
Using serverless securely and at scale with Intrinsic

Box Developers
Jun 12, 2018 · 3 min read

Box Skills is designed with a serverless architecture for hosting and executing skill functions. Skills are small functions that run based on activity in Box, like a file being uploaded to a folder. Whenever a file is uploaded to a folder that is enabled with a Box Skill, Box fires an event payload to a function deployed to a serverless platform. The function handles the incoming event payload from Box, retrieves the file, processes the file using a third-party machine learning service, and then writes the output of the processing back to the file object in Box.

Serverless computing is a relatively new technology and is ideal for our skill functions. Serverless splits a traditional server into several parts and balances all the compute processing between the client and various API endpoints. Serverless functions, deployed using frameworks like AWS Lambda, Azure Functions, Google Cloud Functions, IBM Cloud Functions, and many others, are event-driven, meaning that they only execute when invoked by an external service. In the case of a Box Skill, the event payload sent from Box can trigger the function to run whenever the trigger event occurs in Box.

Serverless computing also offers many other benefits, including auto-scaling, per-request billing, and function isolation, but it also presents a fair amount of security and operational challenges. In particular, most traditional security tools are no longer compatible with serverless infrastructures because there is no more operational control of servers (i.e., no root access). Furthermore, these security tools lack the application context needed to prevent runtime-level attacks in a serverless function.

As we started working on the Box Skills framework and writing our skill functions, it quickly became obvious that we needed a new approach to securing our code. Traditional security technologies couldn’t meet our requirements and open source code libraries presented too much risk given Box’s focus on the enterprise. That’s where Intrinsic came in.


Intrinsic has built a cutting-edge language runtime security technology that leapfrogs this issue, all while providing stronger security than traditional security solutions. It solves this problem because it is embedded within the code itself. Unlike most security solutions, which try to prevent runtime-level attacks using pattern matching or heuristics, Intrinsic forces our serverless functions to behave exactly as expected.

In summary, we chose Intrinsic to secure our serverless infrastructure for Box Skills because of the following benefits:

Intrinsic safely isolates every interaction of a serverless function and its third-party dependencies from our sensitive resources via the enforcement of fine-grained security policies defined directly in the language runtime. By using Intrinsic, we’re able to secure our serverless functions in a way that traditional security tools could not.

Typically, introducing a new security tool comes with a tradeoff in time and resources. Intrinsic is extremely developer-friendly and it enabled us to break that pattern and continue to build out the Box Skills framework at a fast pace while further strengthening our security.

Intrinsic is a simple library, which makes deployment and scaling effortless for our team. We were able to integrate Intrinsic with just a few lines of code. Additionally, it remains with your code, no matter which serverless platform you use.

We’re really excited to be working with the team at Intrinsic to secure our Node.js Lambda functions. If you’re interested in learning more about Intrinsic and how you can leverage it within your company, you can visit them at
