Serverless And The Evolution In Cloud Security, How FaaS Differs From IaaS

Security is a shared responsibility between the cloud provider and the customer. This shared model can help relieve customer’s operational burden as cloud providers operate, manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.

Up until recently, when deploying applications on IaaS platforms such as AWS EC2 instances, the customer assumed responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the network firewalls in the cloud. With virtual instances, customers needed to carefully consider the services they choose as their responsibilities varied depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.

With the introduction of serverless computing (FaaS – Function as a Service), security responsibility shifted even more towards cloud providers and many tasks are now offloaded from customers, leaving customers to concentrate on their core business.

From a security point of view – serverless computing provides a dramatic boost in the level of security that can be achieved by relying on the expertise of cloud providers to secure the environment, and coupling that with a best of breed serverless security platform such as PureSec, which was developed from the ground up for securing serverless applications in a cloud-native manner.

list of security tasks

Offloading Security Responsibility

It’s quite common to hear people state that when adopting serverless architectures, organizations don’t have to deal with the security of the underlying platform. But how much benefit really hides under that blanket statement?  

Lets briefly enumerate the core security requirements and tasks that organizations need to handle in order to build and maintain secure applications. The items are listed bottom-up, starting with physical security and all the way up to the application layer.

  1. Physical infrastructure, access restrictions to physical perimeter and hardware
  2. Secure configuration of infrastructure devices and systems
  3. Regularly testing the security of all systems/processes (OS, services)
  4. Identification & authentication of access to systems (OS, services)
  5. Patching and fixing flaws in OS
  6. Hardening OS and services
  7. Protecting all systems against malware and backdoors
  8. Patching and fixing flaws in runtime environment and related software packages
  9. Exploit prevention & memory protection
  10. Network segmentation
  11. Tracking & monitoring all network resources and access
  12. Installation & maintenance of network firewalls
  13. Network-layer DoS protection
  14. Authentication of users
  15. Authorization controls when accessing application & data
  16. Log and maintain audit trails of all access to application & data
  17. Deploy an application layer firewall for event-data inspection
  18. Detect & fix vulnerabilities in 3rd party dependencies
  19. Use least-privileged IAM roles & permissions
  20. Enforce legitimate application behavior
  21. Data leak prevention
  22. Scan code & configurations statically during development
  23. Maintain serverless/cloud asset inventory
  24. Remove obsolete/unused cloud services & functions
  25. Continuously monitor errors & security incidents

Now lets see how these requirements and tasks were divided between the cloud provider and the customer, when using IaaS instances as the underlying platform for application development:

IaaS

CLOUD PROVIDER RESPONSIBILITY:

  1. Physical infrastructure, access restrictions to physical perimeter and hardware
  2. Secure configuration of infrastructure devices and systems

CUSTOMER RESPONSIBILITY:

  1. Regularly testing the security of all systems/processes (OS, services)
  2. Identification & authentication of access to systems (OS, services)
  3. Patching and fixing flaws in OS
  4. Hardening OS and services
  5. Protecting all systems against malware and backdoors
  6. Patching and fixing flaws in runtime environment and related software packages
  7. Exploit prevention & memory protection
  8. Network segmentation
  9. Tracking & monitoring all network resources and access
  10. Installation & maintenance of network firewalls
  11. Network-layer DoS protection
  12. Authentication of users
  13. Authorization controls when accessing application & data
  14. Log and maintain audit trails of all access to application & data
  15. Deploy an application layer firewall for event-data inspection
  16. Detect & fix vulnerabilities in 3rd party dependencies
  17. Use least-privileged IAM roles & permissions
  18. Enforce legitimate application behavior
  19. Data leak prevention
  20. Scan code & configurations statically during development
  21. Maintain serverless/cloud asset inventory
  22. Remove obsolete/unused cloud services & functions
  23. Continuously monitor errors & security incidents

Now, let’s see how these responsibilities are divided when developing applications on serverless architectures:

Serverless (FaaS)

CLOUD PROVIDER RESPONSIBILITY

  1. Physical infrastructure, access restrictions to physical perimeter and hardware
  2. Secure configuration of infrastructure devices and systems
  3. Regularly testing the security of all systems/processes (OS, services)
  4. Identification & authentication of access to systems (OS, services)
  5. Patching and fixing flaws in OS
  6. Hardening OS and services
  7. Protecting all systems against malware and backdoors
  8. Patching and fixing flaws in runtime environment and related software packages
  9. Exploit prevention & memory protection
  10. Network segmentation
  11. Tracking & monitoring all network resources and access
  12. Installation & maintenance of network firewalls
  13. Network-layer DoS protection

CUSTOMER RESPONSIBILITY

  1. Authentication of users
  2. Authorization controls when accessing application & data
  3. Log and maintain audit trails of all access to application & data
  4. Deploy an application layer firewall for event-data inspection
  5. Detect & fix vulnerabilities in 3rd party dependencies
  6. Use least-privileged IAM roles & permissions
  7. Enforce legitimate application behavior
  8. Data leak prevention
  9. Scan code & configurations statically during development
  10. Maintain serverless/cloud asset inventory
  11. Remove obsolete/unused cloud services & functions
  12. Continuously monitor errors & security incidents

ROUGH COMPARISON

Even though not all tasks and requirements were created equal, and some of these are obviously much more resource/budget intensive, we can still see the huge benefits to security posture for organizations that adopt serverless. 

When developing applications on IaaS, the security responsibilities were roughly divided as following:

IaaS-1

For serverless, things are quite different:

FaaS

Bottom line – here is yet another very important reason to go serverless, Let someone else be responsible for the majority of mundane security tasks, and stay focused on developing and securing your core business logic. 



*** This is a Security Bloggers Network syndicated blog from PureSec Blog (Launch) authored by Ory Segal, PureSec CTO. Read the original post at: https://www.puresec.io/blog/serverless-and-the-evolution-in-cloud-security