‘Function-as-a-service’ or serverless computing is a boon to several enterprises, simplifying the process of code development and deployment while enhancing server resource utilization and curtailing security overhead. Cloud providers are on their guard, heading toe-to-toe with security concerns, and as they identify and patch OS vulnerabilities, new attack surfaces are buoyed by new components. The term serverless computing is a controversy in itself and there is no clear definition to it, although being the latest trend in the industry.
While serverless designs are going mainstream in light of their undeniable business advantages, the misplaced assumption that serverless computing is secure has brought significant challenges. One of the important challenges to be addressed is to combat the myth – ‘providers take care of the security’ – after which the real work gets started.
Security in Serverless Computing
Provided with the infancy of serverless, security and development teams are struggling to understand and deal with the unique risks it entails. Several current-generation security systems depend on underlying servers, guest operating systems, virtual containers, virtual network interfaces, databases, and virtual machines. These underlying components are neither readily accessible nor persistent when application developers choose to implement a serverless infrastructure.
Several enterprise security teams are striving to come up with novel solutions that secure APIs and modern applications built on serverless frameworks like Google Cloud Functions, Azure Functions, and Amazon Lambda. DevOps teams are the early adopters of technology and innovators. Seeking permission to build apps with serverless is not required for DevOps teams and they are primary responders of security problems identified in serverless APIs and applications.
Serverless applications remain a blind spot for enterprise IT and security professionals. Security and IT teams have commenced weighing-in to gain increased visibility and actionable insights on new, potential risks, as organizations achieve experience and reap the financial advantages of serverless computing.
Potential Risks for Serverless Applications
Currently, most organizations are emphasizing the deployment of serverless architecture as they take their baby steps into this latest computing trend. The Cloud Security Alliance has drafted its new report – ‘The 12 Most Critical Risks for Serverless Applications 2019’ – to help IT organizations in successfully building reliable, secure, and robust applications. The drafted document offers intelligence on the most prominent risks for serverless architectures, namely,
- Function event data injection
- Broken authentication
- Insecure serverless deployment configuration
- Over-privileged function permissions and roles
- Inadequate function logging and monitoring
- Insecure third-party dependencies
- Insecure application secret storage
- Financial resource exhaustion and denial of services
- Serverless business logic manipulation
- Verbose error messages and improper exception handling
- Event triggers, cloud resources, and obsolete functions
- Cross-execution data persistency
The objective of security is to enable safe data handling, i.e., mapping out the organizational data in the serverless world. One may trust but has to verify the doings of their provider while monitoring their applications. Despite most of the issues that have been noted, it is not recommended to set policies to ebb serverless adoption. Organizations must focus on encouraging their security teams to allow businesses to benefit from new innovations with insightful data around risks.
Security teams must provide an automated analysis, which enables DevOps teams and software engineers to quickly discover & inspect all serverless and API services published and consumed by their organizations. These new APIs are considered to be the radical bond that interconnects serverless applications to all the other components.