There’s no doubt about it - serverless (Function as a Service) adoption is skyrocketing. The adoption of serverless architectures on major cloud platforms like AWS Lambda, Microsoft Azure Functions, Google Cloud Functions and IBM Cloud Functions is growing exponentially at an estimated annual rate of 700%!. The benefits of serverless architectures are clear - organizations can innovate quickly and reduce the costs involved in development and maintenance of applications. In addition, serverless applications can scale automatically, and most importantly - you don’t have to worry about the security of the underlying platform.
Having said that, you must keep in mind that you are still responsible for securing the application layer of your serverless applications, regardless if they are deployed on a 3rd party cloud - that includes the functions’ code, business logic and configurations.
So while serverless removes the burden of managing and maintaining the security of the underlying infrastructure, your developers and IT teams basically gave away the control over the security posture of the runtime environment in which the functions execute. Moreover, traditional application security solutions, which you probably have deployed in-front and around your web applications, are unsuitable for protecting serverless functions against attacks. You simply can’t deploy them (in the most physical sense - no infrastructure => no place to deploy your application layer protections).
When I meet with organizations that adopt serverless, I’m always amazed by the fast pace at which they develop and deploy new functions to the cloud, but at the same time, I’m baffled by the fact that many organizations don’t follow application security best practices when it comes to serverless. Some say they use robust authentication schemes, or keep an audit trail of cloud API calls - that’s terrific, but you wouldn’t consider a web application secure, if all you did was authenticate users and keep logs, right?
If you are a CISO or holding a similar technology business leadership position, the first thing you need to ask yourself is - do I know if my organization is deploying serverless functions to the cloud? It sounds like a simple question to answer, but in many cases, serverless functions are deployed by developers and they are not properly tracked ("cloud shadow-IT", a topic that deserves its own blog post).
For those of you who answered the above question with a “YES”, we collected 5 simple questions, which you should be prepared to answer when the time comes:
Question 1: Did the developers in your organization receive proper education on serverless application security best practices? Are they aware of the “Serverless architectures Security Top 10” guide?
While serverless security is still “application security”, there are nuances, serverless-specific guidelines and best practices that your developers must follow. Without proper education, it’s quite possible that critical issues are not getting proper consideration and attention.
Question 2: Are the developers in your organization scanning your serverless functions’ source code and configuration files for vulnerabilities and insecure IAM permissions?
The security posture of your serverless functions depends heavily on configuration and permissions. If not done properly, a simple application layer attack can lead to severe consequences such as sensitive data leakage. In addition, developers oftentimes rely on untrusted 3rd party libraries, which may introduce vulnerabilities. Assuming your development teams have a CI/CD process in place, you should make sure that functions are never deployed before being properly scanned and hardened.
Question 3: Is your organization using a serverless application security solution to prevent application layer attacks?
Just as you won’t deploy a web application to the cloud, without protecting it against application layer attacks - you shouldn’t deploy functions to the cloud without any protection. Serverless functions may experience cyber attacks - just like any application. However, since your developers and IT teams have no access or control over the infrastructure, they are incapable of deploying modern application layer protections such as web application firewalls (WAFs), EPP, IDP/IPS or RASP solutions. Your teams should already start evaluating serverless application security solutions.
Question 4: Do you have knowledge of all your organization’s serverless functions, where they are deployed, what’s their purpose, were they assigned a least-privileged IAM role that only allows them access to the resources they require?
Many organizations use public cloud infrastructure - some even have numerous cloud accounts, that are in use by different divisions. Each such account may have dozens or hundreds of deployed functions, scattered among different global regions. At any moment in time, you should have the knowledge and tools to help you gain visibility into your serverless inventory. After all, you can’t protect what you don’t know about.
Question 5: If someone attempted to attack your serverless applications, would you know about it? Are you monitoring functions for application security incidents?
In security, visibility is the name of the game. No visibility, doesn’t mean you are not getting targeted. Make sure that you have the right visibility into your serverless functions, and that you are collecting and analyzing application security events at all times.
Serverless doesn’t mean “careless” - when you deploy software to the cloud, you are still responsible for securing the application layer, even if someone else is responsible for the security of the underlying platform. Make sure your organization follows application security best practices as early as possible, don’t wait until it’s too late and you have hundreds of functions deployed - regain control over your serverless application security posture.
If you want to learn more about the top serverless risks and security best practices, we highly recommend reading the SERVERLESS ARCHITECTURES SECURITY TOP 10 guide.