Serverless Architecture = What Cloud Should Be
Serverless enables you to shift even more infrastructure management responsibilities to your cloud provider. Serverless architectures provide you the benefit of automated, nearly infinite scaling. Very little stands between developers and deployed code, which speeds time to market and makes it easier to maintain and test individual functions. No infrastructure is involved, and you get it out of the box. Finally, you pay only for what you use, resulting in lower costs.
Offloading these duties significantly decreases operations overhead. And being absolved of additional infrastructure management enables you to focus on developing solutions to serve your organization and customers. As engineering teams shift focus from the tech to business value, you can get more done with fewer people. Serverless can also be used to fill in any gaps in your architecture faster and cheaper than building infrastructure.
Serverless Computing Security Risks
For security, the move to serverless makes some things better, while also raising new challenges. In some ways, the nature of serverless improves security. You no longer need to patch servers. The ephemeral, stateless nature of serverless compute makes attackers’ lives harder. And the fact that your application is now structured as a large number of small functions in the cloud enables you to see each unit of compute as a separate entity.
Serverless architecture security becomes easier in many ways, but it also requires a unique, nuanced approach. While some things get better and others just change, the following challenges are unique to securing serverless apps:
- Security Visibility
  - Difficult to make sense of all of the data
- Many More Points of Attack, Protocols, & Vectors
  - Every function and protocol = potential point of attack
- Erosion of The Perimeter
  - Serverless apps = more porous, lack a clear boundary
- More Permissions to Manage
  - Challenging and time-consuming
- Where to Deploy Security?
  - There’s nowhere to put classic security such as WAF, firewall, and IDS
Threats to your apps will persist. They just won’t look and act the same way. Maintaining control and security requires a paradigm shift in your thinking. Defenses need to be less focused on handling the specific event, and more attuned to the overall pattern of these repetitive stateless attacks.
So, Whose Job is It to Secure Serverless Apps?
With the advent of new technologies, there’s a recurring trend of forgetting security lessons from the past and climbing a new learning curve. Security tends to start with a delay, and too long a delay. Serverless is no exception. But there’s additional confusion regarding where the responsibility for serverless application security lies.
Unfortunately, the traditional AppSec approach takes time and can slow things down, negating the serverless benefit of rapid feature deployment. Developers can’t possibly keep up with the hyper-accelerated velocity they themselves created if they need to wait on security to open ports, IAM roles, or security groups for them. While security pros don’t want to get in the way of the developers, they still need the ability to control policy and visibility.
Why We Must Make Secure Serverless Computing Everyone’s Problem
The solution to secure serverless apps is a close partnership between developers, DevOps, and AppSec. Find the balance where developers don’t own security, but they aren’t absolved from responsibility either. Take steps to make it everyone’s problem. Create cross-functional teams and work towards tight integration between security specialists and development teams. Collaborate so your organization can resolve security risks at the speed of serverless.
Additional serverless security best practices include:
- Map your app & observe the ongoing flow of information
- Apply perimeter security at the function level
- Craft suitable, minimal roles for each function
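One way to check the last practice, minimal roles for each function, is to audit each function's execution-role policy for wildcards and for roles shared between functions. The following is an added example, not code from the original article; it assumes AWS-style IAM policy JSON, and the function names, role names, ARNs and account ID are constructed placeholders.

```python
# Constructed sample data: function name -> (execution role, policy document).
# Role names, ARNs and the account ID are placeholders, not real resources.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
NARROW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ses:SendEmail"],
     "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com"}]}
FUNCTIONS = {
    "resize-image": ("shared-app-role", BROAD),
    "write-order": ("shared-app-role", BROAD),
    "send-receipt": ("send-receipt-role", NARROW),
}


def _as_list(value):
    """IAM allows a single item or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings for Allow statements broader than one function needs."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows everything else")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource")
    return findings


def audit_functions(functions):
    """Map each function to its findings, including roles shared across functions."""
    users = {}
    for name, (role, _) in functions.items():
        users.setdefault(role, []).append(name)
    report = {}
    for name, (role, policy) in functions.items():
        findings = audit_policy(policy)
        others = [n for n in users[role] if n != name]
        if others:
            findings.append(f"role {role} is shared with {', '.join(others)}")
        report[name] = findings
    return report
```

Run in CI against the deployed or templated policies, a non-empty finding list for any function can fail the build before an over-broad role ships.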