Serverless enables you to shift even more infrastructure management responsibilities to your cloud provider. Serverless architectures give you automated, nearly infinite scaling. Very little stands between developers and deployed code, which speeds time to market and makes it easier to maintain and test individual functions. You manage no infrastructure yourself; the provider supplies it out of the box. Finally, you pay only for what you use, resulting in lower costs.
Offloading these duties significantly decreases operations overhead. Being relieved of infrastructure management lets you focus on developing solutions that serve your organization and customers. As engineering teams shift focus from the technology to business value, you can get more done with fewer people. Serverless can also be used to fill gaps in your architecture faster and more cheaply than building infrastructure.
For security, the move to serverless makes some things better, while also raising new challenges. In some ways, the nature of serverless improves security. You no longer need to patch servers. The ephemeral, stateless nature of serverless compute makes attackers’ lives harder. And the fact that your application is now structured as a large number of small functions in the cloud enables you to see each unit of compute as a separate entity.
In many ways serverless architecture security becomes easier, but it still requires a distinct, nuanced approach. Some things get better and others simply change; here are the challenges unique to securing serverless apps.
Threats to your apps will persist. They just won’t look and act the same way. Maintaining control and security requires a paradigm shift in your thinking. Defenses need to be less focused on handling the specific event, and more attuned to the overall pattern of these repetitive stateless attacks.
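To make the "pattern, not event" point concrete, here is an added example (not from the original article): each invocation of a stateless function sees only its own event, so a per-invocation check can never notice a slow, repeated credential-guessing pattern, while the same records aggregated by source over a time window expose it. The log format, field names and sample records are constructed for the example.

```python
"""Pattern-level detection across stateless function invocations (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample invocation records from a hypothetical "login" function.
# 203.0.113.7 fails six times within a few minutes (plus one unrelated, much
# older failure); 198.51.100.20 fails twice, then succeeds.
SAMPLE_LOGS = [
    {"ts": "2024-01-01T09:20:00", "src": "203.0.113.7", "fn": "login", "status": 401},
    {"ts": "2024-01-01T10:00:00", "src": "203.0.113.7", "fn": "login", "status": 401},
    {"ts": "2024-01-01T10:00:40", "src": "203.0.113.7", "fn": "login", "status": 401},
    {"ts": "2024-01-01T10:01:00", "src": "198.51.100.20", "fn": "login", "status": 401},
    {"ts": "2024-01-01T10:01:20", "src": "203.0.113.7", "fn": "login", "status": 401},
    {"ts": "2024-01-01T10:01:30", "src": "198.51.100.20", "fn": "login", "status": 401},
    {"ts": "2024-01-01T10:02:00", "src": "198.51.100.20", "fn": "login", "status": 200},
    {"ts": "2024-01-01T10:02:00", "src": "203.0.113.7", "fn": "login", "status": 401},
    {"ts": "2024-01-01T10:02:40", "src": "203.0.113.7", "fn": "login", "status": 401},
    {"ts": "2024-01-01T10:03:20", "src": "203.0.113.7", "fn": "login", "status": 401},
]

FAILURE_STATUSES = {401, 403}


def per_invocation_verdict(record, threshold=5):
    """What a stateless function can decide on its own: it sees one event,
    so its failure count is at most 1 and the threshold is never reached."""
    failures_visible = 1 if record["status"] in FAILURE_STATUSES else 0
    return failures_visible >= threshold


def window_failures(records, window=timedelta(minutes=5), threshold=5):
    """Aggregate failures per source; return {src: max failures seen in any
    sliding window of `window` length} for sources reaching `threshold`."""
    by_src = defaultdict(list)
    for r in records:
        if r["status"] in FAILURE_STATUSES:
            by_src[r["src"]].append(datetime.fromisoformat(r["ts"]))
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged
```

The per-event check flags nothing; the windowed view flags the repeating source, which is the kind of aggregated signal (from logs or a gateway in front of the functions) that serverless defenses need to rely on.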
With the advent of new technologies, there’s a recurring trend of forgetting the security lessons of the past and climbing a new learning curve. Security tends to start late, often far too late. Serverless is no exception, and there is additional confusion about where the responsibility for serverless application security lies.
Unfortunately, the traditional AppSec approach takes time and can slow things down, negating the serverless benefit of rapid feature deployment. Developers can’t possibly keep up with the hyper-accelerated velocity they themselves created if they must wait on security to open ports, grant IAM roles, or adjust security groups for them. While security pros don’t want to get in the way of developers, they still need the ability to control policy and retain visibility.
The solution to secure serverless apps is close partnership between developers, DevOps, and AppSec. Find the balance where developers don’t own security, but they aren’t absolved from responsibility either. Take steps to make it everyone’s problem. Create cross-functional teams and work towards tight integration between security specialists and development teams. Collaborate so your organization can resolve security risks at the speed of serverless.
Additional serverless security best practices include: