Lambda, Google and Microsoft had responded with their own offerings. In the years since, every major cloud provider has responded with their own version of serverless functions, from IBM’s OpenWhisk to Oracle’s Cloud Native Functions. There are also open-source frameworks like OpenFaaS for institutions that need to roll their own infrastructure alongside their development. At the same time, third-party support tools are hitting their stride. Tools like Serverless Framework and Check Point make working with serverless functions a breeze for developers, providing solutions to the critical problems of serverless development.
Challenges with Serverless Technology
While serverless technology offers numerous benefits, there are areas where DevSecOps teams have to rethink their approach. These changes of course fall into three categories:
- Feature development
- User experience
- Infrastructure management
Starting with development and development operations, many of the toolchains supporting serverless development are still evolving. Tools like Azure or AWS’ Serverless Application Model provide support, but comprehensive development suites do not yet fully exist for serverless applications, and this includes security and compliance best practices.
Debugging serverless functions can be a painful experience if you are running into hardware edge cases, and being unable to replicate the hardware used can represent a roadblock. Tracing across multiple function calls is not easily achievable without adding additional load to each request; monitoring for failures is complex due to being unable to establish root causes; and even simple visibility into control flow is challenging to achieve at a comprehensive level.
Complicating matters is the hot/cold nature of serverless technology itself. As containers to execute your function may not exist at the time of the request, there is a small delay while these servers build—referred to as a “cold start.” While individually the impact of a cold start is small (0.1 seconds on average in 2017, though better now), the aggregate impact of small delays can prove significant from a user experience perspective.
Finally, not all triggers are equally replicated across all serverless providers. This requires third-party vendors to step in with solutions and toolchains. While this is not a strict problem in the technical sense, it imposes maintainability and interoperability concerns in that your risk of failure increases with the addition of third-party tools, leaving your application’s success partially out of your hands. Your comfort level with paying for peace of mind will determine the degree to which your organization is impacted, but it is possible to solve many of these integration and development problems with simple fiscal allocation.
Serverless Security Considerations
Deployment of new architecture can present new security concerns. For example, in a serverless environment, where multiple functions are deployed simultaneously, the default is usually to run with the maximum permission levels allowed for one of the functions in the stack. As a result, functions often end up with less secure permissions. In order to optimize efficiency and reduce risk, this paradigm shift must therefore be addressed by the security organization and the DevOps team alike.
Among the key security concerns for organizations running applications on serverless architecture are:
- Managing permissions: The large number of serverless resources that interact with each other requires much more effort to configure correctly. Even if permissions are set correctly during deployment, small server configuration changes could suddenly make your application vulnerable to attacks.
- Loss of the perimeter: Every function is independent and with its own perimeter, rendering traditional filtering solutions ineffective.
- Vulnerable application dependencies: Code is spread out across a much larger set of small services, each of which imports its own set of libraries. This, of course, makes managing vulnerabilities particularly challenging.
- Bad code: With less standing between developers and production, there are fewer opportunities to catch code and configuration errors.
- Denial of service: While you may have negotiated higher limits for your application, because scaling is not infinite, you are still susceptible to denial-of-service attacks if an attacker is able to saturate your limits.
As paradigms shift in web application architecture, this has created a need for a parallel change in serverless security through intelligent automation of security rules and permissions before the functions are even deployed. This approach, combined with scanning functions during development, will enable organizations to offset the likelihood of security issues during runtime.
The Future of Serverless
As has been seen above, third parties have stepped in to fill the gaps in the serverless space in a major way. The inevitable competition will result in both lowered prices and increased functionality offerings, giving organizations more choice in the long term by adding additional flexibility where it was not otherwise present.
Alongside the maturation of third-party tools, new players in the space will allow developers to create further abstraction levels from the root serverless code, increasing the capability to support multiple cloud providers at once. By providing new constructs to represent the ideological concepts of serverless functions, developers will have both a brighter palette to draw from and more comprehensive means of achieving the traceability and discoverability that are current problems in serverless ecosystems.
The biggest growth area, though, is in serverless observability. With the rise of applications built out of a disconnected collection of serverless functions, tracing the control flow in your application has grown in complexity in lockstep. Providers like Check Point have responded to this need by implementing automated monitoring and observability through their CloudGuard software, helping you achieve the visibility you need to keep your serverless application running smoothly.
In addition, given the magnitude of serverless functions deployed, the ability to remediate security and compliance issues based on machine learning, anomaly detection, compliance requirements, and customized rules and regulations is critical. These protocols will not only be monitored and blocked in runtime, but also templatized into CI/CD to aid developers in the secure deployment of their serverless functions-stopping security and compliance issues before they are even deployed.
All of these improvements together will result in faster time to market. This additionally allows for security needs being handled at the development level, allowing security to “shift left” on the application development pipeline.
Moving to a Serverless World
Serverless is rapidly entering a growth phase, making it a hot topic as the underlying tech evolves at a frantic pace. While this has led to challenges that are not present in traditional application environments, serverless development can be a quick boost that results in a rapid improvement in time to market.
By adapting your tool chain to leverage third-party tools like Check Point, you can ride the edge of this wave in web development, gaining all of the benefits with none of the clutter.