We’re pleased to share our first podcast, “The Serverless Show.”
In addition to the below summarized article and above video, you can listen on SoundCloud.
From Protego Labs, we had Hillel Solow, CTO and Co-Founder, along with Tal Melamed, Head of Security Research, joined by our guest Wayne Scarano, Founder, Cloud/Cybersecurity Architect, SGA Business Systems, Inc. SGA are independent advisors and consultants for cloud strategy, architecture, research, security, Proof of Concept (PoC), implementation, and automation. SGA helps you migrate to the cloud and build secure cloud native applications.
Kicking things off, Wayne described how serverless is solving many problems, and the two approaches he has seen. “Virtually every company that is in the cloud in some way is using serverless, whether it’s on the forefront or shadow IT. They’re finding it’s filling the gaps faster and cheaper versus building infrastructure.
“For example, an organization may need to see and understand what’s happening with identity and access management, but lack a third-party product to fill that gap. We can write some Lambda functions so we can interrogate, see what’s happening, and give us some alarms. These things are happening throughout all cloud services in the ecosystem. Serverless is filling in the gaps.
“On the other side, we have companies that are going cloud native. They’re either writing brand new applications from scratch that fit the serverless model, or they’re taking existing apps and re-writing.”
When asked about the drivers for the move to serverless, Wayne stated, “I view serverless as ‘Cloud 2.0.’ It is the next-generational shift of responsibilities from the customer to the cloud provider. infrastructure as a service has been the heart of a lot of the solutions going on in the cloud. There’s been a lot of energy expended to create this IaaS and security plays a big role in that area too.
“Once we have the compute replacing IaaS… it fulfills the promise of services-oriented architecture. Now we have a new mindset when we’re thinking of serverless. We have a computer in the cloud, a computer in the sky. We have the compute, networking, security, storage, we have everything we need to program the cloud . So that takes a different mindset. Because we have done more abstraction, things are getting done faster and cheaper, if it’s done correctly. It’s not a silver bullet, as we’ll mentioned several times, and there are caveats.”
Tal stated, “The cloud providers give us some of their experience in security, by providing security features and services like key management. But the problem is we still run code. If the code is vulnerable, then our serverless application will also be vulnerable. The biggest issue here to understand is that the perimeter is basically gone. Not per se, but we can’t rely on one entry point to the application because serverless functions can be triggered by various event types, which makes it a little more complex. Companies need to understand what they’re dealing with now, and where they should put their security.”
Hillel added that when people move to serverless, they may have a lack of visibility, including functions they can’t track. Figuring out the best way to protect an app when the perimeter erodes is also a challenge.
The group next discussed a recent article in The Register, “AWS Won Serverless – Now All Your Software are Kinda Belong to Them.” Hillel stated that AWS got into serverless early with Lambda, and helped pave the way for what serverless is, although there are other cloud providers.
Wayne is currently lead organizer for Serverless Boston and Serverless New York City. The meet-ups are cloud-agnostic, and have included all the major cloud providers including Oracle coming up in July to both cities.
In considering the question, ‘What is lock-in?’ Wayne stated that it’s the same story as twenty years ago. Everything should be taken back to the needs of the business. Why are we driving these solutions? Does this company meet our needs? If yes, then let’s move forward. The needs of the business should be the primary concern, less than worrying about getting locked in.
Wayne continued by asking, “On the other hand, are you really locked in? You are accessing services, some more custom than others, but you own your functions and you own your data. The functions will be easier to take out, and we can give a hello to Serverless.com and those type of companies that enable you to write once and run it on many clouds.
“But if you made a decision, for example, to use DynamoDB and you want to move to CosmoDB or some other DB, you’re going to have to go through that pain of conversion. While you own the functions and the data, you do own the pain if you export, because you pay for data out of the cloud. The cloud has a center of gravity that pulls you in. Data is free to come in and they want to bring you in, which is their job.”
“First gigabyte’s free. I got you,” quipped Hillel in response.
Hillel asked if organizations are combining services across multiple cloud providers for a best of breed solution, although this can lead to some latency issues and data charges.
Wayne replied, “I don’t see a lot of that, but I do see the future being inter-cloud, where we have a services mindset. We’re thinking of services as code. We’re shifting from IaaS, and we’ll pick the best service at the best prices for the best location, regardless of cloud provider, and it may not even be a cloud provider.”
But will people gravitate towards the cloud provider that provides the best security?
Tal said, “Security always comes last after user experience, usability, and price, but it will get there eventually. Then the provider that will bring the best security features could gain points for that.”
