Serverless Security: Are You Getting it Right?

What Is Serverless Computing?

A serverless architecture allows users to write and deploy code without worrying about the infrastructure. Companies using backend services from serverless providers are billed according to the number of times their code, broken down into functional units called “serverless functions”, is executed. These services scale automatically so you don’t have to reserve and pay for a fixed bandwidth or certain number of servers.

Serverless still uses servers, but developers don’t need to be aware of the server, or have any interaction with it. Serverless systems typically connect to databases, commonly managed services like Amazon Aurora or DynamoDB, so they can scale dynamically together with the serverless application.

Serverless goes one step beyond a cloud infrastructure model, which provides automated scalability, but requires the user to manage this scalability and manage the virtual machines running on the cloud resources. Serverless computing allows you to purchase backend services on a true “pay-as-you-go” basis, meaning you only pay for actual usage of your application.

What is Serverless Security?

Serverless security requires a paradigm shift in application security. Rather than relying on next-generation firewalls to secure the application, organizations need to build security into the functionality of their applications, which are hosted by third-party cloud providers.

This additional layer of security must ensure hardening of applications, and access control based on the least privilege principle, so each serverless function does exactly what it was meant to do, no more and no less. There are several serverless security vendors, each providing unique solutions.

Challenges of Serverless Security

Designing a serverless architecture and application security solution is difficult, for a number of reasons:

  • Expanded attack surface - serverless capabilities can communicate with HTTP APIs, cloud storage, IoT devices, and more. Also, some message structures are invisible to standard Web Application Firewalls (WAF).
  • Monitoring tools can’t see serverless - serverless applications are partially or entirely invisible to traditional monitoring tools, especially if the serverless application uses an interface other than HTTP.
  • Traditional security tools are ineffective - many traditional security tools, like antivirus, endpoint protection and intrusion protection systems (IPS) are based on hosts. In serverless environments the host is not known and there is no way to directly secure virtual machines or operating systems.
  • Special requirements - in a serverless architecture, there is a need to inspect cloud API calls, which cannot be done by traditional WAF or IPS. Serverless functions can be triggered by multiple types of events, each of which has a unique format. Cloud native application triggers may be invisible to application security tools, because the tools are unfamiliar with the data format, or because they cannot be deployed inline between the triggering service and the serverless function.

Serverless Security Best Practices

Stay Up to Date

Even though serverless is a hosted infrastructure, you are still responsible for ensuring the security of the application itself. One of the most effective ways to ensure application security is keeping all components up to date. Check if you are using third-party software that has known vulnerabilities and needs to be patched.

One thing that is often forgotten when updating software is that you also need to identify and update component dependencies, especially if your application uses open source components. One component may have a large tree of dependencies, each of which might contain a vulnerability, and can threaten the security of the entire application. Automated tools can help you identify all open source components, their dependencies, and existing vulnerabilities.
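The sketch below is an added example, not code from the article or from any particular scanner. It walks a dependency graph and reports which direct dependencies of a function pull in a vulnerable package, even when that package is several levels down. The package names, the graph and the advisory identifier are constructed placeholders.

```python
from collections import deque

# Constructed dependency graph: package -> packages it depends on.
DEPENDS_ON = {
    "my-function": ["http-client", "image-lib", "date-utils"],
    "http-client": ["url-parser", "tls-shim"],
    "image-lib": ["zlib-wrapper", "url-parser"],
    "zlib-wrapper": ["tls-shim"],
    "date-utils": [],
    "url-parser": [],
    "tls-shim": [],
}

# Constructed advisory feed: vulnerable package -> placeholder advisory id.
ADVISORIES = {"tls-shim": "EXAMPLE-ADVISORY-1"}


def reachable(start, graph):
    """Every package reachable from start, including start itself."""
    seen, queue = {start}, deque([start])
    while queue:
        for dep in graph.get(queue.popleft(), []):
            if dep not in seen:  # the seen set also protects against cycles
                seen.add(dep)
                queue.append(dep)
    return seen


def introduced_by(root, graph, advisories):
    """Map each vulnerable package to the direct dependencies of root
    that bring it in, so it is clear which components need upgrading."""
    report = {}
    for direct in graph.get(root, []):
        for pkg in sorted(reachable(direct, graph)):
            if pkg in advisories:
                report.setdefault(pkg, []).append(direct)
    return report


if __name__ == "__main__":
    for pkg, parents in introduced_by("my-function", DEPENDS_ON, ADVISORIES).items():
        print(f"{pkg} ({ADVISORIES[pkg]}) is pulled in by: {', '.join(parents)}")
```

Here the function never names `tls-shim` directly, yet two of its three direct dependencies bring it in, one of them through a second-level dependency.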

Upgrading software components typically requires a development effort. There are automated tools that can help you auto-apply a patch to close a specific security vulnerability, without having an effect on the rest of the system.

Watch the Logs

When you start using serverless infrastructure, the environment becomes noisy and changes much faster. The large number of requests sent with a serverless architecture means that you can miss a function that has a vulnerability or is experiencing security incidents.

The first step in tackling this issue is to use log analysis, to identify anomalies in your logs across large scale serverless applications. As a second step, consider using one of several new serverless monitoring tools that can provide in-depth insights into security issues and bugs in serverless components.
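As an added example (not from the article or any monitoring product), the following shows one simple form of log analysis: count invocations and errors per function per minute, then flag any function whose latest minute deviates sharply from its own baseline. The `minute function status` log format and the sample data are constructed for the illustration.

```python
import statistics
from collections import Counter, defaultdict


def build_sample_log():
    """Constructed log lines in the form 'minute function status'."""
    lines = []
    for minute in range(10):
        # checkout: about 20 calls per minute, then a burst in the last minute
        calls = 20 + (minute % 3) if minute < 9 else 400
        lines += [f"{minute} checkout ok"] * calls
        # thumbnail: steady volume, but errors jump in the last minute
        errors = 1 if minute < 9 else 15
        lines += [f"{minute} thumbnail ok"] * (30 - errors)
        lines += [f"{minute} thumbnail error"] * errors
    return lines


def per_minute(lines):
    """Return (calls, errors), each mapping function -> minute -> count."""
    calls, errors = defaultdict(Counter), defaultdict(Counter)
    for line in lines:
        minute, fn, status = line.split()
        calls[fn][int(minute)] += 1
        if status == "error":
            errors[fn][int(minute)] += 1
    return calls, errors


def anomalies(lines, threshold=3.0, min_history=5):
    """Flag (function, metric, latest_count) when the latest minute is more
    than `threshold` standard deviations above that function's history."""
    calls, errors = per_minute(lines)
    if not calls:
        return []
    minutes = [m for series in calls.values() for m in series]
    earliest, latest = min(minutes), max(minutes)
    flagged = []
    for metric, table in (("invocations", calls), ("errors", errors)):
        for fn, series in sorted(table.items()):
            history = [series[m] for m in range(earliest, latest)]
            if len(history) < min_history:
                continue  # not enough baseline to judge
            mean = statistics.mean(history)
            # Floor the spread at 1.0 so a flat baseline neither divides
            # by zero nor flags a single extra call.
            spread = max(statistics.pstdev(history), 1.0)
            if (series[latest] - mean) / spread > threshold:
                flagged.append((fn, metric, series[latest]))
    return flagged


if __name__ == "__main__":
    for fn, metric, count in anomalies(build_sample_log()):
        print(f"{fn}: unusual {metric} in latest minute ({count})")
```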

Adopt the Principle of Least Privilege

A serverless function represents a small piece of functionality, so it is easy to minimize the set of permissions assigned to each function, using the principle of least privilege. Make sure you only allow a function to access something if it is essential for it to operate correctly. Just this simple measure can dramatically reduce the attack surface.

For example, many functions do not require access to a database or any external server. In this case, isolate them from external communications, preventing attackers from accessing them or using them to escalate privileges or communicate with their home base, after compromising part of your serverless application.

Employ API Gateways as a Security Buffer

Serverless functions are typically publicly accessible through randomly generated HTTP endpoints. They use these endpoints to receive data and handle events. A good way to expose a function is via an API gateway, which acts as a reverse proxy and provides separation between users and serverless functions.

An API Gateway, essentially a front-end API interface for consumers of the serverless app, provides multiple security mechanisms that can help reduce the attack surface.

Conclusion

This article discussed the serverless computing architecture, and a few of the unique security challenges it introduces, including an expanded attack surface and the difficulty of monitoring serverless applications with traditional tools. The article provided several best practices that can help improve serverless security:

  • Keeping application components up to date
  • Log collection and analysis
  • Using the principle of least privilege
  • Using API gateways

Hopefully, this will be a great start to securing your serverless applications.

Author Bio: Gilad David Maayan

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.

LinkedIn: https://www.linkedin.com/in/giladdavidmaayan/
