Serverless Security

Rohit Gupta
Rohit's Perspectives
5 min readAug 20, 2018
AWS Lambda, Google Cloud Functions, and Azure Functions have made serverless computing widely accessible

In the last 20 years, we’ve witnessed an unprecedented wave of technological abstraction: virtual machines that allowed for multiple, isolated images to run on a single piece of hardware, containers which are a form of operating system virtualization, and most recently serverless computing. Serverless security, although a nascent field, will become increasingly important as enterprises adopt serverless computing due to its many benefits.

What is Serverless Computing?

The phrase “serverless computing” seems paradoxical — how can developers build applications without servers? Similar to how Chinese checkers is neither from China nor a form of checkers, serverless computing is also a misnomer. In fact, serverless applications still require physical or virtual servers running somewhere, but serverless computing differs from traditional approaches in that the organization developing the application is not responsible for those resources. In a traditional Infrastructure-as-a-Service (IaaS) environment, developers need to provision and maintain virtual machines (VMs), storage, security, and all the other management tools that are needed. Developers then load applications onto VMs, and utilize load balancers to allocate traffic efficiently and scale them. At regular intervals, developers need to optimize instance sizes and shut down VMs that aren’t in use. These headaches are all eliminated by a serverless computing model, where code is written in functions that are triggered by events. There’s no need for load balancing, capacity planning or resource management — from the standpoint of a developer, there are just tasks being executed.

Source: PureSec

Serverless computing is a cloud-computing execution model in which the cloud provider provisions, maintains and allocates servers, and pricing is based on the number of times that functions are executed, not capacity. For this reason, some believe that Functions-as-a-Service (FaaS) is a better term. Applications can be created to be entirely serverless, and are run in stateless compute containers that are transient, event-triggered, and managed by a third party. Despite this confusion, the term “serverless” has been widely adopted since 2016, and since then has given rise to the Serverless Conference series, and the “Big Three” cloud vendors — Amazon, Google, and Microsoft — have all released serverless offerings.

What are the Benefits of Serverless?

Serverless computing is growing increasingly popular for three main reasons:

  1. No administration - Organizations do not need to provision, allocate, or maintain infrastructure resources, and can focus on core, value-added tasks.
  2. Lower costs - Instead of paying on a capacity-basis, which is woefully inefficient from a resource utilization standpoint, organizations can simply pay for what they use. There are no VMs sitting idly by for hours on end; event-driven code is executed when triggered to do so. FireEye reported saving 80% on its monthly AWS bill by using Lambda instead of EC2 instances.
  3. Auto-scaling - Horizontal scaling is completely automatic, elastic, and managed by the provider.

These benefits are why 46% of surveyed companies use serverless computing according to the Cloud Foundry 2018 report, and why serverless computing has grown by 75% in the past year according to the RightScale 2018 State of the Cloud report.

What are the Drawbacks of Serverless?

No new technology or process is perfect, and serverless is no exception. The main drawbacks of serverless computing include:

  1. Vendor lock-in - The majority of serverless solutions rely on the rest of a vendor’s cloud services: events, data storage and many other things (as well as other third party solutions). To avoid this, some organizations are using the Serverless Framework, which assembles applications into a single package that can be deployed across various cloud providers.
  2. Testing and debugging challenges - Serverless involves integrating disparate, distributed services that must be tested independently and together. Integration testing is uniquely difficult as the units of integration with this architecture are considerably smaller than that of other architectures. Moreover, serverless architectures can feature event-driven, asynchronous workflows, which are hard to emulate entirely. Digital Ocean’s report on developer trends in the cloud identifies monitoring and debugging as one of the biggest challenges developers report when it comes to serverless computing.
  3. Architectural complexity - Organizations need to make key decisions around how small the function should be, how many functions an application calls, and more. Organizations often face challenges maintaining large volumes of functions.
  4. Security - Serverless architectures pose unique security challenges, which need to be addressed.

These challenges contribute to serverless computing’s relatively low overall adoption, which is further illustrated below in Digital Ocean’s survey of over 4800 IT professionals.

Source: Digital Ocean (June 2018)

Serverless Security Challenges

Designing a security solution for serverless architectures and applications is very difficult for a few key reasons:

  • The attack surface is expanded: Serverless functions ingest data from various sources including HTTP APIs, cloud storage, IoT device communications and more. Further, some message structures cannot be inspected by standard web application firewall (WAF) capabilities.
  • Scanning tools are ineffective: Scanning tools are not adapted to serverless applications, especially when serverless applications use non-HTTP interfaces to consume input.
  • Traditional solutions don’t work: Organizations can’t use endpoint protection or host-based IPS because they don’t have access to the virtual servers or their operating systems.
  • Unique capabilities are required: Cloud API call inspection is required, which is not traditionally part of WAF or other IPS solutions. Furthermore, serverless functions are triggered by a wide range of cloud-native event types, each of which has its own message format and encoding schemes. Traditional application security solutions are incapable of inspecting cloud-native event triggers either because they cannot be deployed in-line between the service that generates the event and an organization’s functions, or they cannot parse, analyze or understand cloud-native events.

Promising Startup

PureSec

  • Founded in 2016 and has raised $3M to date, located in Israel
  • PureSec was founded by Shaked Zin (CEO), graduate of IDF’s (Israeli Defense Forces) elite Havatzalot program, and Ory Segal (CTO), former Senior Director of Threat Research at Akamai
  • PureSec offers a serverless security platform that offers end-to-end application security for serverless. It conducts vulnerability assessments using static analysis algorithms, secures the perimeter with a serverless application firewall, and employs proprietary machine learning algorithms to understand and identify anomalies in function behavior
  • PureSec supports AWS Lambda, Google Cloud Functions, Azure Functions and IBM Cloud Functions
  • Unique deployment — PureSec’s solution is also 100% serverless
  • Great marketing with Function Shield — 100% free security library that helps developers disable outbound connectivity if not required, read/write on temp directory if not required, and disable child process execution if not required by the function
  • Integrates with popular frameworks and tools like AWS CloudFormation, Splunk, Gitlab, Apex, and Jenkins

--

--