What is Serverless Security? Architecture, Challenges, and Best Practices

Serverless computing allows developers to write and deploy code without needing to manage the underlying infrastructure. The cloud services provider (CSP) manages the underlying infrastructure and bills the customer on a pay-per-usage basis. Serverless computing is increasingly popular due to its ability to make full use of cloud flexibility and scalability. With as-needed access to cloud resources, serverless applications can scale with demand while minimizing cost.

However, the unique architecture and deployment environment of serverless applications introduce their own security risks, such as complex permissions management and limited visibility into ephemeral applications. In addition to traditional cloud security tools and controls, organizations also require serverless security tools and controls designed to address these unique needs.

What is Serverless Architecture?

In a serverless cloud architecture, the cloud provider offers a managed environment where cloud customers can deploy their code. 

Some of the advantages that it provides to businesses include:

  • Faster Development: With serverless architectures, the development team is only responsible for writing the application code. The responsibility for infrastructure configuration and management lies with the cloud provider, speeding time to market.
  • Scalability: Serverless architectures dynamically allocate resources to an application when they are necessary. This enables applications to scale rapidly to meet demand.
  • Cost Savings: Resource utilization in serverless environments is billed under a pay-per-usage model. Only paying for the resources that the business actually uses can create cost savings for the organization.
  • Improved Performance: Serverless applications are lightweight and don’t require the company to manage the underlying infrastructure.  This allows the organization to deploy them wherever they have customers, decreasing latency and improving performance.

Serverless architectures can be used for various purposes within the organization. A few common use cases include:

  • Web Applications and APIs: Serverless apps are frequently used to implement backend functionality for web applications. Serverless authentication, database management, and other server-side tasks can be easily scaled and managed if implemented as serverless functions.
  • Internet of Things (IoT) Management: IoT devices can send large volumes of data to backend infrastructure at unpredictable intervals. Serverless applications are well-suited to managing these tasks since resources can be allocated to address them as needed.
  • Event-Driven Systems: Some tasks are triggered by external events, such as the receipt of an email or a sales transaction. Serverless functions can handle these tasks without continually running a server process in case it is required.

Unique Security Challenges in Serverless Environments

Serverless cloud environments inherit many of the traditional security challenges of cloud computing. However, their unique architecture, deployment environment, and use cases introduce additional security risks, including:

  • Increased Attack Surface: Serverless applications commonly interact with a range of different systems, including APIs, cloud storage, IoT devices, and more. Each of these interfaces expands the digital attack surface and may introduce new vulnerabilities into the overall system.
  • Complex Permissions Management: Serverless architectures are composed of microservices that are connected together. This makes permissions management and access controls complex since a permission error in one component can affect every application that uses it.
  • Visibility Challenges: The many different microservices that make up a serverless architecture are only active when they are needed. The fragmented, interconnected nature of microservices architectures and use of ephemeral resources make it difficult to maintain full visibility into a serverless environment.
  • Shared Responsibility: While all cloud deployments need to cope with the shared responsibility model, serverless architectures take it to an extreme. While developers still write their own applications — unlike SaaS — they rely on the cloud provider to provision and manage all of the resources used by their application.

One security incident that demonstrates the complexity of serverless security involved the Strava fitness tracking app. The company released a global heatmap of users’ athletic activity — derived from aggregated data — that revealed sensitive information, such as military maneuvers and users’ home addresses. This incident demonstrated the complexity of managing and properly anonymizing sensitive information such as users’ GPS data.

Integrating Security into the Serverless Application Development Lifecycle

In a serverless architecture, an organization is primarily responsible for the security of the code that it develops. Some best practices for building security into the serverless software development lifecycle 

(SDLC) include the following:

  • Shift-Left Security: Shift-left security focuses on moving security earlier in the SDLC. Instead of only considering security during the Testing phase of the SDLC, shift-left encourages building security-focused requirements and working toward them through the entire SDLC. This reduces the cost and impact of vulnerabilities and the risk that they reach production code.
  • DevSecOps: DevSecOps is focused on integrating security into traditional DevOps workflows. This includes performing automated security testing as part of CI/CD pipelines so that vulnerable code isn’t accepted into code repositories.
  • Continuous Monitoring: Serverless applications differ significantly from traditional software, but they too are potentially vulnerable to attack. These applications should undergo continuous monitoring by tools capable of overcoming their unique security challenges.
  • Change Management: Serverless architectures can evolve rapidly, and changes can introduce new vulnerabilities. Having strict change management processes in place helps to prevent vulnerable code from being deployed without proper security testing.
  • Communication and Collaboration: Collaboration between the development, security, and operations teams helps to maximize the probability of success. Vulnerabilities found in production can be fed back to the development team, enabling them to avoid them in the future.

Tools and Platforms for Serverless Security

Serverless applications require security solutions geared toward their unique needs. There are both open-source — such as Kubeless — and vendor-specific solutions.

When evaluating serverless security tools and platforms, some things to look for include:

  • Vulnerability Scanning: Code vulnerabilities are a major serverless security threat, so tools should offer support for automated vulnerability scanning.
  • Identity and Access Management (IAM): Interactions between functions may result in unauthorized access without the ability to enforce least privilege access controls.
  • Logging and Monitoring: Serverless security tools should offer complete, integrated visibility into serverless function execution and events.
  • Compliance Support: Security tools should offer support for regulatory compliance reporting.

