Organizations are increasingly embracing serverless computing for its convenience and cost-effectiveness. But many IT teams are blindly embracing this innovation in cloud technology without consulting their security peers. As a result, we can expect to see a growing number of cyber-attacks in this space in the new year, with criminals exploiting a lack of adequate protection to target serverless computing environments.
Serverless computing is a relatively new innovation in cloud computing that allows organizations to manage – and pay for – only the compute resources and storage needed to execute a particular piece of code. Its name is somewhat misleading, though; servers are still involved but their maintenance and provisioning are managed by the provider, freeing up developers to focus entirely on their work.
In addition to database and storage services, many serverless providers offer Function-as-a-Service (FaaS) platforms, such as AWS Lambda, Google Cloud Functions, and Microsoft Azure Functions. Typically metered on an on-demand basis, a FaaS platform allows developers to build applications composed of a number of functions running on the provider's serverless architecture.
The various business benefits of serverless computing mean its adoption is growing fast. In 2018, Gartner suggested the number of global enterprises deploying serverless technology would leap from five to twenty percent within two years. And it’s not hard to see why.
With no infrastructure to manage, it’s cheaper and more scalable than the traditional cloud computing model. In addition, FaaS simplifies the development process, while the ability to add and modify code as and when necessary can significantly shorten the time it takes to deploy applications.
Despite its obvious advantages, however, there are a number of concerns over its security.
Caution and visibility
Serverless architecture is very difficult for organizations to protect. Its distributed nature – essentially, the reason for its flexibility and scalability – means traditional protective products simply won’t work. Applications have moved from being functions sharing the same memory space to being loosely coupled and event-driven. Securing these functions should now be prioritized over securing applications. But, when you consider that organizations can have several hundred accounts across different providers and regions, and that each function is basically a perimeter that needs to be protected, it’s clear that a new approach is required.
There are visibility issues, too. With developers in the driver’s seat when it comes to serverless computing, it’s possible for applications to be pushed through to production in a short time without being noticed by security teams. This is especially worrying when you consider that, as serverless architecture leaves the application layer unprotected, threats to code such as cross-site scripting, SQL injection, and remote command execution remain as much a risk as they ever were. Without visibility for security teams into the production pipeline, applications created in a serverless environment will be especially vulnerable.
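To make the application-layer point concrete, here is an added example (not code from the original article) of an AWS Lambda-style Python handler that interpolates an API Gateway query-string parameter into SQL, beside a parameterized version of the same handler. The function names, the in-memory SQLite table and the sample events are constructed for illustration.

```python
import sqlite3

# Constructed sample data standing in for the function's backing store.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def _connect():
    """Build an in-memory SQLite database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def _name_from_event(event):
    """Pull the 'name' query-string parameter from an API Gateway style event."""
    params = event.get("queryStringParameters") or {}
    return params.get("name", "")


def vulnerable_handler(event, context=None):
    """Lambda-style handler that interpolates untrusted input into SQL.

    The function is stateless and reachable through an HTTP trigger, so this
    is exactly the injection flaw a traditional web application would have."""
    name = _name_from_event(event)
    conn = _connect()
    rows = conn.execute(
        f"SELECT name, email FROM users WHERE name = '{name}'"
    ).fetchall()
    return {"statusCode": 200, "body": [list(r) for r in rows]}


def hardened_handler(event, context=None):
    """Same handler using a parameterized query; the driver binds the value."""
    name = _name_from_event(event)
    conn = _connect()
    rows = conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()
    return {"statusCode": 200, "body": [list(r) for r in rows]}


if __name__ == "__main__":
    # Constructed events: a normal lookup and a classic tautology payload.
    hostile = {"queryStringParameters": {"name": "x' OR '1'='1"}}
    print(vulnerable_handler(hostile)["body"])  # every row is returned
    print(hardened_handler(hostile)["body"])    # no row matches the literal
```

A detection or code-review rule for the serverless pipeline can look for the first shape (string formatting into a query) in every function, in every region, before it reaches production.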
The storage and transportation of data in serverless computing can also be problematic, in terms of its security and regulatory compliance. Data held in – stateless – serverless functions will remain cached rather than stored in memory, so extra caution must be given when moving that data from serverless services to external locations in order to avoid leakages. If, as mentioned, applications are deployed unchecked for flaws and vulnerabilities, their compromise could result in a data breach, along with the disruption and financial and reputational damage that accompanies it.
Approach with eyes open
With developers under increasing pressure to deploy more applications, at an ever-faster rate, it’s little wonder that serverless computing is quickly becoming the leading infrastructure in the software architecture space. Indeed, the benefits – flexibility, scalability, speed, and cost-effectiveness – speak for themselves.
But organizations should approach it with eyes open. Code and functions can be vulnerable and open to exploitation, putting the integrity of an organization’s applications – not to mention its reputation – at risk of harm. Serverless architecture is very different from any environment most companies will have experienced before, and should be treated as such with regard to its protection. It’s essential that developers understand that security teams need visibility – over every function, in every region, and with every provider. Without this, serverless computing will quickly become a playground for cybercriminals.