Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/19/2019
02:00 PM
Joe Vadakkan
Joe Vadakkan
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Serverless Computing from the Inside Out

The biggest 'serverless' risks don't stem from the technology itself. They occur when organizations respond to the adoption from the outside in.

Serverless computing, or function-as-a-service (FaaS), is becoming a hot new trend in the developer world. And it's easy to understand why: It brings the cloud one step closer to true "utility computing." With FaaS, developers can deploy code for individual functions on a FaaS platform such as AWS Lambda or Microsoft Azure Functions. This is far faster and more efficient than deploying entire applications, and it also enables true utility computing because organizations pay for only the resources used when functions are executed rather than paying for (and managing) an "always-on" underlying infrastructure, as when deploying applications on traditional cloud platforms.

The benefits of serverless computing (such as cost savings, reduced security overhead, and quicker time-to-release) have caused a dramatic rise in its adoption — which is expected to accelerate in the coming years. The security industry is responding to this new paradigm as it has with all other new paradigms since the beginning of Internet computing: by enumerating the various vulnerabilities and threats made possible by serverless computing, and then proposing a list of technologies to combat those vulnerabilities and threats.

This is what I call an "outside-in" approach to security: where organizations allow external threats and compliance requirements to dictate security strategy and spending. They continually switch their focus to the latest threat "flavor of the week," and throw money at the problem with new technology.

The problems with this approach are well documented. Today's bloated and unmanageable technology infrastructures are the direct result of outside-in thinking. Along with the cybersecurity skills shortage and budget limitations, these infrastructures cause gaps due to misconfigurations and mismanagement, which opens the door to security incidents.

Against this backdrop, the biggest risks do not come from serverless computing itself; they come from how organizations respond to serverless adoption. Will they inflame the cost and complexity problem by, yet again, taking an outside-in approach to security? Or will they break this cycle with a different approach?

Security from the Inside Out
Fundamentally, cybersecurity isn't about threats and vulnerabilities. It's about business risk. The interesting thing about business risk is that it sits at the core of the organization. It is the risk that results from company operations — whether that risk be legal, regulatory, competitive, or operational. This is why the outside-in approach to cybersecurity has been less than successful: Risk lives at the core of the organization, but cybersecurity strategy and spending has been dictated by factors outside of the organization with little, if any, business risk context. This is why we see organizations devoting too many resources to defend against threats that really aren't major business risks, and too few to those that are.

To break the cycle of outside-in futility, security organizations need to change their approach, so they align with other enterprise risk management functions. And that approach is to turn outside-in on its head, and take an inside-out approach to cybersecurity.

Inside-out security is not based on the external threat landscape; it's based on an enterprise risk model that defines and prioritizes the relative business risk presented by organizations' digital operations and initiatives. This model maps to the enterprise business model and enables security professionals to build security strategy and spend aimed at enabling the business rather than protecting against threats.

With this kind of model in place, the adoption of new platforms, such as serverless computing, does not become a life-altering experience. It's just a function of extending the enterprise risk model to encompass serverless initiatives, so security professionals can understand the potential business risk those initiatives might represent. Typical questions to answer during this analysis include:

  • Do the code functions in the cloud represent a source of business risk? Could they lead to business disruption or compliance violations?
  • Can the code be compromised and, if it is, what is the maximum damage that could result?
  • Can you approximate the monetary value of each code function deployed in the cloud? If so, how do those values compare with the costs associated with trying to implement security at the code level?

As with all digital initiatives, there will be business risks ranging from severe to low level, which will dictate where security organizations need to concentrate their resources. This will prevent organizations from investing scarce time and money in protecting against the typical list of potential threats coming from the security industry marketing machine, and instead focus only managing enterprise risk.

Understanding Risk from the Inside Out
By adopting an inside-out strategy to cybersecurity, organizations can readily adopt new technologies and platforms without introducing undue risk or imposing outsized burdens on the security organization. Think about it like your house — if you live in a high-crime area, you'd be wise to invest in locks and alarm systems. If you live in rural America, you're probably better served worrying more about termites than you are burglars.

Yes, it's possible a random burglar might decide to steal your TV, but it's not worth investing thousands of dollars in alarm systems to prevent what is realistically unlikely to happen, or low-risk. This may be a simplistic example, but it is accurate in relation to today's cybersecurity best practices. You should invest in a risk-based, programmatic approach and embed that strategy with orchestration and automation so that you are managing security risk in a way that is constantly evolving with technology, people, and process. Just as you should "shift left" on your security priorities and spend based on the neighborhood in which you live, you should do the same based on the risk appetite for your organization. It's all a matter of understanding your risk — from the inside out.

Related Content:

Joe Vadakkan brings more than 18 years of global infrastructure architecture and security experience, focusing on all aspects of cyber and data security to his role of global practice leader, cloud security, for Optiv. Vadakkan's expertise in information security and IT ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16632
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
CVE-2021-32073
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
CVE-2021-33033
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
CVE-2021-33034
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
CVE-2019-25044
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.