Serverless Computing Security Considerations

One of the latest approaches to client server computing is going ‘serverless” – a move from ‘DevOps’ to ‘NoOps’. In serverless computing, the developers use code to simply create instances.  Serverless computing is a cloud computing execution model in which the cloud provider runs the server and dynamically manages the allocation of machine resources.

The advantages are obvious. With no hardware or operating system to manage, changes, updates, scaling, can all happen at breakneck speed. Maintenance and security from the OS back to the hardware is all a ‘no decision’ lack of friction approach enabling businesses to devote their resources to other needs.

Overview of benefits:

  • No more need to patch servers. The cloud provider does this, and does it better than most could.
  • Harder to attack. As execution runs in containers,  the persistent nature of attacks becomes less likely.
  • The compartmental nature of it allows you to ‘see’ each function as a stand-alone to focus and more easily spot rogue processes.
  • Better control of permissions. Each function can have it’s own security policy for better control of what process can and can’t do.

Challenges with serverless computing:

  • Muddling of the edge. Because of the nature of each function being its own thing, its harder to define the edge. In typical client server architecture, it looks like a house with doors and windows in. With serverless the entire surface of the application can be an entry point.
  • As with many things, the good can also be a challenge. Each function should have a separate profile and separate permissions. If this is not done methodically and documented well, sprawl can allow for a security breach.
  • Underlying vulnerabilities. While it is true that not having to be concerned with the OS and so forth, there are libraries or repositories that get pulled from Python or Java, which can bring in their own vulnerabilities.
  • Coding errors. Poorly written code could lead to a security breach. Container re-use is also if developers use a container as a template and the template is not hardened properly you will propagate your security issues.

Each of these challenges has answers and can be mitigated with the proper approach and knowledge of the potential issues followed by continued good process. The important part is knowing that serverless doesn’t mean “security less”.

Sign up for our Newsletter

Receive weekly emails for the latest cybersecurity news

Expand your team with Foresite

Enterprise-level cybersecurity and risk management for mid-sized businesses. Prioritize your security tasks and reduce the complexity of cybersecurity.