“For most organizations, we believe serverless PaaS adoption is a matter of when, not if — with enterprise adoption rates exceeding 90% by 2021... However, as with the adoption of VMs and containers, support for securing serverless will initially have visibility and control gaps...Further, new types of attacks will emerge against serverless PaaS, requiring new approaches and techniques.” 1
We think that Gartner’s report on Securing Serverless PaaS is released in great timing and resonates extremely well with the challenges our customers face. Security challenges that span the development life cycle, through architecture and orchestration pipelines, all the way through production runtime control and visibility. The Cloud Native Computing Foundation states in their recent August 2018 survey CNCF Survey: Use of Cloud Native Technologies in Production Has Grown Over 200% that serverless technology use is up by 22% since December 2017 and that AWS Lambda is the most used platform (70%). Gartner highlights the fact that serverless is on the horizon for many companies today, and recommends that companies looking to deploy serverless in production should follow these four steps in order to do so securely:
- Cloud-native app security
- Serverless foundation security
- Serverless development security
- Serverless Ops security
The report talks about DevSecOps as the intersection point of four winds of the serverless development and deployment. We couldn't agree more with this observation: In a similar fashion with container-based cloud-native applications, DevSecOps teams have a crucial role in framing and gluing together the developers’ mindset with serverless security best practices. Continuous integration and deployment pipelines, automatically scale out or in, cost-effective, ease of use - these are some of the benefits that DevSecOps looks into when using different tools, and the same works for serverless environments. We, therefore, see the role of DevSecOps as a crucial one, one that will surely grow as serverless adoption increases.
Serverless is just another form of architecture
The report highlights the fact that when starting to play with functions, one should embrace a cloud-native mindset. By mindset, Gartner refers to the importance of immutable infrastructure, to least privileges management and consistent protection across the compute and architecture, to name a few. Gartner thinks that serverless is “… just one possible building block in a broader approach that should be adopted for securing all cloud-native applications” which aligns greatly with Alcide’s mission to secure cloud workloads powered by VMs, containers, functions an organization chooses to employ. As a company that speaks the cloud language, we also believe that just like with VMs and containers, security solutions simply need to adjust to serverless in order to protect another piece of code that is simply more abstracted. This is because, for Alcide, VMs, containers or functions are just a vehicle for deploying and running application code: we treat them the same, and secure them in the same manner, by providing unified application-aware network policies, hunt for threats using microservice behavioral anomaly detection and leverage our always-on threat intelligence feeds. The result is a smart security that can adapt itself to any architecture.
Risk Visibility for Serverless Protection
The next step is to secure the serverless foundation which means that security controls should focus on the separation of keys and identities for better control and that security posture should be done continuously in runtime as well. It also recommends using API gateway or event broker for a secured serverless access.
Minimizing the attack surface is the ultimate goal of any security solution, and risk visibility is one way to facilitate that. Gaining visibility in distributed environments is no longer a need but rather a must. With a constantly changing serverless environment, you need to know what to secure before actually doing it. The report addresses this point several times highlighting the need to have deep visibility for better security and control over these environments.
Do use machine learning for anomaly detection
Implementing cloud-native application using Serverless as the application vehicle calls for employing detection that complements IAM and access policies. Alcide’s machine learning engine tracks individual functions builds and updates behavioral patterns, and at the same time builds, adapts and tracks a microservice as a whole. If the engine detects that an individual function instance deviates from the runtime behavioral profile, whether this was due to application vulnerability, misconfiguration, or misbehaving open source library, the alert pipeline wires the event all the way back to the owning development team in addition to the operational team which makes the DevSecOps workflow a matter of a day to day practice.
Bringing Application Segmentation to Serverless Environments with Alcide
Another approach, used by Alcide, uses a module written in C that is attached to (and called from via injection) the serverless code for application-centric network segmentation.
Gartner mentions Alcide as one of the security companies that uses runtime code injection to secure the code for micro-segmentation purpose. We built micro-perimeters at the function level to provide application segmentation for serverless, the runtime protection is “baked” into the serverless function in build time and loaded into the function process when the serverless function initializes.
By bringing developer and ops application know-how, and without requiring any changes to the development workflows the function level segmentation dramatically reduce the attack surface and the risks of losing sensitive data.
Using a combination of application security with serverless development and ops security practices, organizations can enjoy a secured serverless environment.
Cultural shift takes time, especially when dealing with people. And the intro of a DevSecOps role into the development lifecycle is no different. We strongly believe that a DevSecOps mindset can help facilitate the move to, and adoption of, serverless architecture. This is why our security platform was designed with DevSecOps in mind from day one, no matter what size and vertical the organization belongs to. The result: a consolidated platform that allows you to visualize, investigate, and mitigate risks with unified security policies designed for any cloud environment.
Ready to try out Alcide’s platform? Fill out this form here.
1. Gartner, Security Considerations and Best Practices for Securing Serverless PaaS by Neil MacDonald, 4 September 2018
2. Security Considerations and Best Practices for Securing Serverless PaaS by Neil MacDonald, 4 September 2018