Wow, we’re already at the sixth installment of the “Securing Serverless” blog series. Here’s a quick recap of previous episodes:
- Episode 0x0 — An overview of the unique security requirements serverless applications pose, and a thorough explanation of why WAFs are not the right solution
- Episode 0x02 — An overview of how SAST solutions work, and why current solutions present accuracy challenges when scanning true serverless applications
- Episode 0x03 — An overview of Runtime Application Self-Protection (RASP) solutions, and why these solutions are currently irrelevant and unsuitable for serverless architectures
- Episode 0x04 — The six most common CISO reactions to the words “Serverless Security”
- Episode 0x05 — How API calls from serverless functions introduce untrusted data, and why you should use behavioral protection for your serverless applications
Today’s episode deals with proactive security. But before we move to the entrée, let’s talk about the starter dish — cheese.
If you have ever taken part in a discussion about cyber security, I’m pretty sure you’ve heard folks mention concepts such as “defense in depth” or the “onion layers” approach: the more layers of security you add, the more you reduce the risk of getting breached.
I’m a strong believer in this approach. However, I prefer to use a slightly less known model called “The Swiss Cheese Model”. Quoting Wikipedia, the model likens human systems to multiple slices of Swiss cheese, stacked side by side, in which the risk of a threat becoming a reality is mitigated by the differing layers and types of defenses which are “layered” behind each other. Therefore, in theory, lapses and weaknesses in one defense do not allow a risk to materialize, since other defenses also exist, to prevent a single point of failure.
When talking about serverless applications and the Swiss cheese model, you should think of each function, and each cloud service your serverless app consumes, as a slice of Swiss cheese. Some slices will have holes (weaknesses); that’s unavoidable. Your responsibility, however, is to keep adding (security) layers, so that the chance of the holes lining up and allowing a successful breach is reduced to a minimum.
From Traditional to Cloud-Native
But why am I telling you all of this? Because while some traditional security solutions are unsuitable for serverless architectures (WAFs, DAST, RASP), other categories of solutions do provide benefit, and should be considered as additional security layers. As an example, scanning your source code for vulnerabilities is always a good practice (although such scanners have drawbacks, which we discussed in Episode 0x02). Another example of potentially useful solutions is cloud security monitoring tools. In fact, we listed “Inadequate Function Monitoring and Logging” in the Serverless Top 10 Most Common Weaknesses guide, since proper logging and monitoring of serverless applications does require special attention.
Cloud Security Monitoring
At a high level, cloud security monitoring solutions enable you to identify potential problems in cloud infrastructure and cloud configurations. Such solutions scan your cloud account and provide insights into your cloud security posture. Some solutions also use log analysis in order to detect issues or security-related events in your cloud environments. The main goal of cloud security monitoring is to ensure that configurations are in line with security best practices as well as with the organization’s specific compliance requirements.
It should be noted that the critical information these tools provide will sometimes reach you only after the fact, when it is too late to prevent the damage; as such, they are not a replacement for active application layer protection.
Having said that, there are two important questions that you need to ask yourself regarding such solutions:
- Will your cloud security monitoring solution provide real value for securing your serverless applications?
- Will your cloud security monitoring solution provide real protection and coverage against the types of weaknesses described in the Serverless Security Top 10 guide?
I will go out on a limb here, and say that cloud security monitoring is definitely useful. You should be monitoring your cloud infrastructure, and you should definitely make sure that you are aware of any potential risks or hazards that exist in your account. However, keep in mind that when it comes to serverless applications, your cloud security monitoring solution will need to support the unique nature of serverless architectures. Such a solution will have to provide you with a complete inventory of your serverless functions and the cloud services they interact with. It will also need to point out over-permissive roles and security policies which require tightening. And it will have to provide you with real-time, function-level security monitoring and insights. So, when you evaluate cloud security monitoring solutions, make sure you verify their adequacy for serverless architectures.
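To make the “over-permissive roles” requirement concrete, here is an added example (not PureSec’s code) that walks a constructed inventory of serverless functions and flags execution-role policies that grant wildcard actions or resources. The inventory is embedded inline as sample data; in practice such a tool would pull it from the cloud provider’s APIs, which is an assumption of this example.

```python
# Added example (not PureSec's code): flag wildcard grants in the execution
# roles of a serverless function inventory. The inventory is constructed
# inline; in practice it would be pulled from the cloud provider's APIs.

# Constructed sample: function name -> (execution role, policy document)
INVENTORY = {
    "orders-api": ("role-orders", {"Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}),
    "thumbnailer": ("role-thumb", {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-thumbnails/*"}]}),
    "admin-cron": ("role-admin", {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
}


def _as_list(value):
    # IAM policy documents allow a single string or a list for
    # Statement, Action and Resource; normalise to a list.
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return findings for one policy document; an empty list means no wildcard grants."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen permissions
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild_actions:
            findings.append("wildcard action(s): " + ", ".join(wild_actions))
        if "*" in resources:
            findings.append("wildcard resource: *")
    return findings


def audit_inventory(inventory):
    """Map each function to (role, findings) so over-permissive roles stand out."""
    return {name: (role, policy_findings(doc))
            for name, (role, doc) in inventory.items()}


if __name__ == "__main__":
    for fn, (role, findings) in audit_inventory(INVENTORY).items():
        print(f"{fn:12} {role:12} {'; '.join(findings) or 'OK'}")
```

Only the thumbnailer, whose role is scoped to two actions on one bucket prefix, comes back clean; the other two roles are the kind a serverless-aware monitoring tool should surface for tightening.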
From Monitoring to Protection
But what about proactive protection against application layer attacks? Would you ever deploy a server on the internet without placing it behind a firewall? Would you ever deploy a critical web application without protecting it with a Web Application Firewall? Are you willing to settle for log analysis or a SIEM to actively defend against attacks? The answer is obviously No.
While cloud log analysis or cloud infrastructure hardening will go a long way in helping you to reduce risk, they will certainly not provide the necessary active defense against serverless application layer attacks.
When you come to prioritize your serverless security needs, you should first consider a proactive solution, one which provides the best coverage against the Serverless Security Top 10 most common weaknesses. A solution that is able to deter any kind of application layer attack in real time, that provides real-time insights as to who is attacking you, where they are attacking you, and how they are attacking you, and, most importantly, allows you to take action against such attacks. You can’t just stand there and look at your cloud security posture; you have to actually do something about it, proactively.
PureSec recently launched the beta of the PureSec serverless security runtime environment (SSRE) for AWS Lambda. Our product beta features a fully functional SSRE, making it the only solution to date that enables organizations to protect their serverless applications from application layer attacks in real time, with the highest accuracy.
Originally published at www.puresec.io.