By Hillel Solow, Serverless Security R&D
With no compute, VM, container, or network, serverless computing offers the ultimate reduction in security attack surface. With the recent release of the AWS Lambda Extensions, organizations are closer than ever to heightening visibility and security on deployed serverless functions.
Security is inherently improved with serverless, as the attack surface is minimal and several security responsibilities shift to the cloud provider. For instance, AWS is responsible for patching and updating platform software, including the operating system and runtime for AWS Lambda execution environments.
Notwithstanding, companies need to change their security focus in several ways:
- Visibility. The ability to monitor and maintain observability of serverless functions, where they are located, and what resources are accessing them, is critical. Knowing what you have and what is going on is challenging but invaluable.
- Posture Management. Given the number of functions in deployment, security and compliance posture becomes much more critical and challenging to manage. Serverless applications comprise hundreds or even thousands of microservices, and each one must be configured properly to ensure continuous security and compliance.
- Application Security. The dynamics of a serverless function running an application are fundamentally different: it is both stateless and ephemeral. Therefore, organizations need to secure the application layer with those notions in mind, protecting the applications from repetitive, upstream, and infrastructure attacks.
Serverless attacks differ from traditional attacks in several ways, so the approach to security must change accordingly. Firstly, attacks are often repetitive, meaning that an attack might be difficult to detect if you are looking at a single event and trying to classify it as good or bad. Secondly, attacks manifest across more than a single resource. Identifying and investigating attacks requires analysis of the entire flow of the application, not of a single resource or Lambda function invocation.
The key challenges in protecting serverless applications include:
- Minimizing the attack surface to make attacks more difficult to begin with
- Detecting attacks correctly, despite the challenges mentioned above
- Defending against attacks at the application layer, without crippling serverless functions with untenable security burdens
To address this, Check Point CloudGuard focuses on three critical strategies to defend serverless.
- CloudGuard analyzes serverless applications continually during deployment and production, detecting any gaps in security posture and helping SecOps and DevOps teams collaborate on remediating posture issues quickly.
- CloudGuard analyzes real-time telemetry from application activity and logs, and isolates security events that require customer attention, collating small events across multiple resources into a single story.
- Finally, CloudGuard uses the detailed data on posture and behavior to compile a highly customized security defense strategy for each part of the application, so that the minimum security overhead is incurred while defending the application.
This approach is enhanced further by an intelligent security integration with serverless providers, including AWS Lambda.
Recently, AWS Lambda announced a public preview of Lambda Extensions, affording enhanced integrations with Check Point CloudGuard to improve monitoring, observability, security, and governance of Lambda functions. With the CloudGuard extension, organizations can plug directly into Lambda's execution environment and augment functions with CloudGuard, even before the function enters runtime/invocation. CloudGuard can also run in parallel to the function invocation, exposing different stages of Lambda execution and providing additional capabilities to protect against vulnerabilities and exploits.
Check Point CloudGuard has always made it easier for organizations to manage the security of their applications with customized policies, monitoring, and remediation, but with this integration, serverless security becomes even more streamlined behind the scenes. The integration allows CloudGuard to capture diagnostic information before, during, and after a function invocation and transfer it directly from the Lambda environment, while hardened security agents run alongside the function to detect function activity and alert CloudGuard directly.
In summary, Check Point CloudGuard has moved security monitoring data aggregation from the in-process injected security layer to an out-of-process extension. This takes advantage of asynchronous message processing, so function execution is not delayed for log delivery, and allows for the safe aggregation of logs across multiple invocations. All of this is incorporated into the comprehensive CloudGuard solution, which provides a detailed view into the security posture and defense status of the application and allows security engineers, developers and administrators to view and act upon each issue or incident.
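To make the out-of-process model concrete, here is an added example of a minimal external Lambda extension skeleton written for this post; it is not CloudGuard's code. It registers with the Lambda Extensions API for INVOKE and SHUTDOWN events and buffers per-invocation records so that delivery happens in batches off the function's invocation path; the extension name, batch size and record fields are assumptions, and when run outside a Lambda environment it replays constructed events instead of calling the API.

```python
"""Minimal external Lambda extension skeleton (added example, not CloudGuard's code)."""
import json
import os
import urllib.request

API_VERSION = "2020-01-01"
EXTENSION_NAME = "telemetry-aggregator"  # hypothetical extension name
BATCH_SIZE = 5  # assumed batch size for asynchronous delivery

def api_url(path):
    # AWS_LAMBDA_RUNTIME_API is set by the Lambda execution environment
    return f"http://{os.environ['AWS_LAMBDA_RUNTIME_API']}/{API_VERSION}/extension/{path}"

def register():
    """Register with the Extensions API; returns the Lambda-Extension-Identifier."""
    req = urllib.request.Request(
        api_url("register"),
        data=json.dumps({"events": ["INVOKE", "SHUTDOWN"]}).encode(),
        headers={"Lambda-Extension-Name": EXTENSION_NAME, "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.headers["Lambda-Extension-Identifier"]

def next_event(ext_id):
    """Long-poll the next INVOKE or SHUTDOWN event for this extension."""
    req = urllib.request.Request(api_url("event/next"), headers={"Lambda-Extension-Identifier": ext_id})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def run(poll, flush, batch_size=BATCH_SIZE):
    """Consume events until SHUTDOWN, buffering one record per invocation and flushing
    in batches so log delivery never blocks the function. Returns (invocations, batches)."""
    buffer, invocations, batches = [], 0, 0
    while True:
        event = poll()
        if event["eventType"] == "SHUTDOWN":
            if buffer:  # drain whatever is left before the environment goes away
                flush(list(buffer)); batches += 1
            return invocations, batches
        invocations += 1  # INVOKE: observe out-of-process, the handler is not delayed
        buffer.append({"requestId": event["requestId"], "deadlineMs": event["deadlineMs"]})
        if len(buffer) >= batch_size:
            flush(list(buffer)); buffer.clear(); batches += 1

if __name__ == "__main__":
    if "AWS_LAMBDA_RUNTIME_API" in os.environ:  # inside a real Lambda execution environment
        ext_id = register()
        run(lambda: next_event(ext_id), lambda records: print(json.dumps(records)))
    else:  # offline demo over constructed events
        demo = iter([{"eventType": "INVOKE", "requestId": f"req-{i}", "deadlineMs": 60000} for i in range(4)]
                    + [{"eventType": "SHUTDOWN", "shutdownReason": "spindown"}])
        print(run(lambda: next(demo), lambda records: print("flush", len(records)), batch_size=3))
```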
For each issue or incident, CloudGuard provides clear information on what happened, including the evidence for that event, what the risks are, and what options there are for short and long-term remediation. Giving clear and detailed information to all stakeholders is crucial to ensure that security risks are mitigated as rapidly as possible.