Serverless computing (aka Function-as-a-Service) has been a boon to many enterprises: it simplifies the code development and deployment processes while improving utilization of server resources, minimizing costs and reducing security overhead.
“Serverless infrastructure adoption is growing faster than most people realize,” says Doug Dooley, COO of modern application security provider Data Theorem. “It is outpacing virtual container (e.g., Docker) adoption by more than 2X in the past 4 years. And the impact of this rapid adoption to enterprise security is substantial.”
Serverless computing and security
Serverless computing adds simplicity and a new economic model to cloud computing. By using public cloud offerings to deploy the serverless application execution model, enterprises also offload more security duties to the cloud provider.
The enterprise is left with the responsibility to secure the application layer: managing and monitoring access to the application(s) and the data, enforcing legitimate application behavior, monitoring for errors and security incidents, and so on.
But given that serverless computing is a relatively new technology, many development and security teams struggle with understanding and dealing with the unique security risks it creates.
“Many of the current generation security tools rely on being able to attach to the underlying servers, virtual machines, guest operating systems, databases, virtual containers, and virtual network interfaces,” Dooley notes.
“Once an application developer chooses to build upon a serverless infrastructure, those underlying components are no longer persistent nor readily accessible. As a result, many enterprise security teams are scrambling to come up with new solutions that will work to secure modern applications and APIs built on serverless frameworks such as Amazon Lambda, Azure Functions, and Google Cloud Functions.”
The most pressing security challenges of serverless adoption
Shadow APIs popping up within enterprise environments are definitely a concern, given that:
- Cloud providers are invested in making it easier, faster, and cheaper to build large scale applications on their platforms, and
- Serverless is software engineers’ and DevOps teams’ preferred technique for making back-end applications and APIs grow to enormous scale.
Cold-start issues and potential denial-of-wallet (DoW) attacks may present significant challenges.
The former may arise because serverless applications are accessed infrequently and may need extra time before enough instances of virtual containers and databases are able to respond in a timely fashion. Though, Dooley notes, new solutions are being developed to counteract these issues and to ensure security tools do not misdiagnose the applications as being offline.
The latter may result in massive unexpected costs.
“When a DoS attack occurs on most applications, the intended result is to cripple the application from being able to respond to new requests because it is tied up and resources are overwhelmed by a large number of fake requests initiated by the DoS attacker,” he explains.
“However, in the case of serverless applications, the responsibility of scaling enough infrastructure to deal with new application requests is passed to the cloud provider. If the scaling of the serverless application does not have an upper-limit, the result of a DoS attack could be a massive financial burden to the application developer. Hence, the term denial-of-wallet due to the enterprise’s inability to sustain the high costs of this type of attack.”
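As an added example (not from the article, Data Theorem, or any cloud provider), the check below applies Dooley's point about an upper limit: it walks a constructed inventory of functions, flags any that are reachable without credentials and have no per-function concurrency cap, and bounds the compute-seconds and invocations one hour of sustained flooding could bill at the effective ceiling. The inventory, the account-wide limit and the field names are assumptions; in a real account they would be filled from the provider's function-listing and concurrency APIs.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed value: providers impose a default account-wide concurrency pool
# that applies when a function has no reservation of its own.
ACCOUNT_CONCURRENCY_LIMIT = 1000


@dataclass
class FunctionConfig:
    name: str
    memory_mb: int
    avg_duration_ms: int
    reserved_concurrency: Optional[int]  # None: draws from the shared account pool
    public_trigger: bool                 # invocable from the internet without credentials


def hourly_exposure(fn: FunctionConfig, ceiling: int) -> tuple[float, float]:
    """Upper bound for one hour of flooding at `ceiling` concurrent executions.

    GB-seconds depend only on concurrency, time and memory (duration cancels out);
    the invocation count depends on how quickly each execution finishes.
    """
    gb_seconds = ceiling * 3600 * (fn.memory_mb / 1024)
    invocations = ceiling * (3_600_000 / fn.avg_duration_ms)
    return gb_seconds, invocations


def assess(inventory: list[FunctionConfig], account_limit: int = ACCOUNT_CONCURRENCY_LIMIT) -> list[dict]:
    """Rate each function's denial-of-wallet exposure and return one finding per function."""
    findings = []
    for fn in inventory:
        ceiling = fn.reserved_concurrency if fn.reserved_concurrency is not None else account_limit
        gb_s, inv = hourly_exposure(fn, ceiling)
        if fn.reserved_concurrency is None and fn.public_trigger:
            severity = "high"    # anonymous trigger + no per-function cap: scaling is unbounded
        elif fn.reserved_concurrency is None:
            severity = "medium"  # capped only by the account pool, which sibling functions share
        else:
            severity = "ok"
        findings.append({"name": fn.name, "severity": severity, "ceiling": ceiling,
                         "gb_seconds_per_hour": gb_s, "invocations_per_hour": inv})
    return findings


# Constructed inventory standing in for a real function listing.
INVENTORY = [
    FunctionConfig("checkout-api", 1024, 200, None, True),
    FunctionConfig("nightly-report", 512, 5000, None, False),
    FunctionConfig("image-thumbnail", 256, 800, 50, True),
]

if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"{f['severity']:6} {f['name']:16} ceiling={f['ceiling']:5} "
              f"GB-s/h={f['gb_seconds_per_hour']:,.0f} invocations/h={f['invocations_per_hour']:,.0f}")
```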
But, so far, the most pressing challenge seems to be visibility.
“If you ask any IT or information security leader how many of their business applications and APIs are attached to serverless infrastructure, you will likely receive more questions than answers,” he says.
DevOps teams are the innovators and early adopters of serverless applications, and they do not need to ask permission to build applications with serverless. They are also, by default, the first responders to security issues found on serverless applications and APIs.
“[Serverless applications] are a blind spot for most enterprise IT and security leaders. But, as organizations gain experience and reap the financial benefits of using serverless, IT and security teams will start to weigh in to gain greater visibility and insights on the new threats and potential risks of using this new architecture.”
Advice for CISOs
Despite all of the issues noted, Dooley counsels CISOs not to set policies to stop serverless adoption within the enterprise.
He believes that any attempt to do so would be as pointless as the attempts to prevent the adoption of mobile, cloud, and SaaS services, and would leave the CISO viewed as an inhibitor of innovation, savings, and business agility.
Instead, he advises them to encourage their security teams to enable the business to take advantage of new innovations like serverless with insightful data around security and risks.
“Security teams can provide automated analysis that allows software engineers and DevOps teams to quickly discover and inspect all the new serverless and API services that their organizations are publishing and consuming. These new APIs are the foundational bond that interconnect serverless applications to everything else,” he concludes.