Serverless and Compliance

The transition to serverless is happening at a rapid pace across industries. This leaves many in a quandary regarding the status of their compliance posture, as many of the regulations companies need to comply with were written around older cloud and on-premises methodologies. The truth is, serverless deployments provide greater opportunities to not only enhance security, but to apply those same compliance requirements on a much more granular level, and in context.

    1. IAM Policies: Most compliance standards (for example PCI-DSS 2.2.2 and HIPAA 164.308(a)) require that access to applications be restricted and limited, especially where sensitive data resides. With serverless deployments, companies can restrict and limit access beyond the scope of the application itself, down to the individual functions. For example, IAM policies can be automatically generated and enforced that restrict which resources a function can access and which actions it can take on those resources. Policies that grant access only to the resources a function actually needs eliminate the risk of over-privileged permissions.
    2. Data Encryption: Whether encrypting personally identifiable information (PII) to comply with HIPAA or payment card data for PCI DSS, serverless is an optimal solution: the data is protected in the database, and least-privilege access control adds a further, function-level layer of protection. For instance, access to PII can be granted only to the specific functions that need it, wrapped in additional controls and policies. This ensures that sensitive information cannot be accessed by unauthorized parties and systems.
    3. Logging and Auditing: Cloud providers have tools, such as Amazon S3, Amazon CloudTrail, and Amazon CloudWatch, that enable log file integrity for everything accessing the serverless environment and the applications and functions within it. These tools allow companies to audit what is accessing the serverless applications and provide greater insight into access behavior. This in turn allows companies to create granular policies that further restrict access to the serverless applications, whether by system or by time of day.
    4. High Availability and Disaster Recovery: Cloud deployments are a great solution for disaster recovery and high availability when a system goes down or demand spikes. The downside, however, is that companies have to license those services from the providers and, as a result, pay for capacity that sits idle. With serverless, companies gain the benefits of high availability and disaster recovery, meeting compliance requirements, while paying only for actual usage.

Compliance and Serverless Security

The shift to serverless provides several key security and compliance opportunities and challenges that organizations need to address and embrace:

    • For each function, it is imperative that compliant serverless applications enforce least privilege, so that each function can access only the services and actions it requires. This drastically shrinks the attack surface and reduces the blast radius should an attack occur.
    • Traditional application security tools are not enough to meet compliance requirements in serverless. The move to new protocols and topologies makes it challenging to use, and get value out of, traditional application security tools such as web application firewalls (WAFs). It is therefore important to identify cloud-based WAFs that can easily be deployed and scaled.
    • Given the sensitive nature of the information within applications that carry compliance requirements, it is crucial that serverless-specific security controls are in place. The optimal solution will not only prevent attacks but will incur virtually zero overhead for runtime defense. Even an extra 50 milliseconds spent per request on security can have a significant impact on application performance and cost, and a poorly chosen solution can also affect transaction-integrity requirements.
    • There are stringent auditing and logging compliance requirements for companies using public serverless cloud services. Meeting these requirements, and enabling proper certification and auditing, calls for clear security controls across the entire lifecycle of the application, from development to production.

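The logging and auditing points above (CloudTrail as the record of what is accessing the functions, and policies restricting access by system or by time of day) can be illustrated with a small review script. This is an added example, not code from the page or from any vendor product: it reads CloudTrail-style records, keeps only events against the Lambda service, and reports any call made by a principal outside an expected set or outside an agreed time-of-day window. The records below are constructed samples that use only a subset of the real CloudTrail record fields, and the role ARNs, function name and window are placeholders.

```python
"""Review CloudTrail records for serverless function access outside an expected
principal set or time-of-day window.

Added illustration for the logging-and-auditing points above; not code from the
page or from any product. The records are constructed samples carrying only a
subset of real CloudTrail fields; ARNs, function name and window are placeholders.
"""
import json
from datetime import datetime, time, timezone

# Constructed sample records (subset of CloudTrail fields). Times are UTC,
# as CloudTrail records them.
SAMPLE_RECORDS = json.dumps({"Records": [
    {   # in-hours invoke by the expected role: no finding
        "eventTime": "2024-05-01T14:02:11Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "Invoke",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/orders-api-role"},
        "requestParameters": {"functionName": "orders-fn"},
        "sourceIPAddress": "10.0.1.5",
    },
    {   # same role, but at 03:15 UTC: outside the window
        "eventTime": "2024-05-01T03:15:40Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "Invoke",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/orders-api-role"},
        "requestParameters": {"functionName": "orders-fn"},
        "sourceIPAddress": "10.0.1.5",
    },
    {   # in-hours, but a role that is not expected to touch this function
        "eventTime": "2024-05-01T14:30:00Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "Invoke",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/unknown-role"},
        "requestParameters": {"functionName": "orders-fn"},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # a non-Lambda event: ignored by this review
        "eventTime": "2024-05-01T15:00:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/unknown-role"},
        "requestParameters": {"bucketName": "example-bucket"},
        "sourceIPAddress": "198.51.100.7",
    },
]})

ALLOWED_PRINCIPALS = {"arn:aws:iam::123456789012:role/orders-api-role"}
WINDOW_START = time(8, 0)    # placeholder business window, 08:00-18:00 UTC
WINDOW_END = time(18, 0)


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_lambda_access(records_json, allowed_principals, window_start, window_end):
    """Return one finding dict per Lambda event whose caller is not in
    allowed_principals or whose time of day falls outside [window_start, window_end)."""
    findings = []
    for rec in json.loads(records_json)["Records"]:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        principal = rec.get("userIdentity", {}).get("arn", "<unknown>")
        function = rec.get("requestParameters", {}).get("functionName", "<unknown>")
        when = parse_event_time(rec["eventTime"])
        base = {"function": function, "principal": principal,
                "time": rec["eventTime"], "event": rec.get("eventName")}
        if principal not in allowed_principals:
            findings.append({**base, "reason": "unexpected principal"})
        if not (window_start <= when.time() < window_end):
            findings.append({**base, "reason": "outside allowed window"})
    return findings


if __name__ == "__main__":
    for f in review_lambda_access(SAMPLE_RECORDS, ALLOWED_PRINCIPALS, WINDOW_START, WINDOW_END):
        print(f"{f['time']} {f['event']} {f['function']} by {f['principal']}: {f['reason']}")
```

Each finding names the function, the caller and the reason, which is the evidence an auditor asks for and the input needed to tighten the function's policies: an unexpected principal points at a trust relationship or resource policy to narrow, and a recurring off-hours pattern shows whether a time-based restriction would break legitimate traffic before it is enforced.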
Serverless and PCI Compliance

PCI-DSS Compliance eBook

Migrate your applications to serverless, and gain numerous operational benefits while not worrying about falling out of compliance with PCI-DSS.

Protego for Serverless Security Compliance

Protego’s cloud-native application security solution has been built from the ground up to take advantage of the security opportunities serverless affords, and to reimagine the way AppSec is done at the speed of serverless. For serverless cloud applications, several features of the solution help make serverless applications far more secure, and compliant, than their serverful counterparts.

    • Strict IAM roles from development to runtime - Protego Proact automates posture assurance at dev, CI/CD and production. For regulated industries with compliance requirements for applications, Protego ensures that all functions run with least privilege while empowering developers to move as fast as they need to.
    • Continuous monitoring and active defense - Protego Defend provides a runtime defense solution designed to seamlessly and automatically protect serverless functions, with nearly no overhead in function duration and function resource consumption. This means your serverless security doesn’t come at the cost of performance degradation.
    • Scalability and risk assessment - Protego’s solutions easily scale up and down as your applications do, all the while protecting your applications against known and unknown security risks, no matter what input and protocol you’re using.
