By Hillel Solow, Serverless Security R&D, published January 3, 2020
Whether walking around re:Invent earlier last month or sitting in the sessions, one thing was clear: serverless is here to stay. It is no wonder why; there are many benefits to moving to a serverless architecture – cost, efficiency, agility, velocity, and better security.
The move to serverless has made many things better, some things different, and pretty much nothing has stayed the same. In this article, we will uncover the details regarding serverless security and how Check Point's acquisition of serverless security leader Protego Labs addresses these unique differences.
One benefit of moving to a serverless environment is that teams can be confident that providers like AWS, Google, and Microsoft will take care of patching and securing their technology stacks. However, that is where the shared responsibility model transfers to you: you own what is under the hood, within the code. This can be a challenge for security teams: while the threats to serverless applications are in many ways the same, because of the unique architecture they do not look or act the way they did before.
In serverless architectures, the application code is now broken up into dozens if not hundreds of functions, each needing to be monitored and protected at all times from attacks and loss of control. The ephemeral, stateless nature of serverless compute also means that exploits don’t necessarily turn into persistent, living threats inside your system, since function calls typically have short timeouts. Instead, because of this characteristic, attacks are repetitive and stateless. The attacker leverages an exploit to get in, carries out one stage of the attack, and gets out. They repeat this process as many times as needed until all stages of the attack chain are complete and the data has been exfiltrated, or all the files have been encrypted.
Because of this attack behavior, serverless defenses need to be less focused on handling the specific events of the attack and more attuned to the overall pattern of the attack. It’s hard to notice a few thousand extra Lambda calls in AWS, so your security tools need to know how to spot this behavior early and mitigate it before it becomes a serious problem.
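The "get in, do one stage, get out" pattern described above shows up in invocation logs as a burst of calls to one function rather than as any single suspicious event. The following is an added example, not code from the original article or from Check Point's product, of the kind of per-function baseline check a detection pipeline can run over invocation records. The record shape (function name, ISO-8601 timestamp, outcome), the sample log, and the thresholds are all constructed assumptions for illustration.

```python
"""Spot repetitive, stateless attack patterns in serverless invocation logs.

Added example; not from the original article or any vendor's product code.
Assumes each record is (function_name, ISO-8601 UTC timestamp, outcome).
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: a normal trickle of calls to two functions over
# five minutes, then a burst of 30 calls to "order-handler" inside one minute,
# the footprint an attacker leaves when repeating a single-stage exploit.
SAMPLE_LOG = [
    ("order-handler", "2020-01-03T10:00:05Z", "ok"),
    ("order-handler", "2020-01-03T10:01:10Z", "ok"),
    ("image-resize", "2020-01-03T10:01:12Z", "ok"),
    ("order-handler", "2020-01-03T10:02:30Z", "ok"),
    ("image-resize", "2020-01-03T10:02:45Z", "ok"),
    ("order-handler", "2020-01-03T10:03:01Z", "ok"),
    ("order-handler", "2020-01-03T10:04:15Z", "ok"),
] + [
    ("order-handler", f"2020-01-03T10:05:{s:02d}Z", "ok") for s in range(0, 60, 2)
]


def bucket_by_minute(records):
    """Count invocations per (function, minute) bucket."""
    counts = defaultdict(int)
    for fn, ts, _outcome in records:
        minute = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
            second=0, tzinfo=timezone.utc
        )
        counts[(fn, minute)] += 1
    return counts


def detect_bursts(records, factor=5, min_burst=20):
    """Flag (function, minute) buckets whose invocation count is both above an
    absolute floor (min_burst) and more than `factor` times that function's
    baseline, where the baseline is the mean of the function's other minutes.

    The absolute floor keeps a function that normally sees zero or one call a
    minute from alerting on a handful of legitimate calls; the relative factor
    keeps a busy function's ordinary traffic from alerting. Thresholds are
    assumed values; tune them per deployment.
    """
    per_fn = defaultdict(dict)
    for (fn, minute), n in bucket_by_minute(records).items():
        per_fn[fn][minute] = n

    alerts = []
    for fn, minutes in per_fn.items():
        for minute, n in sorted(minutes.items()):
            others = [v for m, v in minutes.items() if m != minute]
            baseline = sum(others) / len(others) if others else 0.0
            # max(baseline, 1) avoids a zero baseline making any count "infinite".
            if n >= min_burst and n > factor * max(baseline, 1):
                alerts.append({
                    "function": fn,
                    "minute": minute.isoformat(),
                    "count": n,
                    "baseline": round(baseline, 2),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(f"burst: {alert}")
```

On the constructed log the check raises exactly one alert, for `order-handler` in the 10:05 minute (30 calls against a baseline of 1), and stays quiet for `image-resize`. A real deployment would feed this from CloudWatch or CloudTrail records and keep a rolling baseline per function rather than recomputing it from the whole batch.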
This can be a tedious, manual exercise for security teams without the proper tooling, because a serverless application comprises dozens or even hundreds of functions, each its own microservice with its own policies, role, API, audit trail, etc. The attack surface also changes – instead of a small number of entry points with lots of functionality hidden behind each one, there are now more entry points, each with a small part of the application behind it. Defending your application now requires thinking about each and every individual entry point. To complicate matters, the triggers that launch your functions are varied, so an attack might come at you from any direction. You need to consider all the ways an attacker might directly or indirectly cause your resources to do things you didn’t intend.
Feeling overwhelmed? Don’t. The fact that your application is now structured as a large number of small functions in the cloud provides a fantastic opportunity for security. With serverless, the structure and behavior of your application are visible in the cloud deployment, and security tools for serverless take advantage of the information exposed by the providers to achieve higher levels of security, with fewer false positives and negatives, and less overhead, than could be achieved in the past.
This is where the Protego serverless security solution now comes into play as part of the Check Point CloudGuard Dome9 family. This solution eliminates friction by seamlessly integrating into the serverless application, automating security configuration for each function’s code during CI/CD, and bringing runtime security to the function level. The code-centric approach leverages Deep Code Flow Analysis (DCFA) to evaluate and analyze each function’s code to not only detect issues but also provide remediation for security risks such as over-permissive IAM roles, vulnerable dependencies, and hardcoded credentials. In addition, the agentless Function Self-Protection detects and stops OWASP Top 10 attacks at the function level, and generates a highly accurate behavioral profile per function for further protection. From a visibility perspective, teams can maintain constant vigilance over function behavior through a comprehensive, security-focused dashboard of the serverless application. They can take further action as alerted, and create custom policies and rules for compliance and security purposes. This means that organizations can move to serverless faster and trust that they have security tooling unique to serverless applications.
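Two of the risks named above, over-permissive IAM roles and hardcoded credentials, are the kind of thing a CI/CD stage can catch per function before deployment. The following is an added example of such pre-deployment checks; it is not Check Point's DCFA code and does not reproduce how that product works. It assumes standard IAM policy JSON (`Statement`, `Effect`, `Action`, `Resource`) and the classic `AKIA…` AWS access key ID format. The two policy documents, the account ID, and the source snippet are constructed, with the access key ID being the placeholder key from AWS documentation.

```python
"""Pre-deployment checks for a single serverless function.

Added example; not from the original article or any vendor's product code.
Assumes standard IAM policy JSON and the AKIA-prefixed AWS access key ID form.
"""
import json
import re

# Constructed: the weak setting, a role that can do anything to anything.
OVER_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: the corrected setting, scoped to the one table and log group
# this function actually touches (account ID 123456789012 is a placeholder).
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders",
        },
        {
            "Effect": "Allow",
            "Action": "logs:PutLogEvents",
            "Resource": "arn:aws:logs:us-east-1:123456789012:"
                        "log-group:/aws/lambda/order-handler:*",
        },
    ],
})

# Constructed source snippet containing the AWS documentation example key ID.
SAMPLE_SOURCE = (
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"\n'
    'region = "us-east-1"\n'
)

# Assumed pattern: AKIA prefix followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise."""
    return value if isinstance(value, list) else [value]


def find_over_permissive(policy_json):
    """Return human-readable findings for Allow statements that use a wildcard
    action ('*' or 'service:*') or a wildcard resource ('*')."""
    findings = []
    doc = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action '{action}'")
        if any(r == "*" for r in _as_list(stmt.get("Resource", []))):
            findings.append(f"statement {i}: wildcard resource '*'")
    return findings


def find_hardcoded_keys(source):
    """Return (line_number, key_id) for every AWS access key ID literal found."""
    return [
        (line_no, match.group(0))
        for line_no, line in enumerate(source.splitlines(), start=1)
        for match in AWS_ACCESS_KEY_ID.finditer(line)
    ]


def gate(policy_json, source):
    """True when the function passes both checks and may be deployed."""
    return not find_over_permissive(policy_json) and not find_hardcoded_keys(source)


if __name__ == "__main__":
    print("weak policy:", find_over_permissive(OVER_PERMISSIVE_POLICY))
    print("scoped policy:", find_over_permissive(LEAST_PRIVILEGE_POLICY))
    print("hardcoded keys:", find_hardcoded_keys(SAMPLE_SOURCE))
```

The wildcard check is deliberately simple; a production gate would also flag broad prefixes such as `s3:*` on a role that only reads one bucket and would compare the allowed actions against what the function's code actually calls, which is the analysis the article attributes to DCFA.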
Serverless is here to stay, and for organizations trying to keep pace with their customers’ needs, it’s pretty much a must. While the impact on your security process is likely to be more profound than you might have expected, this new offering will create the bridge necessary for the paradigm shift and allow IT teams to maintain control and security while making the leap to the next technology evolution in the cloud.