In the last 20 years, we’ve witnessed an unprecedented wave of technological abstraction: virtual machines that allowed multiple, isolated images to run on a single piece of hardware, containers that are a form of operating system virtualization, and most recently serverless computing. Despite being a nascent field, serverless security will become increasingly important as enterprises adopt serverless computing due to its many benefits.
What is Serverless Security?
Serverless security requires a paradigm shift in how organizations view application security. Instead of building security around the application itself using Next Generation Firewalls, organizations must additionally build security around the functions within the applications hosted by third-party cloud providers. This additional layer of security ensures proper application hardening and least privilege access control so each function does no more and no less than what it is designed to do – helping organizations to improve their security posture and maintain compliance.
What are the benefits?
While serverless may seem like a new security challenge, it provides more security benefits than traditional infrastructure orchestration.
Operating system, Runtime Security, and patching handled by Cloud Provider
Stateless nature gives hackers a hard time. Serverless functions run for a few seconds and then die. Serverless functions have no memory, reducing the risk of long-term attacks.
Smaller Microservices enable one to do better IAM. One has the opportunity to implement security policies for small things, and this can result in reduced attack surface.
Serverless Security Risks
Increased Attack Surfaces
Serverless functions consume input data from a variety of event sources, including HTTP APIs, cloud storage, IoT device connections, and queues. This significantly increases the attack surface, since some of these parts may contain untrusted message formats which may not be properly reviewed by the standard application layer protection. The connection links used to fetch input data (such as protocols, vectors, and functions) could be used as points of attack if their independent vulnerabilities are exposed.
Serverless applications are prone to cyber attacks due to insecure configurations in the settings and features offered by the cloud service provider. For instance, Denial-of-Service (DoS) attacks often occur in serverless applications due to misconfigured timeout settings between the functions and the host, where the low concurrent limits are used as points of attack against the application. Attackers can also exploit the function links by interjecting the function calls where they elongate the function events to execute longer than expected, allowing Denial-of-Wallet (DoW) attacks and increasing the cost of the serverless function. Using unprotected functions from public repositories (like GitHub and S3 buckets) also causes DoW attacks due to the leakage of sensitive data. This is because attackers take advantage of the exposed functions with unprotected secrets and keys that are hardcoded in the code.
Serverless applications are stateless, and the use of microservices in their architecture exposes the moving parts of the independent functions to authentication failure. For instance, if just one function’s authentication is mishandled in an application with hundreds of serverless functions, it will impact the rest of the application. Attackers could focus on one function to get access to the system through different methods, such as dictionary attacks and automated brute force.
The Threat of Over-Privileged Functions
The serverless ecosystem relies on many independent functions, and each function has its roles and permissions. The massive interaction between functions might sometimes cause functions to be over-privileged in their rights. For instance, a function that constantly accesses the database and updates other functions could be a huge risk because of its visibility to actors.
The Challenges of Serverless Security
Designing a security solution for serverless architectures and applications is very difficult for a few key reasons:
- The attack surface is expanded: Serverless functions ingest data from various sources including HTTP APIs, cloud storage, IoT device communications, and more. Further, some message structures cannot be inspected by standard web application firewall (WAF) capabilities.
- Scanning tools are ineffective: Scanning tools are not adapted to serverless applications, especially when serverless applications use non-HTTP interfaces to consume input.
- Traditional solutions don’t work: Organizations can’t use endpoint protection or host-based IPS because they don’t have access to the virtual servers or their operating systems.
- Unique capabilities are required: Cloud API call inspection is required, which is not traditionally part of WAF or other IPS solutions. Furthermore, serverless functions are triggered by a wide range of cloud-native event types, each of which has its message format and encoding schemes. Traditional application security solutions are incapable of inspecting cloud-native event triggers either because they cannot be deployed inline between the service that generates the event and an organization’s functions, or they cannot parse, analyze or understand cloud-native events.
Serverless functions pose some unique challenges to security. Monitoring and visibility are important, but often neglected, aspects of this. Developers and security teams who implement robust monitoring and alerting mechanisms can greatly improve their serverless security posture, and in so doing, can help their organizations reap the increased velocity benefits of serverless computing.