Serverless Security: Everything You Need to Know About It

Published on Jul. 11, 2019

In the last 20 years, we’ve witnessed an unprecedented wave of technological abstraction: virtual machines that allowed for multiple, isolated images to run on a single piece of hardware, containers which are a form of operating system virtualization, and most recently serverless computing. Serverless security, although a nascent field, will become increasingly important as enterprises adopt serverless computing due to its many benefits.

What is Serverless Computing?

The phrase “serverless computing” seems paradoxical — how can developers build applications without servers? 

Similar to how Chinese checkers is neither from China nor a form of checkers, serverless computing is also a misnomer. In fact, serverless applications still require physical or virtual servers running somewhere, but serverless computing differs from traditional approaches in that the organization developing the application is not responsible for those resources. 

In a traditional Infrastructure-as-a-Service (IaaS) environment, developers need to provision and maintain virtual machines (VMs), storage, security, and all the other management tools that are needed. Developers then load applications onto VMs, and utilize load balancers to allocate traffic efficiently and scale them. At regular intervals, developers need to optimize instance sizes and shut down VMs that aren’t in use. 

These headaches are all eliminated by a serverless computing model, where code is written in functions that are triggered by events. There’s no need for load balancing, capacity planning or resource management — from the standpoint of a developer, there are just tasks being executed.

Serverless security architecture

Source: TheNewStack

Serverless computing is a cloud-computing execution model in which the cloud provider provisions, maintains and allocates servers, and pricing is based on the number of times that functions are executed, not capacity. For this reason, some believe that Functions-as-a-Service (FaaS) is a better term. 

Applications can be created to be entirely serverless, and are run in stateless compute containers that are transient, event-triggered, and managed by a third party.

Serverless security responsibility

Source: PureSec

Despite this confusion, the term “serverless” has been widely adopted since 2016. It has given rise to the Serverless Conference series, and the “Big Three” cloud vendors (Amazon, Google, and Microsoft) have all released serverless offerings.

What are the Benefits of Serverless Computing?

Serverless computing is growing increasingly popular for three main reasons:

  1. No administration - Developers do not need to provision, allocate, or maintain infrastructure resources, and can focus on creating applications. A survey of 19 companies found that average delivery speed increased 77% (median of 50%) after using serverless technology. 
  2. Lower costs - Instead of paying on a capacity-basis, which is woefully inefficient from a resource utilization standpoint, organizations can simply pay for what they use. There are no VMs sitting idly by for hours on end; event-driven code is executed when triggered to do so. FireEye reported saving 80% on its monthly AWS bill by using Lambda instead of EC2 instances.
  3. Auto-scaling - Horizontal scaling is completely automatic, elastic, and managed by the provider.

These benefits are why 46% of surveyed companies use serverless computing according to the Cloud Foundry 2018 report, and why serverless computing has grown by 75% in the past year according to the RightScale 2018 State of the Cloud report.

What are the Drawbacks of Serverless Computing?

No new technology or process is perfect, and serverless is no exception. The main drawbacks of serverless computing include:

  1. Vendor lock-in - The majority of serverless solutions rely on the rest of a vendor’s cloud services: events, data storage and many other things (as well as other third-party solutions). To avoid this, some organizations are using the Serverless Framework, which assembles applications into a single package that can be deployed across various cloud providers.
  2. Portability - While developers were reasonably able to lift and shift applications from on-premise to the cloud, serverless computing is not as portable due to function and memory limitations. In fact, AWS Lambda at the time of writing has a 15-minute function timeout and can support a maximum memory allocation of 3008 MB; applications that require continuous monitoring, for instance, cannot be developed in the current serverless computing environment.
  3. Testing and debugging challenges - Serverless involves integrating disparate, distributed services that must be tested independently and together. Integration testing is uniquely difficult as the units of integration with this architecture are considerably smaller than those of other architectures. Moreover, serverless architectures can feature event-driven, asynchronous workflows, which are hard to emulate entirely. Digital Ocean’s report on developer trends in the cloud identifies monitoring and debugging as one of the biggest challenges developers report when it comes to serverless computing.
  4. Architectural complexity - Organizations need to make key decisions around how small the function should be, how many functions an application calls, and more. Organizations often face challenges maintaining large volumes of functions.
  5. Security - Serverless architectures pose unique security challenges, which need to be addressed.

These challenges contribute to serverless computing’s relatively low overall adoption, which is further illustrated below in Digital Ocean’s survey of over 4800 IT professionals.

Serverless security survey

Source: Digital Ocean (June 2018)

Despite these challenges, serverless is being evaluated and adopted fairly quickly – on par with the adoption of containers. 

Serverless security growing cloud services

Source: RightScale State of the Cloud Report (2018) 

Further, as serverless computing advances and memory allocation and timeouts extend (e.g. from 15 minutes to 1 hour), serverless computing will become an increasingly attractive option for developers that are under pressure to develop applications at lightning speed. 

The Challenges of Serverless Security

Designing a security solution for serverless architectures and applications is very difficult for a few key reasons:

  • The attack surface is expanded: Serverless functions ingest data from various sources including HTTP APIs, cloud storage, IoT device communications and more. Further, some message structures cannot be inspected by standard web application firewall (WAF) capabilities.
  • Scanning tools are ineffective: Scanning tools are not adapted to serverless applications, especially when serverless applications use non-HTTP interfaces to consume input.
  • Traditional solutions don’t work: Organizations can’t use endpoint protection or host-based IPS because they don’t have access to the virtual servers or their operating systems.
  • Unique capabilities are required: Cloud API call inspection is required, which is not traditionally part of WAF or other IPS solutions. Furthermore, serverless functions are triggered by a wide range of cloud-native event types, each of which has its own message format and encoding schemes. Traditional application security solutions are incapable of inspecting cloud-native event triggers, either because they cannot be deployed in-line between the service that generates the event and an organization’s functions, or because they cannot parse, analyze or understand cloud-native events.
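
An added example, not part of the original article: the Python below decodes caller-controlled fields from four AWS Lambda event shapes (API Gateway proxy, S3, SQS, Kinesis) before checking them, which is the step an HTTP-only WAF cannot perform. The function names, the deny pattern and the sample events are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote_plus

# Constructed deny pattern for illustration; real functions should validate
# each field against a strict schema for its event type.
SUSPICIOUS = re.compile(r"\.\./|<script", re.IGNORECASE)

def untrusted_fields(event):
    """Yield (source, decoded_text) for each caller-controlled field."""
    if "httpMethod" in event:  # API Gateway proxy integration
        body = event.get("body") or ""
        if event.get("isBase64Encoded"):
            body = base64.b64decode(body).decode("utf-8", "replace")
        yield "apigw:body", body
        for name, value in (event.get("queryStringParameters") or {}).items():
            yield f"apigw:query:{name}", value
        return
    if "Records" not in event:
        raise ValueError("unrecognized event shape")  # fail closed
    for rec in event["Records"]:
        source = rec.get("eventSource")
        if source == "aws:s3":  # object keys arrive URL-encoded
            yield "s3:key", unquote_plus(rec["s3"]["object"]["key"])
        elif source == "aws:sqs":  # message body is a plain string
            yield "sqs:body", rec["body"]
        elif source == "aws:kinesis":  # payload is base64
            data = base64.b64decode(rec["kinesis"]["data"])
            yield "kinesis:data", data.decode("utf-8", "replace")
        else:
            raise ValueError(f"unhandled event source: {source!r}")

def flagged_fields(event):
    """Return the sources whose decoded content matches the deny pattern."""
    return [src for src, text in untrusted_fields(event) if SUSPICIOUS.search(text)]

# Constructed sample events (trimmed to the fields used here).
S3_EVENT = {"Records": [{"eventSource": "aws:s3",
            "s3": {"object": {"key": "uploads/..%2F..%2Fetc%2Fpasswd"}}}]}
KINESIS_EVENT = {"Records": [{"eventSource": "aws:kinesis", "kinesis": {
    "data": base64.b64encode(b"<script>alert(1)</script>").decode()}}]}
SQS_EVENT = {"Records": [{"eventSource": "aws:sqs", "body": '{"order_id": 42}'}]}

if __name__ == "__main__":
    for ev in (S3_EVENT, KINESIS_EVENT, SQS_EVENT):
        print(flagged_fields(ev))
```

The S3 key and the Kinesis payload only match the pattern after decoding, so a filter applied to the raw event would pass both.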

Serverless Security Startups 

At Plug and Play, we know startups. We have talked about cybersecurity startups and, while serverless security is still a nascent space, two promising startups have emerged ready to address the aforementioned challenges. 

PureSec, which was founded in 2016 and has raised $10M to date, offers a serverless security platform that provides vulnerability assessments, a serverless application firewall, and the ability to construct function profiles and flag behaviors that are anomalous. 

On the other hand, Protego, which was founded in 2017 and has raised $2M to date, secures serverless environments by determining the permissions a function needs to complete its task, ensuring zero trust, and using behavioral analysis to identify anomalous behaviors.

Despite the challenges that serverless computing poses today, I’m confident that we’ll witness widespread serverless adoption in the next few years as it allows enterprises to accelerate development and reduce costs. Keep reading our blog if you want to find out more about cybersecurity trends and innovation.
