Using serverless securely and at scale with Intrinsic

Box Skills is designed with a serverless architecture for hosting and executing skill functions. Skills are small functions that run based of activity in Box, like a file being uploaded to a folder. Whenever a file is uploaded to a folder that is enabled with a Box Skill, Box fires an event payload to a function deployed to a serverless platform. The function handles the incoming event payload from Box, retrieves the file, processes the file using a third-party machine learning service, and then writes the output of the processing back to the file object in Box.

Serverless computing is a relatively new technology and is ideal for our skill functions. Serverless splits a traditional server into several parts and balances all the compute processing between the client and various API endpoints. Serverless functions, deployed using frameworks like AWS Lambda, Azure Functions, Google Cloud Functions, IBM Cloud Functions, and many others, are event-driven, meaning that they only execute when invoked by an external service. In the case of a Box Skill, the event payload sent from Box can trigger the function to run whenever the trigger event occurs in Box.

Serverless computing also offers many other benefits including auto-scaling, per-request billing, and function isolation but they also present a fair amount of security and operational challenges. In particular, most traditional security tools are no longer compatible with serverless infrastructures because there is no more operational control of servers (i.e., no root access). Furthermore, these security tools lack the application context needed to prevent runtime-level attacks in a serverless function.

As we started working on the Box Skills framework and writing our skill functions, it quickly became obvious that we needed a new approach to securing our code. Traditional security technologies couldn’t meet our requirements and open source code libraries presented too much risk given Box’s focus on the enterprise. That’s where Intrinsic came in.

Intrinsic has built a cutting-edge language runtime security technology that leapfrogs this issue, all while providing superior security than traditional security solutions. It solves this problem as it’s embedded within the code itself. Unlike most security solutions which try to prevent runtime-level attacks using pattern matching or heuristics, Intrinsic enforces our serverless functions to behave exactly as expected.

In summary, we chose Intrinsic to secure our serverless infrastructure for Box Skills because of the following benefits:

Enterprise-grade security

Intrinsic safely isolates every interaction of a serverless function and its third-party dependencies from our sensitive resources via the enforcement of fine-grained security policies defined directly in the language runtime. By using Intrinsic, we’re able to secure our serverless functions in a way that traditional security tools could not.

Productivity increase: developer & security teams working better together

Typically, introducing a new security tool comes with a tradeoff in time and resources. Intrinsic is extremely developer-friendly and it enabled us to break that pattern and continue to build out the Box Skills framework at a fast pace while further strengthening our security.

Ease of deployment and portability

Intrinsic is a simple library, which makes deployment and scaling effortless for our team. We were able to integrate Intrinsic with just a few lines of code. Additionally, it remains with your code, no matter which serverless platform you use.

We’re really excited to be working with the team at Intrinsic to secure our Node.js Lambda functions. If you’re interested in learning more about Intrinsic and how you can leverage it within your company, you can visit them at