Securing serverless computing, the latest cloud paradigm [Q&A]
The cloud-skills shortage has made security a major challenge for enterprises. In fact, virtually every data breach in the cloud today is due to human error, rather than brilliant hacking. Hackers don't even bother launching attacks in the public cloud; they simply look for misconfigured systems that leave data exposed.
Against this backdrop, a whole new cloud model is taking hold -- serverless computing. In a world where cloud certifications and security skills are already in short supply and causing chaos in the cloud, what will serverless computing do to compound that problem for enterprises? Is it possible for organizations to avoid making the same mistakes with this new paradigm that they are making in traditional cloud environments?
To shed some light on this issue, we spoke with Joe Vadakkan, cloud security leader at Optiv Security, the world's largest security solutions integrator.
BN: What is serverless computing?
JV: Serverless computing, or Function-as-a-Service (FaaS), is a cloud computing model that enables developers to deploy and run individual code functions rather than having to deploy entire applications. Services such as AWS Lambda and Microsoft Azure Functions, which are rapidly growing in popularity, offer FaaS platforms that make serverless computing and true utility computing a reality by allowing developers to deploy code functions in the cloud, rather than entire applications, and only pay for the exact resource usage of those functions in a completely automated environment, rather than pre-paying for capacity to run entire applications that require human management. So, instead of deploying an application in a discrete virtual machine, developers deploy their application functionality directly onto a FaaS platform, and all the underlying traditional server capabilities (compute, memory, backup, storage, etc.) are abstracted out and taken care of by the cloud provider.
This model provides a number of benefits to developers, including reduced security overhead, cost-savings, increased productivity and auto-scaling, which is why we're seeing an uptick in adoption of this new cloud paradigm.
BN: How is it different from traditional cloud computing?
JV: Serverless computing is a type of cloud computing, but there are two major differences between the two models that are important to note. First, serverless computing automates security and database management tasks, such as patching, storage and backup, that, in a traditional cloud environment, end users are responsible for managing manually.
The second major difference between the two computing models is in the division of responsibilities between the cloud provider and the application owner. In a traditional cloud environment, end users are responsible for securing operating systems, applications and data. With serverless computing, more of the responsibility for securing the underlying platform is offloaded to the cloud provider, so developers really only need to focus on securing the data and the code layer.
BN: Organizations continue to face cloud security challenges, and now serverless computing is in the picture. What makes it difficult to secure these environments?
JV: First, the good news. Because, in a serverless environment, the onus of securing the underlying infrastructure is delegated to the cloud provider rather than the end user, developers can rely on the cloud provider’s security expertise, rather than trying to become experts themselves. This should help improve organizations’ security postures, while freeing developers to focus on what they do best: writing and deploying code.
That said, serverless environments come with their own share of security challenges. Chief among them is developers deploying code in FaaS environments without even consulting their security organizations, which opens the door to significant risk from code-injection/modification attacks and the like. For example, a bad actor could alter code or a program flow to say, 'instead of doing X, do Y' (think changing IoT telemetry signals in the injection), which explodes the attack surface.
User and function access are also major concerns. If users and functions have more access than is necessary, the damage following an attack will be far worse than if the proper access controls were enforced.
BN: How can enterprises go about developing sound strategies for securing serverless environments?
JV: First and foremost, organizations need to prioritize security at the start of any serverless business initiatives, rather than leaving it as an afterthought. We're starting to see more organizations take this approach with a DevSecOps model.
Other important elements of a secure serverless environment include:
- Encryption -- It's not uncommon to see organizations storing 'secret' information, such as API keys, passwords and configuration settings, in plain text. In today’s sophisticated threat landscape, this is no longer acceptable. Security teams must ensure keys in functions are handled properly in other ways such as KMS functionality, parameter stores and lambda handlers. They must also ensure all data -- both at rest and in transit -- is encrypted.
- Identity and access management (IAM) -- Too often developers have more access than they need to build, deploy and modify code, and functions have universal access to all 'secrets' and resources from all environments. Security teams must identify who’s developing code and functions, and then implement the right access controls. Follow the principle of least-privileged access, which gives users only the access rights they need to successfully perform their jobs and functions only the privileges required to complete the intended logic. IAM is one of the most effective ways to segment resources and limit exposure in the event of an attack.
- Security at the code level -- With serverless computing, the potential attack targets aren’t at the server level anymore; they're at the code level. Given this, security teams must integrate security controls into the application code itself to prevent code-injection attacks and other means of exploitation.
- Real-time monitoring and logging solutions -- Some serverless computing vendors do provide logging capabilities, but, often, they're not robust enough to provide complete security and audit monitoring. Deploying solutions that aggregate logs from various serverless functions and cloud services and then send them to a security information and event management (SIEM) system can be very impactful when it comes to threat detection and incident response.
Most importantly, organizations must take the time to identify and learn from the mistakes they made when attempting to secure cloud environments, so they don't repeat them in the serverless world.
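As an added illustration of the Encryption and IAM items above (not part of the interview), the following Python sketch audits function definitions for plaintext secrets in environment variables and for wildcard permissions. The definition layout, the function names, the account ID and the convention that a secret is referenced by a parameter path or ARN are assumptions made for the example; the policy fields follow the IAM policy JSON format.

```python
import re

# Names that suggest a secret is stored in the variable (heuristic, assumed).
SECRET_NAME = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY)", re.I)
# Values treated as references to a managed store rather than the secret itself
# (assumed convention: SSM parameter path or Secrets Manager / SSM ARN).
REFERENCE = re.compile(r"^(/[\w./-]+|arn:aws:(secretsmanager|ssm):.+)$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_function(fn):
    """Return a sorted list of findings for one function definition."""
    findings = []
    for name, value in fn.get("environment", {}).items():
        if SECRET_NAME.search(name) and not REFERENCE.match(value):
            findings.append(f"{fn['name']}: plaintext secret in env var {name}")
    for stmt in fn.get("policy", {}).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        broad = [a for a in actions if a == "*" or a.endswith(":*")]
        if broad:
            findings.append(f"{fn['name']}: wildcard action {broad[0]}")
        if "*" in resources:
            findings.append(f"{fn['name']}: Allow on Resource '*'")
    return sorted(findings)

# Constructed sample definitions (not from any real account).
FUNCTIONS = [
    {"name": "telemetry-ingest",
     "environment": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"},
     "policy": {"Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"name": "telemetry-ingest-fixed",
     "environment": {"DB_PASSWORD_PARAM": "/prod/telemetry/db_password",
                     "LOG_LEVEL": "info"},
     "policy": {"Statement": [
         {"Effect": "Allow", "Action": ["ssm:GetParameter"],
          "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/prod/telemetry/db_password"}]}},
]

if __name__ == "__main__":
    for fn in FUNCTIONS:
        for line in audit_function(fn) or [f"{fn['name']}: no findings"]:
            print(line)
```

The first definition yields three findings; the second, which stores only a parameter path and grants a single read action on that one parameter, yields none.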