Cloud

3/21/2018
11:15 AM
Guy Podjarny
Guy Podjarny
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

How Serverless Computing Reshapes Security

The new division of responsibility moves some security concerns off a business's plate while changing priorities for other risks.

Serverless computing is an exciting new approach in the world of cloud infrastructure that lets developers write small code functions and publish them to the cloud, where the platform runs them on demand. This new model overhauls many aspects of operations and unlocks opportunities for cost reduction, and large and small organizations are trying it out.

Alongside its operations impact, serverless computing and its underlying function-as-a-service (FaaS) platform also carry significant security implications. The new division of responsibility moves some security concerns off a business's plate while simultaneously magnifying or shuffling priorities for other risks.

Risks You Can Worry About Less
First and foremost, serverless computing, as its names implies, lowers the risks involved with managing servers. While the servers clearly still exist, they are no longer managed by the application owner, and are instead taken care of by the cloud platform operators — for instance, Google, Microsoft, or Amazon. Efficient and secure handling of servers is a core competency for these platforms, and so it's far more likely they will handle it well.

The biggest concern you can eliminate is  addressing vulnerable server dependencies. Patching your servers regularly is easy enough on a single server but quite hard to achieve at scale. As an industry, we are notoriously bad at tracking vulnerable operating system binaries, leading to one breach after another. Stats from Gartner predict this trend will continue into and past 2020. With a serverless approach, patching servers is the platform's responsibility.

Beyond patching, serverless reduces the risk of a denial-of-service (DoS) attack. No server management also means no capacity management, as FaaS automatically provisions ad hoc servers to meet incoming demand. Such optimal scaling reduces the chance of an outage, including one attempted deliberately through a DoS attack. Attacks trying to take down a server will be stopped, as the platform kills the crippled server within seconds alongside launching new ones for new clients. Serverless computing won't help against a high-volume distributed DoS attack, but the risk and damage of a DoS attack is greatly diminished.

Lastly, FaaS offers an opportunity to apply fine grain permission control. Each deployed function has to be granted explicit access to data, services, and other functions, and similar policies control who can invoke each function in the first place. Since functions are smaller than full applications, we can greatly reduce the number of code paths that access our sensitive data, as well as reduce the damage an attacker can do following a successful exploit. This granularity offers a great security opportunity, but it requires additional effort in configuring and maintaining such accurate policies.

The Risks That Bubble to the Top
Unfortunately, every architecture has its flaws, and serverless computing also triggers an increase in certain risks, caused by the statelessness and flexibility that also make it shine. In addition, by mitigating the above concerns, serverless computing draws attacker attention to other attack vectors, which remain open.

The first concern to grow with FaaS is the moving and storage of data. Since serverless forces all functions to be stateless, sensitive cached data, such as user sessions and negotiated keys, cannot be kept in memory and must be moved and stored in an external location. Moving the data risks leaking it in the process, and storing the data elsewhere requires security controls on the new database, and may have compliance implications as well. These data concerns are not new ones, but since data is moved and stored more often, the risk of a security failure grow.

Beyond data, serverless apps also make greater use of third-party services. Due to its event-driven nature, as well as the mentioned requirement that functions remain stateless, serverless applications rely more heavily on third-party services than typical apps. These services may be offered by the cloud platform itself or by external providers, and range from authentication to storage to email and messaging services. Each interaction with a third party needs multiple security controls, and the eventual dependency chain carries the risk of being as strong as its weakest link.

This third-party risk also applies to software, in the form of vulnerable open source libraries. Similar in nature to server dependencies, vulnerable application dependencies can cause serious harm, as demonstrated in Equifax being breached through a vulnerable Java library. Functions make heavy use of these libraries, most commonly pulled from npm and PyPI, and many FaaS platforms fetch them as part of their built-in provisioning. The platforms do not, however, manage these dependencies, which means you must monitor for known vulnerabilities in application dependencies yourself to remain secure.

Last but not least, a serverless approach increases your attack surface. Breaking up your applications into small functions allows for great flexibility as you combine functions in different ways but also exposes great risk. Functions may be invoked in many different execution sequences, and they can't rely on input validation, authorization, or similar controls to have already happened. To properly secure a FaaS application, make sure each function maintains its own perimeter, and invest in security libraries and processes that help make such defense in depth easier.

Is Serverless Better for Security?
Serverless computing offers an incredible opportunity accelerating the pace we develop applications while dramatically reducing the cost of operating them. With the powerful benefits it brings to the table, it seems clear it is here to stay, and its adoption will rapidly grow.

Like many things, a serverless approach doesn't clearly improve or worsen security; it simply changes priorities. Notably, it reduces the security concerns revolving servers and raises the ones related to applications. In a serverless context, worry less about capacity planning and server dependencies and more about moving data, applying permissions, and managing vulnerable application dependencies.

By adjusting our priorities and focusing on these updated concerns, we can make the reduction of servers lead to a reduction of risk.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the Interop ITX 2018 security track here. Save $200 off your conference pass with Promo Code DR200.

 

Guy Podjarny is CEO & Co-Founder at Snyk.io, focusing on securing the Node.js and npm world. Guy was previously CTO at Akamai, founded Blaze.io (acquired by Akamai), helped build the first Web app firewall and security code analyzer, and was in the Israeli army cyber units. ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: White Privelege Day
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17282
PUBLISHED: 2018-09-20
An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.
CVE-2018-14592
PUBLISHED: 2018-09-20
The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW Article Attachments FREE extension before 1.0.6 for Joomla! allow SQL Injection within download.php.
CVE-2018-15832
PUBLISHED: 2018-09-20
upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI ha...
CVE-2018-16282
PUBLISHED: 2018-09-20
A command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the caname parameter to the /xml/net_WebCADELETEGetValue URI.
CVE-2018-16752
PUBLISHED: 2018-09-20
LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.