Are compliance-driven applications off the table when it comes to serverless? Should applications that deal with credit card transactions, health care platforms, and other highly regulated areas consider serverless and cloud-native at all? To answer this question and more, we got Hillel Solow, CTO & Co-Founder here at Protego, and Ryan Jones, CEO of Serverless Guru, to discuss all the latest topics in cloud-native and serverless.
Ryan believes that compliance-driven organizations are trying to move to serverless, although it presents new security challenges they might not be familiar with. Running an agent on a server and having very hardened traditional security practices can no longer work in a serverless environment. Since this paradigm shift in security approach requires a lot of thought, it might interfere with the main reason as to why move to serverless to begin with – deployment speed.
Hillel thinks that properly configured and secured serverless applications are far more secure than their counterparts, but it definitely requires the right solution. As the CTO of Protego, Hillel explains how the company’s code-centric security solution was made to solve exactly that. As Protego’s backend is built on serverless, it allowed to stand up an instance of the system inside compliance-driven client’s accounts which would have been harder in the past in terms of monitoring, scaling and dealing with a lot of different resources in the account. With an application build on API gateway, Lambda, DynamoDB, SQS and others, Protego was able to drop instances to the client’s account really fast.
From Hillel’s experience, the biggest security challenges compliance customers experience in serverless is the lack of visibility and control. Since serverless enables their teams to move really fast, deploy fast and make rapid changes, all with very little cost, visibility and control are usually lost in the midst of it all. The ability to view and identify risks before it’s too late is really a top priority for security teams.
Hillel continues to say that with the challenges, new security opportunities arise in serverless, allowing teams to apply much more granular configurations like IAM roles and security policies than in the past. It does, however, require much more manual work, and this is where companies really need to get their automation nailed down. That’s something Protego excels in, and really changes the game when it comes to accurate, automated security. As a lot of operational concerns disappear in serverless, security becomes the main concern, and that allows for a greater effort on this front.
The concept of ‘zero trust’ is not new, but it is new to cloud-native and serverless. Hillel explains that with the move to cloud-native, organizations need to shift their thinking from WAFs and big walled perimeters and start thinking about the little pieces that can be triggered in all sorts of different ways, with all sorts of third party services.
The zero trust model in this environment needs to adopt an approach of ‘every interaction is a suspect’ and ‘every two resources talking to each other need behavioral validation’. Ryan adds that with the right automated security solution, you can make sure policies are narrowed down to the smallest focus possible. The zero trust model in this instance is really ‘let people do things, validate those things, validate the things that are validating those things, and then still worry at runtime for those things you thought were validated’.
Since there is no real way to just put a border around everything when it comes to serverless applications, companies need to be really careful before implementing serverless and using services like public S3 buckets, or even private S3 buckets but with a public API Gateway in play. In this instance, one may not be able to access that private S3 bucket, but they may be able to access it through the cloud front. In this instance, making sure there’s a single entry to the resource is crucial. Hillel adds that the ease with which one can enable interactions like public buckets is really the Achilles heel in cloud-native and serverless security, and for that requires a code-centric, automated security solution in place.