It’s a new season, and everyone is full of hope and optimism that this will be their year, that they will end the playoffs as World Champions. Yes, that is the goal for every team in Major League Baseball as the first pitch crosses home plate on Opening Day, but the same holds true for any project an organization undertakes.
You wake up hopeful and excited because you have a critical project for your organization: one that will save thousands of dollars, if not more, in infrastructure fees, cut hours of ops management, and let applications reach production quickly. You want to come out on top at the end of the ninth. Serverless environments make all of these things possible, and deploying serverless apps with a Function-as-a-Service (FaaS) approach already puts you in an All-Star league. However, if you don’t have the key players, or the right tools, in your project’s starting lineup, you may fall a few runs short.
To execute your serverless project flawlessly and realize all of its benefits, your pitcher and catcher need to be tightly aligned. In the world of serverless, those players are your developers and your security architects. Sure, they may have handled cloud migration projects with ease in the past, checking every compliance and policy requirement off the scorecard. But if they develop serverless apps with the same security mentality they used for traditional server- or VM-hosted applications, there will be more errors than anyone wants, and your season will sadly end under .500.
You see, serverless applications require a change in your application teams’ approach to the game. A traditional cloud-hosted application receives its input through one front door, typically HTTP requests arriving through a load balancer or API gateway, and that is where the security controls sit. In a serverless application, each function is its own component, and it can be triggered by many kinds of events: an HTTP request, yes, but also a message on a queue, an object written to storage, a database change, or a scheduled timer. Think of it this way: traditionally, the pitcher throws the ball, the batter makes a hit, the catcher is ready to respond, and the outfield calls out who has it. Now there are multiple balls pitched at once, the catcher has to be on their A-game reacting to each one, and the outfielders and basemen need to know where to go, how to respond, and which balls to catch. Every trigger is an input that must be validated and authorized; without a shift in controls that keeps things systematic, organized, and secured, the result is chaos, and unauthorized plays will put your game in jeopardy.
Everyone must know their role and the rules; everyone must be authorized; and there has to be trust in the team. Serverless changes the game, but it doesn’t change the goal for security. Instead of treating serverless security as application-centric, you need to treat it as code-centric: the function, its inputs, and the permissions it runs with are the unit you secure. You have to change up your pitching style and your catcher’s response to stay current and win. Your provider secures the platform and supplies some tools, but you need to know which additional layers to put in place so that you not only secure, but enforce, that a function does only what it was set out to do, is invoked only by authorized parties, and does not become an open attack vector.
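To make the “multiple balls pitched” point concrete, here is an added example (it is not code from the original post or from any provider): a single FaaS-style handler that accepts only the two triggers it was designed for, validates each one, and refuses everything else before doing any work. It assumes a hypothetical AWS Lambda-style function whose intended triggers are an HTTP request from an API gateway (only `POST /reports`, and only when the gateway’s authorizer has attached a principal) and an object-created notification from a storage bucket named `uploads-bucket`. The event dictionaries are constructed samples shaped like the API Gateway and S3 notification payloads, trimmed to the fields that matter; none of them were captured from a real system.

```python
"""Added example: a serverless handler that only 'catches' the triggers it was
positioned for. Hypothetical function, constructed sample events."""
import json
import re

# Hypothetical allowlists for this function (assumptions, not from the page).
ALLOWED_BUCKETS = {"uploads-bucket"}
ALLOWED_ROUTES = {("POST", "/reports")}
# Object keys: conservative character set, bounded length, no traversal segments.
KEY_PATTERN = re.compile(r"^[A-Za-z0-9_\-./]{1,256}$")


class RejectedEvent(Exception):
    """Raised when an event is not one this function is authorised to act on."""


def classify(event):
    """Identify the trigger from the payload shape. Unknown shapes are rejected
    rather than guessed at, so the function never acts on a ball it was not
    positioned for (e.g. a queue message wired to it by mistake)."""
    if isinstance(event, dict) and "Records" in event:
        sources = {r.get("eventSource") for r in event["Records"]}
        if sources == {"aws:s3"}:
            return "s3"
        raise RejectedEvent(f"unsupported record source(s): {sorted(sources)}")
    if isinstance(event, dict) and "httpMethod" in event and "path" in event:
        return "http"
    raise RejectedEvent("unrecognised event shape")


def validate_http(event):
    """Accept only the allowed route, only with a gateway-attached principal,
    and only with a well-formed JSON body."""
    method, path = event["httpMethod"], event["path"]
    if (method, path) not in ALLOWED_ROUTES:
        raise RejectedEvent(f"route not allowed: {method} {path}")
    # Trust the identity the gateway's authoriser attached, never a caller-supplied header.
    authorizer = event.get("requestContext", {}).get("authorizer") or {}
    principal = authorizer.get("principalId")
    if not principal:
        raise RejectedEvent("no authorised principal on request")
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        raise RejectedEvent("body is not valid JSON")
    if not isinstance(body, dict) or not isinstance(body.get("report_id"), str):
        raise RejectedEvent("body missing string report_id")
    return {"source": "http", "principal": principal, "report_id": body["report_id"]}


def validate_s3(event):
    """Accept only ObjectCreated events from the allowed bucket with a sane key."""
    objects = []
    for rec in event["Records"]:
        if rec.get("eventName", "").split(":")[0] != "ObjectCreated":
            raise RejectedEvent(f"unexpected S3 event: {rec.get('eventName')}")
        bucket = rec["s3"]["bucket"]["name"]
        if bucket not in ALLOWED_BUCKETS:
            raise RejectedEvent(f"bucket not allowed: {bucket}")
        key = rec["s3"]["object"]["key"]
        if not KEY_PATTERN.match(key) or ".." in key:
            raise RejectedEvent(f"object key rejected: {key!r}")
        objects.append((bucket, key))
    return {"source": "s3", "objects": objects}


def handler(event, context=None):
    """Entry point: classify, validate, and only then do the work.
    Returns the validated input; raises RejectedEvent for anything else."""
    kind = classify(event)
    return validate_http(event) if kind == "http" else validate_s3(event)


# Constructed sample events (not captured from a real system).
HTTP_EVENT = {
    "httpMethod": "POST", "path": "/reports",
    "requestContext": {"authorizer": {"principalId": "user-42"}},
    "body": json.dumps({"report_id": "r-100"}),
}
S3_EVENT = {"Records": [{
    "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "uploads-bucket"}, "object": {"key": "2024/report.csv"}},
}]}
SQS_EVENT = {"Records": [{"eventSource": "aws:sqs", "body": "hello"}]}  # not a trigger this function expects


def demo():
    """Run the three samples through the handler and report the outcome of each."""
    results = {}
    for name, ev in [("http", HTTP_EVENT), ("s3", S3_EVENT), ("sqs", SQS_EVENT)]:
        try:
            results[name] = handler(ev)
        except RejectedEvent as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The design choice worth noting is that the function fails closed: the allowlists (`ALLOWED_ROUTES`, `ALLOWED_BUCKETS`) and the shape-based `classify` step together mean a new trigger someone wires up later, or a request without a gateway-attached principal, is refused rather than processed. Pair this in-code enforcement with an execution role that grants the function only the permissions those two paths actually need.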
Serverless application security has to include security around the code itself. Each player’s moves and interactions must be understood so that change-ups can be flagged and defended against automatically. But it doesn’t stop there. To truly win, you need constant visibility into what is happening during the game: gather intelligence, strategize to minimize threats, and then use that intelligence to actively defend your game and come out the victors.