Serverless / Lambda Cybersecurity: Unhinged realities and magnitude impacts
These past six months I have had the privilege of developing and building the cybersecurity strategy for the global digital products of an industry leader. We are working with traditional end-client products, serverless architecture (i.e., Amazon Lambda), IoT, and our own firmware that is used by millions every day. While I cannot share the successes, technology, and methods in full, I aim to share what I can with our community.
One aspect of this experience has been the exploration and discovery of the most suitable strategy and practical safeguards for ensuring the best customer experience across these extreme environments. My intention is to share these insights to encourage debate and development. As with any discovery, perspectives from multiple individuals create the greatest utility.
Having crafted digital strategies over the past decade, I was surprised by how easily classic concepts and assumptions were challenged. Here are a few that top my Moleskine notebook:
- Roles and classic ownership disappear
- Third parties are the product now
- Permanency doesn’t exist, so don’t look for it
I'll share greater detail on each of these observations in a future reflection, as they deserve their own deep dive given their complexity. To give you some leads for improving your own environment, here is what I have seen for each of these components.
— The RACI in the classic sense needs to be rebuilt. A solid first step is to reframe the areas of concern (the left column) to match the elements of your cybersecurity policy and app strategy. The roles should drill into the product principals and their chain of authority.
— Build a dependency inventory of the libraries, services, managed services, integrators, shims, and digital elements of your product. This requires patience and a willingness to follow each rabbit hole. Start with an XLS and move to something more dynamic and automated to be sustainable long term.
— Flux is the nature of digital products; the honeymoon of web apps or smartphone apps with a single platform and a single set of standards is gone. Adjusting the safeguard concepts and risk analysis flows, and honestly finding ways to accelerate product innovation and architecture discussions, is the key to success here.
In a serverless environment, calls and services can grow exponentially; in fact, orders of magnitude faster and more complex than most expect. As a result, innovation and buildout of these environments must be matched by similar innovation and responsiveness from across the organization. Those who have proven successful partners in this process include:
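To make the dependency-inventory item above concrete, here is an added example (not code from the original post or from the author's organization) that builds a first-pass inventory from the artifacts a serverless product already has: a Python Lambda's requirements.txt, a Node.js shim's package.json, and a CloudFormation template in JSON form. The three manifests embedded below are constructed samples, and the categories, the hypothetical partner hosts, and the layer ARN are assumptions; the point is that libraries, managed AWS services, Lambda layers and external hosts all land in one table that can seed the spreadsheet and later feed an automated pipeline.

```python
"""Build a dependency inventory for a serverless product from its manifests.

Added example, not from the original post. It assumes a Python Lambda with a
requirements.txt, a Node.js Lambda with a package.json, and a CloudFormation
template in JSON form; all three inputs below are constructed samples.
"""
import json
import re
from collections import defaultdict

# --- constructed sample manifests (not from any real project) ---
REQUIREMENTS_TXT = """\
boto3==1.28.0
requests>=2.31,<3
# transitive pin kept for reproducibility
urllib3==2.0.4
"""

PACKAGE_JSON = json.dumps({
    "name": "edge-shim",
    "dependencies": {"axios": "^1.6.0", "jsonwebtoken": "9.0.2"},
    "devDependencies": {"jest": "^29.7.0"},
})

TEMPLATE_JSON = json.dumps({
    "Resources": {
        "OrdersTable": {"Type": "AWS::DynamoDB::Table"},
        "EventQueue": {"Type": "AWS::SQS::Queue"},
        "IngestFn": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Runtime": "python3.11",
                # hypothetical layer ARN with the AWS documentation sample account id
                "Layers": ["arn:aws:lambda:us-east-1:123456789012:layer:vendor-sdk:4"],
                "Environment": {"Variables": {
                    "PARTNER_API": "https://api.partner.example/v2",
                    "TELEMETRY_URL": "https://telemetry.vendor.example/ingest",
                }},
            },
        },
    }
})

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(.*?)\s*$")
_URL = re.compile(r"""https?://([^/\s"']+)""")


def parse_requirements(text):
    """Return {name: version_spec} from a requirements.txt, ignoring comments."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_LINE.match(line)
        if m:
            deps[m.group(1).lower()] = m.group(2) or "*"
    return deps


def parse_package_json(text):
    """Return {name: version_spec} from package.json, runtime deps only.

    Dev dependencies never ship in the deployed bundle, so they are left out
    of the production inventory."""
    data = json.loads(text)
    return dict(data.get("dependencies", {}))


def parse_template(text):
    """Extract managed service types, Lambda layers and external hosts
    referenced by environment variables from a JSON CloudFormation template."""
    data = json.loads(text)
    services, layers, hosts = set(), set(), set()
    for res in data.get("Resources", {}).values():
        services.add(res.get("Type", "unknown"))
        props = res.get("Properties", {})
        layers.update(props.get("Layers", []))
        env = props.get("Environment", {}).get("Variables", {})
        for value in env.values():
            if isinstance(value, str):
                hosts.update(_URL.findall(value))
    return services, layers, hosts


def build_inventory(requirements_txt, package_json, template_json):
    """Merge every source into one inventory keyed by dependency category."""
    inv = defaultdict(dict)
    inv["python_library"].update(parse_requirements(requirements_txt))
    inv["node_library"].update(parse_package_json(package_json))
    services, layers, hosts = parse_template(template_json)
    inv["managed_service"] = {s: "" for s in sorted(services)}
    inv["lambda_layer"] = {l: "" for l in sorted(layers)}
    inv["external_host"] = {h: "" for h in sorted(hosts)}
    return dict(inv)


def to_csv_rows(inventory):
    """Flatten to (category, name, version) rows for the initial spreadsheet."""
    return [(cat, name, ver) for cat, items in inventory.items()
            for name, ver in items.items()]


if __name__ == "__main__":
    for row in to_csv_rows(build_inventory(REQUIREMENTS_TXT, PACKAGE_JSON, TEMPLATE_JSON)):
        print(",".join(row))
```

Running the script prints one CSV row per dependency. Real templates are usually YAML and reference layers and hosts indirectly (parameters, `!Ref`, SSM lookups), so a production version would resolve those before extracting; the structure of the inventory stays the same.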
- technical engineers actually writing the code of the product
- team members who wrote the shims / interfaces between product and these serverless environments
- hosting providers (Amazon in many cases) and their services to unearth data necessary for performance improvement, forensics, and analytics
How have you changed your risk management analysis with serverless architecture?
What new goals have been set with regard to these new digital solutions?
What is the tolerance level for impact to your customer’s experience with regard to quality and faults?
How are you using patterns and anti-patterns to discover faults in the transaction and performance of these REST end-points?
Just a few questions to consider…
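The last question, on using patterns and anti-patterns to find faults in the transactions and performance of REST endpoints, lends itself to a small detection pass over the API Gateway access log. The following is an added example, not code from the original post, and it assumes an HTTP API access log written as one JSON object per line with the `$context` fields shown in the constructed sample (requestId, routeKey, status, integrationLatency, responseLatency); the 5% error-rate and 2-second p95 thresholds are illustrative assumptions, and the malformed trailing line is included deliberately so the parser shows how it copes with it.

```python
"""Scan API Gateway access logs for fault and performance anti-patterns.

Added example, not from the original post. It assumes an HTTP API access log
written as one JSON object per line with the $context fields shown in the
constructed sample below; the thresholds are illustrative assumptions."""
import json
import math
from collections import defaultdict

# Constructed sample lines (not real traffic); latencies are in milliseconds.
# "-" is what API Gateway emits when there was no integration call to time.
SAMPLE_LOG = """\
{"requestId":"r1","routeKey":"GET /orders","status":"200","integrationLatency":"40","responseLatency":"45"}
{"requestId":"r2","routeKey":"GET /orders","status":"200","integrationLatency":"38","responseLatency":"42"}
{"requestId":"r3","routeKey":"GET /orders","status":"200","integrationLatency":"41","responseLatency":"46"}
{"requestId":"r4","routeKey":"GET /orders","status":"200","integrationLatency":"39","responseLatency":"44"}
{"requestId":"r5","routeKey":"POST /orders","status":"504","integrationLatency":"30000","responseLatency":"30004"}
{"requestId":"r6","routeKey":"POST /orders","status":"502","integrationLatency":"120","responseLatency":"125"}
{"requestId":"r7","routeKey":"POST /orders","status":"201","integrationLatency":"210","responseLatency":"215"}
{"requestId":"r8","routeKey":"POST /orders","status":"201","integrationLatency":"4300","responseLatency":"4310"}
{"requestId":"r9","routeKey":"GET /health","status":"200","integrationLatency":"-","responseLatency":"3"}
not a json line
"""

ERROR_RATE_LIMIT = 0.05      # flag a route when more than 5% of calls are 5xx (assumed SLO)
P95_LATENCY_LIMIT_MS = 2000  # flag a route whose p95 exceeds 2 s (assumed SLO)


def parse_log(text):
    """Yield parsed records, skipping blank and non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def percentile(values, pct):
    """Nearest-rank percentile; returns 0 for an empty list."""
    if not values:
        return 0
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize_routes(records):
    """Aggregate call count, 5xx count, timeouts and latencies per routeKey."""
    routes = defaultdict(lambda: {"calls": 0, "errors_5xx": 0, "timeouts": 0, "latencies": []})
    for rec in records:
        r = routes[rec.get("routeKey", "unknown")]
        r["calls"] += 1
        status = int(rec.get("status", 0))
        if status >= 500:
            r["errors_5xx"] += 1
        if status == 504:            # gateway timeout: the integration never answered in time
            r["timeouts"] += 1
        lat = rec.get("responseLatency", "-")
        if lat != "-":
            r["latencies"].append(int(lat))
    return routes


def find_anti_patterns(text):
    """Return {routeKey: [finding, ...]} for every route that breaches a threshold."""
    findings = {}
    for route, r in summarize_routes(parse_log(text)).items():
        issues = []
        rate = r["errors_5xx"] / r["calls"]
        if rate > ERROR_RATE_LIMIT:
            issues.append(f"5xx rate {rate:.0%} over {r['calls']} calls")
        p95 = percentile(r["latencies"], 95)
        if p95 > P95_LATENCY_LIMIT_MS:
            issues.append(f"p95 latency {p95} ms")
        if r["timeouts"]:
            issues.append(f"{r['timeouts']} integration timeout(s) (504)")
        if issues:
            findings[route] = issues
    return findings


if __name__ == "__main__":
    for route, issues in find_anti_patterns(SAMPLE_LOG).items():
        print(route, "->", "; ".join(issues))
```

On the sample, only `POST /orders` is reported: half its calls failed, one was a 504 timeout, and its p95 latency is dominated by that timeout. The same grouping works per window (by `requestTime`) to turn a one-off scan into a recurring check, and the thresholds should be set from the customer-impact tolerance the earlier question asks about rather than picked arbitrarily.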