Serverless and Compliance

The transition to serverless is happening at a rapid pace across industries. This leaves many in a quandary regarding the status of their compliance posture, as many of the regulations companies need to comply with were written around older cloud and on-premises methodologies. The truth is, serverless deployments provide greater opportunities to not only enhance security, but to apply those same compliance requirements on a much more granular level, and in context.

    1. IAM Policies: Most compliance standards (for example PCI-DSS 2.2.2 and HIPAA 164.308(a)) require that access to applications be restricted and limited, especially where sensitive data resides. With serverless deployments, companies can restrict and limit access beyond the scope of the application itself, down to the individual functions. For example, IAM policies can be automatically generated and enforced that restrict which resources a function can access and which actions it can take on those resources. Creating policies that grant access only to the resources a function actually needs eliminates the risk of over-privileged permissions.
    2. Data Encryption: Whether encrypting personally identifiable information (PII) to comply with HIPAA or payment card data for PCI DSS, serverless is an optimal solution: the data is secured in the database and protected by an additional, granular layer of least-privilege access control. For instance, access to the PII is granted only at the function level, encapsulated with additional controls and policies. This ensures that sensitive information cannot be accessed by unauthorized parties and systems.
    3. Logging and Auditing: Cloud providers have tools, such as Amazon S3, Amazon CloudTrail, and Amazon CloudWatch, that enable log file integrity for everything accessing the serverless environment and the applications and functions within it. These tools allow companies to audit what is accessing the serverless applications and provide greater insight into access behavior. They also allow companies to create granular policies that further restrict access to the serverless applications, whether by source system or by time of day.
    4. High Availability and Disaster Recovery: Cloud deployments are a great solution for disaster recovery and high availability when a system goes down or demand spikes. The downside, however, is that companies have to license those services from the providers and, as a result, pay for standby capacity even during downtime. With serverless, companies gain the benefits of high availability and disaster recovery, meeting compliance requirements, but pay only for actual usage.
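
The least-privilege check described in the IAM Policies item above, as an added example (this is illustrative code, not Protego's product or any AWS tool): it takes two constructed IAM policy documents, one catch-all and one scoped to a hypothetical order-lookup function, and flags the Allow statements that are broader than a single function should need. The account ID and ARNs are placeholders.

```python
import json
import re

# Constructed sample policies. The first is the catch-all role a function often
# inherits; the second grants only what a hypothetical order-lookup function needs.
OVER_PRIVILEGED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::*"},
    ],
})

LEAST_PRIVILEGE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/order-lookup:*"},
    ],
})

# An ARN whose resource part is just "*" (e.g. arn:aws:s3:::*) covers every
# resource of that service; a trailing "*" deeper in the ARN (log streams) is fine.
_ALL_IN_SERVICE = re.compile(r"arn:[^:]*:[^:]*:[^:]*:[^:]*:\*")


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource fields."""
    return [value] if isinstance(value, str) else list(value)


def find_overprivilege(policy_json):
    """Return (statement_index, reason) pairs for over-broad Allow statements."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource allows everything not listed"))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((i, "wildcard action '*'"))
            elif action.endswith(":*"):
                findings.append((i, f"service-wide wildcard '{action}'"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" or _ALL_IN_SERVICE.fullmatch(resource):
                findings.append((i, f"wildcard resource '{resource}'"))
    return findings
```

Running this in a CI step against each function's generated role, and failing the build on any finding, is one way to keep the "least privilege per function" property the text describes from eroding over time.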

Protego for Serverless Security Compliance

Protego’s cloud-native application security solution has been built ground-up to take advantage of the security opportunities serverless affords, and to reimagine the way AppSec is done at the speed of serverless. For serverless cloud applications, there are several features of the solution that help make serverless applications far more secure, and compliant, than their serverful counterparts.

    • Strict IAM roles from development to runtime: Protego Proact automates posture assurance in development, CI/CD and production. For regulated industries with compliance requirements for applications, Protego ensures that all functions run with least privilege while empowering developers to move as fast as they need to.
    • Continuous monitoring and active defense: Protego Defend provides a runtime defense solution designed to seamlessly and automatically protect serverless functions, with nearly no overhead in function duration or resource consumption. This means your serverless security doesn’t come at the cost of performance degradation.
    • Scalability and risk assessment: Protego’s solutions scale up and down as your applications do, all the while protecting your applications against known and unknown security risks, no matter what input and protocol you’re using.
