Serverless computing, or function-as-a-service (FaaS), is becoming a hot new trend in the developer world. And it's easy to understand why: It brings the cloud one step closer to true "utility computing." With FaaS, developers can deploy code for individual functions on a FaaS platform such as AWS Lambda or Microsoft Azure Functions. This is far faster and more efficient than deploying entire applications, and it also enables true utility computing because organizations pay for only the resources used when functions are executed rather than paying for (and managing) an "always-on" underlying infrastructure, as when deploying applications on traditional cloud platforms.
The benefits of serverless computing (such as cost savings, reduced security overhead, and quicker time-to-release) have caused a dramatic rise in its adoption — which is expected to accelerate in the coming years. The security industry is responding to this new paradigm as it has with all other new paradigms since the beginning of Internet computing: by enumerating the various vulnerabilities and threats made possible by serverless computing, and then proposing a list of technologies to combat those vulnerabilities and threats.
This is what I call an "outside-in" approach to security: where organizations allow external threats and compliance requirements to dictate security strategy and spending. They continually switch their focus to the latest threat "flavor of the week," and throw money at the problem with new technology.
The problems with this approach are well documented. Today's bloated and unmanageable technology infrastructures are the direct result of outside-in thinking. Along with the cybersecurity skills shortage and budget limitations, these infrastructures cause gaps due to misconfigurations and mismanagement, which opens the door to security incidents.
Against this backdrop, the biggest risks do not come from serverless computing itself; they come from how organizations respond to serverless adoption. Will they inflame the cost and complexity problem by, yet again, taking an outside-in approach to security? Or will they break this cycle with a different approach?
Security from the Inside Out
Fundamentally, cybersecurity isn't about threats and vulnerabilities. It's about business risk. The interesting thing about business risk is that it sits at the core of the organization. It is the risk that results from company operations — whether that risk be legal, regulatory, competitive, or operational. This is why the outside-in approach to cybersecurity has been less than successful: Risk lives at the core of the organization, but cybersecurity strategy and spending has been dictated by factors outside of the organization with little, if any, business risk context. This is why we see organizations devoting too many resources to defend against threats that really aren't major business risks, and too few to those that are.
To break the cycle of outside-in futility, security organizations need to change their approach, so they align with other enterprise risk management functions. And that approach is to turn outside-in on its head, and take an inside-out approach to cybersecurity.
Inside-out security is not based on the external threat landscape; it's based on an enterprise risk model that defines and prioritizes the relative business risk presented by organizations' digital operations and initiatives. This model maps to the enterprise business model and enables security professionals to build security strategy and spend aimed at enabling the business rather than protecting against threats.
With this kind of model in place, the adoption of new platforms, such as serverless computing, does not become a life-altering experience. It's just a function of extending the enterprise risk model to encompass serverless initiatives, so security professionals can understand the potential business risk those initiatives might represent. Typical questions to answer during this analysis include:
- Do the code functions in the cloud represent a source of business risk? Could they lead to business disruption or compliance violations?
- Can the code be compromised and, if it is, what is the maximum damage that could result?
- Can you approximate the monetary value of each code function deployed in the cloud? If so, how do those values compare with the costs associated with trying to implement security at the code level?
As with all digital initiatives, there will be business risks ranging from severe to low level, which will dictate where security organizations need to concentrate their resources. This will prevent organizations from investing scarce time and money in protecting against the typical list of potential threats coming from the security industry marketing machine, and instead focus only managing enterprise risk.
Understanding Risk from the Inside Out
By adopting an inside-out strategy to cybersecurity, organizations can readily adopt new technologies and platforms without introducing undue risk or imposing outsized burdens on the security organization. Think about it like your house — if you live in a high-crime area, you'd be wise to invest in locks and alarm systems. If you live in rural America, you're probably better served worrying more about termites than you are burglars.
Yes, it's possible a random burglar might decide to steal your TV, but it's not worth investing thousands of dollars in alarm systems to prevent what is realistically unlikely to happen, or low-risk. This may be a simplistic example, but it is accurate in relation to today's cybersecurity best practices. You should invest in a risk-based, programmatic approach and embed that strategy with orchestration and automation so that you are managing security risk in a way that is constantly evolving with technology, people, and process. Just as you should "shift left" on your security priorities and spend based on the neighborhood in which you live, you should do the same based on the risk appetite for your organization. It's all a matter of understanding your risk — from the inside out.