Hillel added, “In moving to the cloud, you’ve ceded control of the stack to the cloud provider. You’re left with the configuration and application code, and if you can’t get security out of those two things, you can’t get security. The more configuration for security you can get out of a cloud provider, the more attractive that cloud provider is going to be.”
Next, the group discussed some recent statements from Oracle and CNCF regarding serverless standardization. Wayne said “Standardization is great. That’s going to help realize the promise of intercloud. Serverless.com is building event gateways. They’re going to be standardizing events outside of clouds or within the cloud of your choice, so you can manage events across several services or even cloud providers. So, I think it’s all a good thing.
“Again, the cloud providers’ job is to pull the customers in. You’re fighting the gravity of all the clouds pulling you in. Event gateways and standardization will counteract that gravity.”
Hillel explained that a primary impediment to being cloud-agnostic, is less the events, and more the other resources we’re locked into, such as DynamoDB. Wayne replied that businesses must conduct due diligence up front to decide, based on the business needs, and with traceability to know why you made those decisions. Tal added that standardizing reduces surprises and make security more accessible.
When making the shift to serverless, what do people need to be focusing on in terms of security?
Wayne said, “Start from the top, which is risk management. You are shifting more responsibility, so what are the risks and threats? Where are we going to be in one to two months? How are microservices going to grow? How are we going to protect and test? Services and infrastructure as code, is going to be growing. So, we’ll be configuring and accessing these services. When we start running functions from a low velocity perspective, you’re able to get some visibility, but as that increases, we’re losing visibility. Are we also losing management of the functions? So – planning, planning, planning – just like anything else. Security should be baked in as part of the thought process.”
Tal explained, “People need to understand that serverless should be approached differently. WAF is not enough here. We need to look into some of the serverless attributes here which will concern our application.
“A few things developers can do to quickly help security are to first review. As we use more open source code, and we need to look into that, because sometimes it comes with backdoors or insecure code. Also, I see that developers tend to give high time-outs for function, because they’re not paying for that, so, why not? Reducing that can help.
“We’ve tested hundreds of thousands of functions and more than ninety percent have excessive permission and configuration issues. By resolving this, you’ll cover a high proportion of security risks in your application. Permission by itself might not be a problem, but when combined with other vulnerabilities it could result in severe impacts to the application.”
Hillel elaborated, “One of the points we like to make is that this has always been true, but it’s much truer with serverless because of the fine-grained nature of serverless architectures. Serverless architectures tend to have smaller functions that are more single purpose. And it means the opportunity to configure those permissions correctly. It’s obviously challenging to do if you’ve got one thousand functions in your organization, but if you get it right, you’re getting a lot more security than you might have in the past with larger containers that genuinely needed a lot of things, and it’s harder to shrink down those permissions.”
Hillel’s favorite tweet may not be one of the funniest, but it’s one of the more insightful ones.
Serverless is every product architecture diagram you’ve ever drawn. Cause nobody is squiggling EC2 instances on a whiteboard when talking about business logic.
— Asim Aslam (@chuhnk) May 23, 2018
“I like the way that captures what Wayne said earlier about we can now build our software in the cloud and stop thinking about machines. I liked the analogy of how our kids have no idea why the ‘save’ icon looks like a floppy disk. They have no idea what a floppy disk is. It’s a remnant of some old piece of technology. In the same way, packaging our software in the shape of containers and VMs is a remnant of the way we used to deploy software. So, I liked this notion that serverless matches our architectures better and lets us get work done the way we want to get it done.”
Hang on a sec, is serverless just a fancy name for cgi-bin?
— Pete Hodgson (@ph1) May 27, 2018
Tal shared the next tweet, and said, “Two years ago, Ben Schwartz said that serverless is basically cgi-bin script where you deploy in a really awkward manner. I saw one comment I particularly liked that called serverless, “Evil as a Service.”
Hillel added, “I like the notion of cgi-bin as a precursor to serverless. Maybe there are no new ideas, just new implementations. But I think we’re still getting more out of serverless than we ever did out of cgi-bin.”
Wayne commented on Steve Faulkner, who used to be at Bustle and created the shep Framework for Node. Today, Steve says he wouldn’t necessarily use the Shep framework because AWS has come a long way with infrastructure or services as code. I think serverless is moving fast and the cloud providers are in competition, and that competition is causing them to move faster and faster. So, there are a lot of gaps, and the gaps are being filled by companies such as Protego Labs in terms of security.
Additionally, Azure is building an event grid, and there are also durable cloud functions. The idea of state, which we don’t typically have state with serverless.
Please send us your feedback and suggestions. Would you like to be a guest on the podcast and share your insights on serverless? Please email me.