Serverless is a new approach to application architecture and deployment. Security becomes both easier and harder, and it is nuanced. In this post, we will go over: what got better, what got more challenging, and what changes
What Got Better
One key point that is worth shouting from the rooftops is that if done right, your application security should improve as you move to serverless. Let us look at some of the things that make your life easier.
#1 Cloud Providers Handle OS & Runtime Security & Patching
For most of us, cloud providers are responsible for the security of system and patching OS system and runtimes. It’s what they do, and they do it well. For most of us, moving this responsibility to the cloud provider is a security plus.
#2 Smaller Microservices = Fine-Grained IAM
If a large container executes many functions, then you have to constrain it to do many things. From a security perspective, this is not ideal. Moving to smaller microservices enables you to do more fine-grained IAM around them all, and you must not carelessly over-permission. Here, you have the opportunity to apply security policies to each of those small things. This can significantly scale down your attack surface, enabling you to move more easily
#3 Stateless/Ephemeral == No Long-Term Resident Injections
Serverless functions run for a few seconds and then die. Containers get recycled. And the fact that serverless functions come and go and have no memory can be a security plus. You no longer have to worry about long-term attacks. Attackers are unable to get in, establish a base, and live for months stealing credit card numbers.
Of course, there are ways for attackers to consider more long-term attacks, such as upstream poisoning, stealing keys to accounts, or finding functions that may enable them to create functions or modify permissions. While long-term attacks can still occur, serverless shifts the focus away from worrying about someone living in your code for years.
#4 More Visibility into App Behavior
In a serverless system, you have made things smaller and put them in the cloud. Therefore, you have more visibility in logs and monitoring tools regarding which functions interact with which, what resources are accessed, how frequently, etc. All that visibility can help substantially with security.
What Got More Challenging
There are, however, some things that are harder, either because the environment changed, or because the technologies we used to use do not apply as well.
Serverless Security Visibility Got Harder
The total amount of associated information and number of resources increases with serverless. This hinders your ability to make sense of all of the data. Obtaining intelligence from the mountains of data is challenging.
If you have ten containers, you can know if they are running or not. Nevertheless, when you have 1,000 functions, it is more difficult to determine if everything is behaving the way it is supposed to. With a billion events in your log every day, it is difficult to know which are important – alert fatigue is hence, exasperated.
Your Surface attack just got bigger: More functions means More Protocols, and more Vectors of attack
Every function is something you must consider as a point of attack. Some are easier for attackers to access than others, but you must consider if an attacker could make each function run when they want or in a way they want.
That is true for protocols as well. Classic web apps have a front door with a load balancer and speak HTTPS. Now you must think about numerous different event triggers, each with their own protocols and JSON structures and different ways people could trigger them.
Erosion of The Perimeter as We Used to See It
In the past, applications had a clear boundary. The outside and inside were distinct, and we could do security at the perimeter. While it is not ideal to have security remain exclusively at the perimeter, it was still possible to “build a wall” through technology products like a Web Application Firewall (WAF)
Serverless apps are more porous and fine-grained. It is more difficult to discover where the perimeter lies. Each function? Each resource? The whole app?
More Resources = More Permissions to Manage
Yes, this is advantageous because it enables more fine-grained permissions. However, instead of governing how ten containers talk to three tables and four buckets, you now have thousands of functions talking to a whole host of resources and each other. It is challenging to determine permissions for all these interactions.
Where Do You Deploy Serverless Security?
It becomes more challenging to determine where to put classic security such as WAF, firewall, and IDS. Placing them in between attackers and resources is not simple to do in serverless environments.
What Things Changed
Finally, some things just changed. They are not better or worse, on balance, but they will leave us hanging if we do not adjust to them. This is the neutral part of the serverless security scorecard:
Attacks and Attackers
Attacks and Attackers will always change whenever platforms and technologies change. Serverless is no different. The goals of the attacks have not changed, but how they accomplish those things may change drastically. Download our eBook, “Serverless Security Primer: Top Risks and How to Mitigate,” for further details.
Application Velocity
Developer agility will increase – as granular changes through functions unfold. This brings forth more frequent DevOps cycles into the cloud, and results in more potential impact to posture management, and creates the need to audit for possible misconfigurations more frequently.
Billing
With serverless, you only pay for what you use. Not paying for idle resources can save money. However, if a security tool will add one second to processing, you must multiply that by all your requests per month.
Cloud Security Is Mostly AppSec
You have ceded control to the platform, and, to a large degree, the network is less relevant. Therefore, much of your security efforts involve securing from the application level.
Additional Serverless Security Resources
Serverless, as a new application architecture, has a new and unique security landscape. The way you protect your applications must change. If you would like to move from understanding how serverless security is different to what to do about it, download our eBook, “Serverless Security Primer: Top Risks and How to Mitigate.”