Serverless And The Evolution In Cloud Security, How FaaS Differs From IaaS

Security is a shared responsibility between the cloud provider and the customer. This shared model can help relieve customer’s operational burden as cloud providers operate, manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.

Up until recently, when deploying applications on IaaS platforms such as AWS EC2 instances, the customer assumed responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the network firewalls in the cloud. With virtual instances, customers needed to carefully consider the services they choose as their responsibilities varied depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.

With the introduction of serverless computing (FaaS – Function as a Service), security responsibility shifted even more towards cloud providers and many tasks are now offloaded from customers, leaving customers to concentrate on their core business.

Sponsorships Available

Sponsorships Available

Sponsorships Available

From a security point of view – serverless computing provides a dramatic boost in the level of security that can be achieved by relying on the expertise of cloud providers to secure the environment, and coupling that with a best of breed serverless security platform such as PureSec, which was developed from the ground up for securing serverless applications in a cloud-native manner.

Offloading Security Responsibility

It’s quite common to hear people state that when adopting serverless architectures, organizations don’t have to deal with the security of the underlying platform. But how much benefit really hides under that blanket statement?  

Lets briefly enumerate the core security requirements and tasks that organizations need to handle in order to build and maintain secure applications. The items are listed bottom-up, starting with physical security and all the way up to the application layer.

1. Physical infrastructure, access restrictions to physical perimeter and hardware
2. Secure configuration of infrastructure devices and systems
3. Regularly testing the security of all systems/processes (OS, services)
4. Identification & authentication of access to systems (OS, services)
5. Patching and fixing flaws in OS
6. Hardening OS and services
7. Protecting all systems against malware and backdoors
8. Patching and fixing flaws in runtime environment and related software packages
9. Exploit prevention & memory protection
10. Network segmentation
11. Tracking & monitoring all network resources and access
12. Installation & maintenance of network firewalls
13. Network-layer DoS protection
14. Authentication of users
15. Authorization controls when accessing application & data
16. Log and maintain audit trails of all access to application & data
17. Deploy an application layer firewall for event-data inspection
18. Detect & fix vulnerabilities in 3rd party dependencies
19. Use least-privileged IAM roles & permissions
20. Enforce legitimate application behavior
21. Data leak prevention
22. Scan code & configurations statically during development
23. Maintain serverless/cloud asset inventory
24. Remove obsolete/unused cloud services & functions
25. Continuously monitor errors & security incidents

Now lets see how these requirements and tasks were divided between the cloud provider and the customer, when using IaaS instances as the underlying platform for application development:

IaaS

CLOUD PROVIDER RESPONSIBILITY:

1. Physical infrastructure, access restrictions to physical perimeter and hardware
2. Secure configuration of infrastructure devices and systems

CUSTOMER RESPONSIBILITY:

3. Regularly testing the security of all systems/processes (OS, services)
4. Identification & authentication of access to systems (OS, services)
5. Patching and fixing flaws in OS
6. Hardening OS and services
7. Protecting all systems against malware and backdoors
8. Patching and fixing flaws in runtime environment and related software packages
9. Exploit prevention & memory protection
10. Network segmentation
11. Tracking & monitoring all network resources and access
12. Installation & maintenance of network firewalls
13. Network-layer DoS protection
14. Authentication of users
15. Authorization controls when accessing application & data
16. Log and maintain audit trails of all access to application & data
17. Deploy an application layer firewall for event-data inspection
18. Detect & fix vulnerabilities in 3rd party dependencies
19. Use least-privileged IAM roles & permissions
20. Enforce legitimate application behavior
21. Data leak prevention
22. Scan code & configurations statically during development
23. Maintain serverless/cloud asset inventory
24. Remove obsolete/unused cloud services & functions
25. Continuously monitor errors & security incidents

Now, let’s see how these responsibilities are divided when developing applications on serverless architectures:

Serverless (FaaS)

CLOUD PROVIDER RESPONSIBILITY

1. Physical infrastructure, access restrictions to physical perimeter and hardware
2. Secure configuration of infrastructure devices and systems
3. Regularly testing the security of all systems/processes (OS, services)
4. Identification & authentication of access to systems (OS, services)
5. Patching and fixing flaws in OS
6. Hardening OS and services
7. Protecting all systems against malware and backdoors
8. Patching and fixing flaws in runtime environment and related software packages
9. Exploit prevention & memory protection
10. Network segmentation
11. Tracking & monitoring all network resources and access
12. Installation & maintenance of network firewalls
13. Network-layer DoS protection

CUSTOMER RESPONSIBILITY

14. Authentication of users
15. Authorization controls when accessing application & data
16. Log and maintain audit trails of all access to application & data
17. Deploy an application layer firewall for event-data inspection
18. Detect & fix vulnerabilities in 3rd party dependencies
19. Use least-privileged IAM roles & permissions
20. Enforce legitimate application behavior
21. Data leak prevention
22. Scan code & configurations statically during development
23. Maintain serverless/cloud asset inventory
24. Remove obsolete/unused cloud services & functions
25. Continuously monitor errors & security incidents

ROUGH COMPARISON

Even though not all tasks and requirements were created equal, and some of these are obviously much more resource/budget intensive, we can still see the huge benefits to security posture for organizations that adopt serverless. 

When developing applications on IaaS, the security responsibilities were roughly divided as following:

For serverless, things are quite different:

Bottom line – here is yet another very important reason to go serverless, Let someone else be responsible for the majority of mundane security tasks, and stay focused on developing and securing your core business logic.