When selecting a serverless security tool, scope can be as important as the features that it provides. If your organization has serverless applications spread across multiple cloud platforms, selecting a tool that can manage and secure all of them will enhance security visibility and management.

Serverless Security in the Context of Cloud Security

Any organization with serverless functionality needs a holistic cloud security strategy, and this includes serverless security. In addition to managing the unique security risks of serverless technology, it’s also important to consider their role in the cloud architecture as a whole. 

Serverless security solutions should integrate with:

  • Identity and Access Management (IAM): Microservices architectures are all about interconnecting various pieces to build a complete application. Integrating IAM capabilities is essential to prevent unauthorized access to sensitive data or functionality.
  • Data Protection: Serverless functions can process sensitive information and store it in the cloud. Controls should be in place to protect this data based on its sensitivity and regulatory requirements.
  • Network Security: Serverless applications can communicate with other applications both inside and outside the corporate cloud. Network security solutions are essential to monitoring traffic for unauthorized access, misuse, and potential exploitation.
  • Multi-Cloud Security: Serverless functions enable communication and collaboration across multiple cloud environments. Multi-cloud security capabilities are essential to ensure consistent visibility and security across an organization’s entire environment.

Designing a Secure Serverless Architecture: Best Practices

Some best practices to build a secure and resilient serverless architecture include:

  • Secure Coding: Serverless development teams should follow security best practices and perform regular code reviews. This helps to prevent vulnerabilities from happening or to identify and correct them while the software is still in development.
  • Least Privilege Access: Permissions and access controls should implement the principle of least privilege, granting the minimum set of permissions that a serverless function needs to perform its role. This reduces the risk of unauthorized access and the damage that can be done using a compromised serverless application.
  • Secrets Management: Serverless functions need access to certain secrets — API keys, passwords, etc. — to access accounts and perform certain functions. Many cloud providers offer native secrets management solutions for their customers. For example, AWS has AWS Secrets Manager and Microsoft has Azure Key Vault. This serves as a better approach to securing secrets than hardcoding them into an application.
  • Monitoring, Logging, and Auditing: Visibility in serverless environments can be difficult due to the numerous ephemeral workloads. Implementing good logging and performing regular monitoring and auditing can help to identify potential issues before they become a problem.
  • Incident Response Planning: Serverless functions operate in a very different environment and fashion than traditional applications. Organizations should proactively plan how they will respond to any security incidents discovered in these environments.
  • Compliance and Governance Considerations: Serverless functions may have access to sensitive data and be in scope for regulatory compliance requirements and audits. Teams should identify applicable regulatory requirements and ensure that they are compliant.

Roles and Responsibilities for Serverless Security

Serverless security is cloud security, and the cloud shared responsibility model applies. Multiple stakeholders share responsibility for serverless security, including:

  • Developers: In a serverless environment, an organization is primarily responsible for the code that it deploys in the cloud. Developers should follow code security best practices and perform regular security tests to minimize the number of vulnerabilities that reach production code.
  • Cloud Provider: In a serverless architecture, the cloud provider is responsible for all of the resources that it makes available to customers’ applications. These resources should be implemented and managed in line with security best practices.
  • Operations: Operations personnel are responsible for the deployment and management of serverless functions in the cloud. While the cloud provider is responsible for much of the underlying infrastructure, the operations team needs to ensure that code is properly deployed and that configuration options are set correctly and securely.
  • Security Teams: Despite the development and operations teams’ best efforts, vulnerabilities may still exist in an organization’s production programs. The security team should perform regular vulnerability scans and penetration testing and should monitor for any attempted exploitation of an organization’s serverless functions.

While the various teams inside an organization each have their own security responsibilities, there is overlap and synergy between them as well. By fostering a culture of collaboration and shared responsibility, an organization can reduce its overall security risk exposure by having the various teams learn from one another.

At a higher level, the company as a whole also has responsibilities for managing its serverless security. One of these is ensuring that personnel have the needed serverless security knowledge and skills by offering training and skills development opportunities. Another is establishing clear policies, procedures, and governance frameworks to ensure that personnel know their responsibilities and how to perform tasks in compliance with corporate security policy.

Conclusion and Next Steps

Serverless applications have unique security risks and require targeted serverless security controls. These involve both security solutions geared toward monitoring and managing serverless applications and integration of serverless security with the organization’s existing cloud IAM, data protection, and network security controls.

Serverless architectures can be complex and difficult to monitor and secure, especially when they span multiple cloud platforms. Being proactive and taking an integrated multi-cloud approach to security — rather than implementing processes and controls for each cloud platform — is the most effective way to manage this security.

The first step in developing a serverless security strategy is setting security goals. Performing an audit and risk assessment of your organization’s existing serverless footprint and security strategy is a good way to identify any potential gaps that need addressing.

Cato SASE Cloud simplifies serverless security by offering converged network monitoring and access management across an organization’s multi-cloud environments. With SASE, companies can identify and block attempts to exploit vulnerable serverless applications and implement granular access management with zero-trust network access (ZTNA).