Serverless architecture is becoming popular with many organizations. According to CB Insights, serverless computing was already the fastest-growing cloud services segment back in 2018. It is set to grow even bigger with the acceleration of digital transformation and the online migration of most businesses.
Adopting a serverless architecture brings the benefits of an automated system with virtually infinite scalability. Very few limitations stand between developers and their code. Also, the cost of application operation resources is based on what is consumed rather than a flat rate, which tends to be very inefficient for most companies.
The move towards serverless, however, is posing new challenges, especially on the security front. Notably, serverless architectures are known for their lack of security visibility. This is mainly due to the lack of a public-facing endpoint or URL for functions, referred to as “no-edge blindness.”
The concept of serverless results in the abstraction of the infrastructure, wherein conventional application security solutions are unable to draw context from the network and virtual machines. They cannot obtain the information that allows them to perform their functions accurately. Hence, application security testing results are bound to have significantly reduced precision, or to be ineffective altogether.
The need for special security protection
To make sure that serverless does not become a bane for the organizations that adopt it, it is crucial to implement the appropriate cybersecurity tools and mechanisms. Having the right serverless security protection means the ability to detect security blind spots on serverless functions and ensure full visibility as well as rapid mitigation.
Serverless security protection calls for a major change in the way organizations perceive app security. Instead of establishing perimeter defenses around apps with next-generation firewalls, for example, it is advisable to put up protections within the apps themselves, around the functions of the apps. By doing this, applications attain a security “hardening” with the added benefit of least-privilege access control, which makes sure that app functions are limited to what they are supposed to do in specific instances.
There are enhanced cybersecurity solutions that are specifically designed to handle the security needs of serverless setups. One of their highlight features is comprehensive visibility, which aims to address various security posture weaknesses such as unauthorized network activity, the logging of sensitive data, weak browser caching, exceptions that have been neglected and become potential exploit points, weak authentication, vulnerable dependencies, and poorly secured cookies and transport.
Special serverless security protection also creates defenses against various attacks such as path traversal, HTTP response splitting, malformed content types, and unvalidated redirects. Additionally, it is designed to work against injection threats including cross-site scripting, cross-site request forgery, SQL injection, OGNL injection, CSS and HTML injection, command injection, and JSON and XML injection.
The security visibility challenge
Security visibility under a serverless architecture is significantly more challenging. The reason for this is the exponential increase of security data generated because of the number of resources involved when using a serverless setup. The deluge of data makes it very difficult to make sense of all the security events and threat signals. The logs and alerts can reach millions in a day, making it difficult to extract the most important information under conventional methods.
The presence of more resources to deal with also means that there are more permissions to manage. Determining the appropriate permissions to give for various interactions involving numerous resources can be very difficult. As suggested earlier, it would require a specialized security solution that involves automation and artificial intelligence to make the security efficient and agile enough to respond to emerging threats.
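The least-privilege principle from the earlier section and the permissions-management problem above can be made concrete with a small policy check. The following is an added example, not code from the article or from any vendor product: the policy documents follow the AWS IAM JSON policy shape (Version / Statement / Effect / Action / Resource), but the bucket name, table name and account number are constructed placeholders, and the "before" and "after" policies are assumed for illustration. It flags any Allow statement that grants a wildcard action or applies to every resource, which is the kind of grant that lets a compromised function reach far beyond the two operations it actually needs.

```python
"""Flag over-broad grants in an IAM-style policy document.

Added example (not from the article): the policy shapes follow the AWS
IAM JSON policy format, but the ARNs, bucket and table names below are
constructed placeholders.
"""
import json
from typing import Any

# Constructed "before" policy: the kind of grant a function often ships
# with because it was convenient during development.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},
    ],
}

# Constructed "after" policy: the same function, limited to the two
# operations it actually performs on the two resources it actually touches.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-uploads-bucket/incoming/*",
        },
        {
            "Effect": "Allow",
            "Action": ["dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-orders",
        },
    ],
}


def _as_list(value: Any) -> list:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy: dict) -> list:
    """Return one finding per Allow statement that grants a wildcard.

    A statement is flagged when any Action is "*" or "service:*" (all
    operations of a service) or any Resource is "*" (every resource in the
    account). Deny statements are ignored: they narrow access, not widen it.
    """
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        broad_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        broad_resources = [r for r in resources if r == "*"]
        if broad_actions or broad_resources:
            findings.append({
                "statement": index,
                "broad_actions": broad_actions,
                "broad_resources": broad_resources,
            })
    return findings


def is_least_privilege(policy: dict) -> bool:
    """True when no Allow statement uses a wildcard action or resource."""
    return not find_broad_grants(policy)


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(find_broad_grants(policy), indent=2))
```

Run as-is, the broad policy produces two findings and the scoped one none. The check is deliberately narrow: it looks only at `Action` and `Resource` wildcards and does not evaluate `NotAction`, `Condition` blocks or resource-based policies, so treat it as a first gate in a deployment pipeline rather than a full policy analysis.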
Moreover, there are serious challenges when it comes to the observability of serverless applications. Serverless apps usually employ different services from multiple cloud providers across different regions and cloud versions. This situation complicates the understanding of attack surfaces and the detection of risks. It would be necessary to have a security system that is capable of comprehensively overseeing the entire serverless ecosystem, including the different clouds used. Building and maintaining a security-centered view of the serverless ecosystem can be very challenging as the app grows.
Observability is not just about getting a snapshot of an application's code or operation. It entails full end-to-end visibility. “Observability is a state achieved through instrumentation of the application so that developers have enough information to tackle the unknowns,” as serverless and chaos engineering expert Emrah Samdan explains.
“Observability is essential for building a maintainable system,” Samdan adds. With the visibility challenges posed by serverless, it is essential to use enhanced security solutions that can competently examine machine characteristics along with coherent stack traces that reveal control flow paths. Also, it is important to have a security system that works with the ephemeral nature of applications and the disparity of event-driven functions.
Choosing the right solutions
Organizations with experienced cybersecurity teams or IT departments may develop their bespoke strategies to keep up with the challenges of going serverless. However, for most organizations, it would be more efficient to rely on existing serverless security solutions.
It is advisable to use the solutions offered by established security providers. However, it is also essential to understand what to look for. In particular, the ability to achieve comprehensive security visibility should be carefully examined.
A good serverless defense system should have robust logging and visibility features, including the following:
- The ability to classify attacks by category, events, and severity
- Monitoring of network activities such as HTTP requests and responses, IP addresses, and host information
- Insights into app operation including filename, line number, user session, and code execution
- Tracking of operating system activities including process execution and file reads and writes
- Database monitoring, including query execution
- Support for multiple cloud platforms and runtimes
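The first item in that list, classifying events by category and severity, is also the practical answer to the volume problem described earlier: millions of raw events have to be reduced to a short summary plus the few entries worth reading. The following is an added example, not code from the article or from any security product: the log lines are constructed JSON records in a field layout I assume for illustration (`ts`, `function`, `category`, `event`, `severity`, `source_ip`), and the example includes a malformed line and an unknown severity value because real pipelines see both constantly.

```python
"""Triage structured security events emitted by serverless functions.

Added example, not from the article: the record layout and all sample
lines below are constructed for illustration.
"""
import json
from collections import Counter

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample lines: one malformed line and one unknown severity.
SAMPLE_LINES = [
    '{"ts":"2024-05-01T10:00:01Z","function":"orders-api","category":"injection","event":"sql_injection","severity":"critical","source_ip":"203.0.113.7"}',
    '{"ts":"2024-05-01T10:00:02Z","function":"orders-api","category":"network","event":"http_request","severity":"info","source_ip":"198.51.100.3"}',
    '{"ts":"2024-05-01T10:00:03Z","function":"image-resize","category":"filesystem","event":"file_write","severity":"low","source_ip":null}',
    'not json at all',
    '{"ts":"2024-05-01T10:00:04Z","function":"orders-api","category":"injection","event":"path_traversal","severity":"high","source_ip":"203.0.113.7"}',
    '{"ts":"2024-05-01T10:00:05Z","function":"auth","category":"auth","event":"weak_credentials","severity":"medium","source_ip":"192.0.2.9"}',
    '{"ts":"2024-05-01T10:00:06Z","function":"orders-api","category":"network","event":"http_request","severity":"info","source_ip":"198.51.100.3"}',
    '{"ts":"2024-05-01T10:00:07Z","function":"auth","category":"auth","event":"token_replay","severity":"bogus","source_ip":"192.0.2.9"}',
]


def parse_events(lines):
    """Parse JSON lines into dicts; drop lines that are not valid records."""
    events = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: triage must never crash on bad input
        if not isinstance(record, dict) or "category" not in record:
            continue
        # Unknown severities are normalised to "medium" so they are neither
        # silently dropped nor allowed to sort above genuine critical events.
        if record.get("severity") not in SEVERITY_RANK:
            record["severity"] = "medium"
        events.append(record)
    return events


def summarize(events):
    """Count events per (category, severity): the table an analyst scans first."""
    return Counter((e["category"], e["severity"]) for e in events)


def top_events(events, n=3, min_severity="high"):
    """Return up to n events at or above min_severity, most severe first,
    oldest first on ties so the start of an incident surfaces."""
    floor = SEVERITY_RANK[min_severity]
    eligible = [e for e in events if SEVERITY_RANK[e["severity"]] >= floor]
    eligible.sort(key=lambda e: (-SEVERITY_RANK[e["severity"]], e["ts"]))
    return eligible[:n]


def sources_per_function(events):
    """Map each function to the set of source IPs seen in its events,
    which makes a single client hitting several functions easy to spot."""
    seen = {}
    for e in events:
        if e.get("source_ip"):
            seen.setdefault(e["function"], set()).add(e["source_ip"])
    return seen


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LINES)
    for (category, severity), count in sorted(summarize(parsed).items()):
        print(f"{category:<12}{severity:<10}{count}")
    for e in top_events(parsed):
        print("ATTENTION:", e["function"], e["event"], e["severity"], e["source_ip"])
```

On the eight constructed lines this yields seven parsed events, five category/severity buckets, and two entries at high or above (the SQL injection and the path traversal, both from the same source against the same function). The choice to map unknown severities to "medium" rather than discard them is deliberate: a vendor adding a new severity label should degrade to a visible bucket, not to silence.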
Securing an increasing number of attack surfaces
Adopting the serverless architecture to build more fine-grained applications has many advantages, but it also greatly increases the attack surface. Previously, developers had to worry about a few possible entry points with numerous functions behind them. With serverless, it is the opposite: there are more entry points for a few functions or a single function. Apps are divided into small parts or microservices that need to be secured individually instead of having perimeter defenses around apps.
Conventional security solutions are certainly not going to suffice. It is reassuring to know, though, that there are many reliable third-party solutions that can be readily deployed to address serverless security challenges, especially for organizations with limited expertise and experience when it comes to serverless security.