Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/19/2019
02:00 PM
Joe Vadakkan
Joe Vadakkan
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

Serverless Computing from the Inside Out

The biggest 'serverless' risks don't stem from the technology itself. They occur when organizations respond to the adoption from the outside in.

Serverless computing, or function-as-a-service (FaaS), is becoming a hot new trend in the developer world. And it's easy to understand why: It brings the cloud one step closer to true "utility computing." With FaaS, developers can deploy code for individual functions on a FaaS platform such as AWS Lambda or Microsoft Azure Functions. This is far faster and more efficient than deploying entire applications, and it also enables true utility computing because organizations pay for only the resources used when functions are executed rather than paying for (and managing) an "always-on" underlying infrastructure, as when deploying applications on traditional cloud platforms.

The benefits of serverless computing (such as cost savings, reduced security overhead, and quicker time-to-release) have caused a dramatic rise in its adoption — which is expected to accelerate in the coming years. The security industry is responding to this new paradigm as it has with all other new paradigms since the beginning of Internet computing: by enumerating the various vulnerabilities and threats made possible by serverless computing, and then proposing a list of technologies to combat those vulnerabilities and threats.

This is what I call an "outside-in" approach to security: where organizations allow external threats and compliance requirements to dictate security strategy and spending. They continually switch their focus to the latest threat "flavor of the week," and throw money at the problem with new technology.

The problems with this approach are well documented. Today's bloated and unmanageable technology infrastructures are the direct result of outside-in thinking. Along with the cybersecurity skills shortage and budget limitations, these infrastructures cause gaps due to misconfigurations and mismanagement, which opens the door to security incidents.

Against this backdrop, the biggest risks do not come from serverless computing itself; they come from how organizations respond to serverless adoption. Will they inflame the cost and complexity problem by, yet again, taking an outside-in approach to security? Or will they break this cycle with a different approach?

Security from the Inside Out
Fundamentally, cybersecurity isn't about threats and vulnerabilities. It's about business risk. The interesting thing about business risk is that it sits at the core of the organization. It is the risk that results from company operations — whether that risk be legal, regulatory, competitive, or operational. This is why the outside-in approach to cybersecurity has been less than successful: Risk lives at the core of the organization, but cybersecurity strategy and spending has been dictated by factors outside of the organization with little, if any, business risk context. This is why we see organizations devoting too many resources to defend against threats that really aren't major business risks, and too few to those that are.

To break the cycle of outside-in futility, security organizations need to change their approach, so they align with other enterprise risk management functions. And that approach is to turn outside-in on its head, and take an inside-out approach to cybersecurity.

Inside-out security is not based on the external threat landscape; it's based on an enterprise risk model that defines and prioritizes the relative business risk presented by organizations' digital operations and initiatives. This model maps to the enterprise business model and enables security professionals to build security strategy and spend aimed at enabling the business rather than protecting against threats.

With this kind of model in place, the adoption of new platforms, such as serverless computing, does not become a life-altering experience. It's just a function of extending the enterprise risk model to encompass serverless initiatives, so security professionals can understand the potential business risk those initiatives might represent. Typical questions to answer during this analysis include:

  • Do the code functions in the cloud represent a source of business risk? Could they lead to business disruption or compliance violations?
  • Can the code be compromised and, if it is, what is the maximum damage that could result?
  • Can you approximate the monetary value of each code function deployed in the cloud? If so, how do those values compare with the costs associated with trying to implement security at the code level?

As with all digital initiatives, there will be business risks ranging from severe to low level, which will dictate where security organizations need to concentrate their resources. This will prevent organizations from investing scarce time and money in protecting against the typical list of potential threats coming from the security industry marketing machine, and instead focus only managing enterprise risk.

Understanding Risk from the Inside Out
By adopting an inside-out strategy to cybersecurity, organizations can readily adopt new technologies and platforms without introducing undue risk or imposing outsized burdens on the security organization. Think about it like your house — if you live in a high-crime area, you'd be wise to invest in locks and alarm systems. If you live in rural America, you're probably better served worrying more about termites than you are burglars.

Yes, it's possible a random burglar might decide to steal your TV, but it's not worth investing thousands of dollars in alarm systems to prevent what is realistically unlikely to happen, or low-risk. This may be a simplistic example, but it is accurate in relation to today's cybersecurity best practices. You should invest in a risk-based, programmatic approach and embed that strategy with orchestration and automation so that you are managing security risk in a way that is constantly evolving with technology, people, and process. Just as you should "shift left" on your security priorities and spend based on the neighborhood in which you live, you should do the same based on the risk appetite for your organization. It's all a matter of understanding your risk — from the inside out.

Related Content:

Joe Vadakkan brings more than 18 years of global infrastructure architecture and security experience, focusing on all aspects of cyber and data security to his role of global practice leader, cloud security, for Optiv. Vadakkan's expertise in information security and IT ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Human Nature vs. AI: A False Dichotomy?
John McClurg, Sr. VP & CISO, BlackBerry,  11/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15073
PUBLISHED: 2019-11-20
An Open Redirect vulnerability for all browsers in MAIL2000 through version 6.0 and 7.0, which will redirect to a malicious site without authentication. This vulnerability affects many mail system of governments, organizations, companies and universities.
CVE-2019-15072
PUBLISHED: 2019-11-20
The login feature in "/cgi-bin/portal" in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via any parameter. This vulnerability affects many mail system of governments, organizations, companies and universities.
CVE-2019-15071
PUBLISHED: 2019-11-20
The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail syste...
CVE-2019-6176
PUBLISHED: 2019-11-20
A potential vulnerability reported in ThinkPad USB-C Dock Firmware version 3.7.2 may allow a denial of service.
CVE-2019-6184
PUBLISHED: 2019-11-20
A potential vulnerability in the discontinued Customer Engagement Service (CCSDK) software version 2.0.21.1 may allow local privilege escalation.