Serverless And The Evolution In Cloud Security, How FaaS Differs From IaaS
Security is a shared responsibility between the cloud provider and the customer. This shared model can help relieve the customer’s operational burden, as cloud providers operate, manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
Up until recently, when deploying applications on IaaS platforms such as AWS EC2 instances, the customer assumed responsibility for and management of the guest operating system (including updates and security patches), other associated application software, and the configuration of the network firewalls in the cloud. With virtual instances, customers needed to carefully consider the services they chose, as their responsibilities varied depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.
With the introduction of serverless computing (FaaS – Function as a Service), security responsibility shifted even more towards cloud providers and many tasks are now offloaded from customers, leaving customers to concentrate on their core business.
From a security point of view – serverless computing provides a dramatic boost in the level of security that can be achieved by relying on the expertise of cloud providers to secure the environment, and coupling that with a best-of-breed serverless security platform such as PureSec, which was developed from the ground up for securing serverless applications in a cloud-native manner.
Offloading Security Responsibility
It’s quite common to hear people state that when adopting serverless architectures, organizations don’t have to deal with the security of the underlying platform. But how much benefit really hides under that blanket statement?
Let’s briefly enumerate the core security requirements and tasks that organizations need to handle in order to build and maintain secure applications. The items are listed bottom-up, starting with physical security and going all the way up to the application layer.
- Physical infrastructure, access restrictions to physical perimeter and hardware
- Secure configuration of infrastructure devices and systems
- Regularly testing the security of all systems/processes (OS, services)
- Identification & authentication of access to systems (OS, services)
- Patching and fixing flaws in OS
- Hardening OS and services
- Protecting all systems against malware and backdoors
- Patching and fixing flaws in runtime environment and related software packages
- Exploit prevention & memory protection
- Network segmentation
- Tracking & monitoring all network resources and access
- Installation & maintenance of network firewalls
- Network-layer DoS protection
- Authentication of users
- Authorization controls when accessing application & data
- Log and maintain audit trails of all access to application & data
- Deploy an application layer firewall for event-data inspection
- Detect & fix vulnerabilities in 3rd party dependencies
- Use least-privileged IAM roles & permissions
- Enforce legitimate application behavior
- Data leak prevention
- Scan code & configurations statically during development
- Maintain serverless/cloud asset inventory
- Remove obsolete/unused cloud services & functions
- Continuously monitor errors & security incidents
Now let’s see how these requirements and tasks were divided between the cloud provider and the customer when using IaaS instances as the underlying platform for application development:
IaaS
CLOUD PROVIDER RESPONSIBILITY:
- Physical infrastructure, access restrictions to physical perimeter and hardware
- Secure configuration of infrastructure devices and systems
CUSTOMER RESPONSIBILITY:
- Regularly testing the security of all systems/processes (OS, services)
- Identification & authentication of access to systems (OS, services)
- Patching and fixing flaws in OS
- Hardening OS and services
- Protecting all systems against malware and backdoors
- Patching and fixing flaws in runtime environment and related software packages
- Exploit prevention & memory protection
- Network segmentation
- Tracking & monitoring all network resources and access
- Installation & maintenance of network firewalls
- Network-layer DoS protection
- Authentication of users
- Authorization controls when accessing application & data
- Log and maintain audit trails of all access to application & data
- Deploy an application layer firewall for event-data inspection
- Detect & fix vulnerabilities in 3rd party dependencies
- Use least-privileged IAM roles & permissions
- Enforce legitimate application behavior
- Data leak prevention
- Scan code & configurations statically during development
- Maintain serverless/cloud asset inventory
- Remove obsolete/unused cloud services & functions
- Continuously monitor errors & security incidents
Now, let’s see how these responsibilities are divided when developing applications on serverless architectures:
Serverless (FaaS)
CLOUD PROVIDER RESPONSIBILITY:
- Physical infrastructure, access restrictions to physical perimeter and hardware
- Secure configuration of infrastructure devices and systems
- Regularly testing the security of all systems/processes (OS, services)
- Identification & authentication of access to systems (OS, services)
- Patching and fixing flaws in OS
- Hardening OS and services
- Protecting all systems against malware and backdoors
- Patching and fixing flaws in runtime environment and related software packages
- Exploit prevention & memory protection
- Network segmentation
- Tracking & monitoring all network resources and access
- Installation & maintenance of network firewalls
- Network-layer DoS protection
CUSTOMER RESPONSIBILITY:
- Authentication of users
- Authorization controls when accessing application & data
- Log and maintain audit trails of all access to application & data
- Deploy an application layer firewall for event-data inspection
- Detect & fix vulnerabilities in 3rd party dependencies
- Use least-privileged IAM roles & permissions
- Enforce legitimate application behavior
- Data leak prevention
- Scan code & configurations statically during development
- Maintain serverless/cloud asset inventory
- Remove obsolete/unused cloud services & functions
- Continuously monitor errors & security incidents
ROUGH COMPARISON
Even though not all tasks and requirements were created equal, and some of these are obviously much more resource- and budget-intensive, we can still see the huge benefits to security posture for organizations that adopt serverless.
When developing applications on IaaS, the security responsibilities were roughly divided as follows:
For serverless, things are quite different:
Bottom line – here is yet another very important reason to go serverless: let someone else be responsible for the majority of mundane security tasks, and stay focused on developing and securing your core business logic.
*** This is a Security Bloggers Network syndicated blog from PureSec Blog (Launch) authored by Ory Segal, PureSec CTO. Read the original post at: https://www.puresec.io/blog/serverless-and-the-evolution-in-cloud-security