Companies move to serverless computing for various reasons, the two most common being faster time-to-market and reduced infrastructure costs. Their serverless security requirements, however, differ based on a myriad of factors, and one of those factors is compliance. Today we highlight compliance in serverless through a compliance-driven client: their security driver and challenges, the solution they chose, and ultimately the results.
A large multi-national bank had a number of teams building customer-facing applications on serverless architectures. Maintaining compliance with both internal and external regulations had always been a priority. With the migration to serverless, the security team struggled to keep up with compliance at the accelerated pace of deployment. They were searching for a way to regain visibility and control over the compliance of their applications without getting in the way of fast deployments.
After searching for a solution that would let them build security into development without delaying deployments, they identified Protego. The team was able to integrate Protego's Proact solution into their monitoring dashboards and, through a quick integration with their DevOps counterparts, into the applications' CI/CD pipelines. This allowed them to:
- Automatically assess security posture, including IAM roles, third-party dependencies, embedded secrets and credential leaks, and other vulnerabilities
- Automatically generate least-privilege IAM roles
- Identify security risks across functions, third-party libraries and triggers, and remediate them prior to deployment
- Block deployment if the security posture is not up to standard
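To make the last two points concrete, here is an added example of the kind of least-privilege gate a CI/CD pipeline can run against a function's IAM policy before deployment. This is illustrative code written for this page, not Protego's product or any code from the bank; the policy document is constructed, the `STAR_RESOURCE_OK` allowlist is a hypothetical starting point that a team would extend to match its own standards, and the script name `iam_gate.py` is assumed.

```python
"""Added example: a CI gate that fails a build when a serverless function's IAM
policy grants wildcard permissions. Hypothetical stand-in for the "block
deployment if posture is not up to standard" step; not Protego's code."""
import json
import sys

# Constructed sample policy (not from any real account). Statement 1 is the
# over-permissioned one a least-privilege check should catch.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/example:*"},
    ],
}

# Assumed allowlist: some AWS actions are not scoped to a resource, so
# Resource "*" is the only option for them and should not fail the gate.
# Extend this per your own policy; the two entries here are illustrative.
STAR_RESOURCE_OK = {"xray:PutTraceSegments", "xray:PutTelemetryRecords"}


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcards(policy, star_resource_ok=STAR_RESOURCE_OK):
    """Return findings for Allow statements broader than least privilege."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # NotAction/NotResource on an Allow grants everything except the listed
        # items, which is almost never what a single function needs.
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append({"statement": idx, "kind": "negated_matcher", "value": key})
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            # Catches "*", "service:*" and partial wildcards such as "s3:Get*".
            if "*" in action:
                findings.append({"statement": idx, "kind": "wildcard_action", "value": action})
        for resource in _as_list(stmt.get("Resource")):
            # Only a bare "*" is flagged; an object-path suffix like "bucket/*" is normal.
            if resource == "*" and not all(a in star_resource_ok for a in actions):
                findings.append({"statement": idx, "kind": "wildcard_resource", "value": resource})
    return findings


def gate(policy, **kwargs):
    """True if the policy passes the least-privilege gate, False if deployment should be blocked."""
    return not find_wildcards(policy, **kwargs)


def main(argv):
    """Usage: python iam_gate.py [policy.json]; with no file, checks SAMPLE_POLICY."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    findings = find_wildcards(policy)
    for f in findings:
        print(f"FAIL statement[{f['statement']}]: {f['kind']} {f['value']}")
    if findings:
        print(f"{len(findings)} finding(s); blocking deployment")
        return 1
    print("policy passes least-privilege gate")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pipeline step and fail the job on a non-zero exit. On the sample it reports the `dynamodb:*` action and the bare `*` resource in statement 1 and blocks the deploy; the trailing `/*` on the S3 object path is deliberately not flagged, since that is how object-level access is normally expressed. A real gate would also want to cover resource policies on triggers (SQS, S3 event notifications, API Gateway) and the function's execution-role trust policy, which this example does not parse.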
Using Protego Proact for compliance in serverless, the team regained meaningful visibility into their applications' security and where their key risks resided. By integrating Protego's code-centric security into their build pipelines, they were able to eliminate over-permissioning and other human errors, as well as:
- Save developers time and allow them to focus on innovation
- Save the security team time in verifying that security was done right during the build
- Deploy important features and services faster while maintaining the highest security standards, keeping customers happy and their information secure
The team plans to integrate Protego Defend runtime protection for continuous security assurance and microsegmentation, providing the highest levels of isolation with zero manual configuration, while still allowing custom rules and exceptions to address policies and regulations unique to their business.