Serverless has seen a surge in use in 2018. During the fourth quarter of 2017, serverless saw a 667% growth in adoption. Developers love it because it allows them to focus on writing code, and operations teams love it because it reduces their time spent maintaining environments. And now that providers are responsible for managing environment security, software updates, and patches, serverless has the potential to become the most secure cloud computing architecture.
However, this doesn't mean serverless applications are completely secure. Enterprises are still responsible for securing the application layer, but the architectural difference between traditional applications and serverless applications makes traditional security tools and best practices unsuitable. In order to achieve a high level of security, enterprises need to understand these differences and use tools that will protect against serverless-specific threats. In this article, we look at 4 reasons why CISOs need to plan for serverless security.
1. Serverless Platforms Are Secure, But Your Applications Aren't
A key benefit of serverless computing is that it shifts the responsibility of maintaining servers to a FaaS provider. This includes maintaining the operating system, updating software, and installing patches. However, the provider's security responsibilities end at the function boundary. While developers won't necessarily have to worry about traditional server threats, they do need to be concerned about threats targeting their applications. To protect against application-level threats, it's the responsibility of DevSecOps teams to write secure code, leverage serverless platform tools, and follow best practices such as the OWASP Top 10.
To achieve a high level of security, developers and DevOps teams need to adapt to tools and best practices unique to serverless. The architectural differences between traditional applications and serverless applications make many traditional security practices obsolete. Teams need to understand these differences and adopt tools that will protect against serverless-specific threats.
2. Best Practices Aren't Enough When it Comes to Serverless
While some security best practices have arisen for serverless architectures, most of our existing best practices assume that developers and DevSecOps teams have control over the underlying environment. While this may be true for bare metal, virtualized, and even containerized applications, it's not true for serverless applications. FaaS providers expose a limited number of environment options, and while this allows them to secure the environment more effectively, it also prevents cyber security teams from hardening the OS, securing the application's runtime environment, or taking any other actions that are considered best practice.
To truly secure serverless applications, DevSecOps teams will need to work within the boundaries created by FaaS providers. This involves adapting the current understanding of security to the serverless architecture and using tools designed specifically for securing serverless applications.
3. The Application Layer is Left Exposed
In architectures where developers and DevSecOps teams have control over the environment, they can run their applications behind additional layers of security. Functionality that was once hidden behind a gateway or firewall may now be accessible to the public, forcing developers and DevOps teams to secure each individual function rather than the application as a whole. Alternatively, teams can enclose functions within a Virtual Private Cloud (VPC), but this requires additional planning and can add significant performance penalties.
According to Tom McLaughlin, CEO of ServerlessOps, "with serverless, the amount of surface area you're responsible for has decreased. At the same time, your perimeter has become lessaged. What you should be doing is auditing the configuration and exposure of your cloud resources." This means not only securing your functions, but also the resources they communicate with.
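One way to carry out the configuration-and-exposure audit described above, as an added example that is not part of the original article: it walks a constructed set of AWS-Lambda-style policy documents (the account IDs, ARNs and function names are made up) and flags functions that any principal may invoke without a condition, plus execution roles that hold wildcard permissions.

```python
# Constructed sample data (not real accounts): Lambda-style invoke policies and execution-role policies.
FUNCTIONS = {
    "public-webhook": {
        "invoke_policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                         "Action": "lambda:InvokeFunction"}]},
        "role_policy": {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    },
    "internal-report": {
        "invoke_policy": {"Statement": [{
            "Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
            "Action": "lambda:InvokeFunction", "Condition": {"ArnLike": {
                "AWS:SourceArn": "arn:aws:events:us-east-1:123456789012:rule/nightly"}}}]},
        "role_policy": {"Statement": [{"Effect": "Allow", "Action": "dynamodb:GetItem",
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/reports"}]},
    },
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allows(policy):
    """Allow statements of a policy; 'Statement' may be a single dict or a list."""
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def public_invoke(policy):
    """True if an Allow statement lets a wildcard principal invoke with no Condition."""
    for s in _allows(policy):
        p = s.get("Principal", {})  # either the string "*" or {"AWS"/"Service": value(s)}
        values = [p] if isinstance(p, str) else list(p.values())
        if any("*" in _as_list(v) for v in values) and not s.get("Condition"):
            return True
    return False

def wildcard_permissions(policy):
    """(action, resource) pairs where an Allow grants a wildcard action or resource."""
    return [(a, r) for s in _allows(policy)
            for a in _as_list(s.get("Action", []))
            for r in _as_list(s.get("Resource", []))
            if a.endswith("*") or r == "*"]

def audit(functions):
    """Map function name to its exposure findings; functions with no findings are omitted."""
    report = {}
    for name, cfg in functions.items():
        issues = ["publicly invokable (Principal * with no Condition)"] if public_invoke(cfg["invoke_policy"]) else []
        issues += [f"broad role permission {a} on {r}" for a, r in wildcard_permissions(cfg["role_policy"])]
        if issues:
            report[name] = issues
    return report
```

Running `audit(FUNCTIONS)` reports only `public-webhook`; the event-triggered function passes because its invoke permission is conditioned on a source ARN and its role is scoped to one table.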
4. Security Improves Visibility and Control
The serverless architecture abstracts away the underlying infrastructure from developers, leaving them with a limited ability to understand what's happening in their applications. Data transmitted between functions can offer valuable insights into application performance and behavior, but collecting it can be a challenge.
Implementing a security plan is a perfect opportunity to intercept this data in order to identify usage patterns and trends, scan for potential weaknesses, and detect anomalies. In turn, this will help your teams strengthen the security of the overall application and regain some control over the environment.
2019 is going to be an important year for serverless. With more organizations deploying serverless workloads and hosting their applications with FaaS providers, the need to plan and bake security into serverless architectures increases. Get a head start by securing your serverless functions today.