Most enterprise-grade web applications today are deployed on serverless platforms. They allow developers to leverage the Function-as-a-Service (FaaS) model. In essence, serverless allows developers to package and deploy code without having to deal with the extensive server infrastructure.
Serverless technology is on the rise as it expedites development by outsourcing server infrastructure management to the Cloud Service Provider (CSP). The CSP, however, is only responsible for the security of the cloud and not for security in the cloud. Thus, it becomes essential to navigate the security challenges and address the risks and vulnerabilities unique to serverless architectures.
What Is Serverless Security?
Enterprises don't need to worry about infrastructure-related operations in serverless models. However, this model does not employ detection system software (IDS tools) or firewalls.
Security risks such as cross-site scripting, database injection, broken access control, insecure deserialization, or sensitive data exposure are traditionally resolved by installing and configuring firewalls, using IPS tools, or server-based protection methods. Serverless doesn't offer instrumentation agents or protection methods like key authentication or file transfer protocols. In fact, serverless security does not focus on network inspection but rather on code and behavioral protection and security protection on the client side.
To that end, serverless security has to add another layer of protection added directly to the application to secure the code functions. This helps developers improve the security posture while also driving compliance.
Common Security Challenges with Serverless
While serverless is gaining popularity, there are some common security challenges to navigate. These are:
- Increased surface attack area because serverless functions employ input data from a variety of event sources
- Insecure configurations in the settings and features offered by the cloud service provider, misconfigured timeout settings between the functions and the host, or using unprotected functions from public repositories such as GitHub or S3 buckets lead to security misconfigurations and expose serverless applications to attacks such as Denial-of-Service (DoS) attacks
- The use of microservices architecture in serverless applications can expose the moving parts of the independent functions to authentication failure. One function's authentication failure can impact the whole application and give attackers access to the system using automated brute force and dictionary attacks
- Independent functions are given services and responsibilities for particular tasks. The functions can become overprivileged with permissions or rights and can increase security vulnerability
Serverless Security – 7 Best Practices
- Map the App
Since serverless applications comprise hundreds of functions, a complete picture of the functions is crucial for robust security. Identifying the data involved in the app and its sensitivity levels, the value and impact of the data in case of an exfiltration during a breach, and identifying the services (APIs) that access the data are important consideration points.
Using WAF and API Gateways is acceptable as a broad security control. This is because WAF protection only protects functions that are triggered at the API Gateway and not when functions are triggered from different event sources, such as Notifications (IoT, SMS, and Emails), Cloud storage events, database changes, etc. Mapping the app and implementing security controls at the perimeter of the function or workload level becomes essential for security.
- Follow the Principle of Least Privilege
Excessive permissions are one of the most common misconfigurations. Instead of dedicating a single role for multiple functions, minimize privileges in independent functions and adopt a one-role-per-function practice.
Establishing 1:1 relationship with IAM roles and ensuring that the IAM policies employ the principle of least privilege boost security. This ensures that the functions only access the permissions available to them and nothing more.
- Employ API Gateways
Using API HTTPS endpoint gateways and separating data from its functions help prevent event-data injection in serverless applications. An API gateway acts as a security buffer for data fetched from various sources. It creates a separation between the serverless functions on the backend and app users on the client side.
API gateways provide extra security defenses and lower attack surface by providing several security checks using reverse proxies. Further, leveraging inbuilt security protocols such as data encryption ensures that the environment variables and stored and sensitive data are secure.
- Frequent Code Audits
Serverless offers infinite flexibility and agility to software development. However, infinite scaling and diverse triggers can also lead to tiny code errors, further leading to security vulnerabilities, especially when using third-party libraries. The vulnerabilities can evolve into denial-of-service attacks from within the application, and bugs can become major security liabilities.
Conducting frequent code audits, infusing risk-mitigating activities throughout the CI/CD pipeline, including compliance and governance, scanning for source code and dependencies for vulnerabilities, and checking for misconfigurations in code are important to boost serverless security. Automation of security checks becomes crucial here to ensure that the velocity of development is not compromised owing to a slow security check. It further ensures that attackers do not introduce malicious code in common projects.
- Ensure Airtight Access Control and Authentication
Broken authentication can leave serverless applications vulnerable to security attacks. Implementing multiple specialized access control and authentication services becomes essential to ensure that authentication protocols are rock solid and hard to penetrate.
While multi-factor authentication (MFA) is an obvious choice, employing the CSP's access control solutions such as Open ID connect, etc., along with enforcing customized password complexity requirements and policies, drive better security in serverless.
- Identify Attack Indicators
Visibility in serverless is harder since the information and resources increase here. As the functions increase in number, it gets harder to identify if everything is behaving as expected and as designed.
The number of events generated through a few functionalities is exponential. Given the number of events, it can become hard to identify the important ones. Even those familiar with serverless apps can find it hard to identify these events by scanning them manually. Advanced security tools thus become essential for greater visibility and added security.
- Reduce Third-Party Dependencies
Application dependencies, especially open-source and third-party dependencies, can make security vulnerable. Checking for and managing third-party dependencies manually is extremely challenging.
As such, checking source code reliability, ensuring that links they are referring to are secure, and checking that the components being used from open-source platforms are of the latest version become important to boost security in serverless.
Source Composition Analysis (SCA) tools also become valuable in identifying open-source vulnerabilities early in the development lifecycle. These can also help segment application into disparate services, apply the principle of least privilege and capably minimize the impact of vulnerable libraries.
The Bottom Line - Overcoming Serverless Security Challenges
Functions can be extremely short-lived and can get lost in the mix as the applications scale. It also becomes more complicated to monitor for insecure flows and malicious attempts as serverless adoption increases. Monitoring deployed functions as serverless scales thus becomes important and helps maintain the security posture.
Since serverless functions operate differently, adopting a holistic approach toward security is critical. Integrating security in the development phase guarantees authorization and proper performance while facilitating constant application review to unearth weaknesses.
Serverless brings immense velocity and agility; it has to be secured well to make sure the enterprise can reap its true benefits. While the aforementioned challenges might seem complex, they can be easily addressed by:
- Securing cloud-native workloads on serverless platforms
- Continuously securing them throughout CICD pipelines and when they're at runtime
- Abstracting the cloud agent models and baking security into the CICD pipelines and the software development lifecycle
Talk to our experts today to develop a granular understanding of serverless security best practices and drive utmost value out of your serverless initiatives.