Dark Reading is part of the Informa Tech Division of Informa PLC


Cloud

6/19/2019
02:00 PM
Joe Vadakkan
Commentary

Serverless Computing from the Inside Out

The biggest 'serverless' risks don't stem from the technology itself. They occur when organizations respond to the adoption from the outside in.

Serverless computing, or function-as-a-service (FaaS), is becoming a hot new trend in the developer world. And it's easy to understand why: It brings the cloud one step closer to true "utility computing." With FaaS, developers can deploy code for individual functions on a FaaS platform such as AWS Lambda or Microsoft Azure Functions. This is far faster and more efficient than deploying entire applications, and it also enables true utility computing because organizations pay for only the resources used when functions are executed rather than paying for (and managing) an "always-on" underlying infrastructure, as when deploying applications on traditional cloud platforms.

The benefits of serverless computing (such as cost savings, reduced security overhead, and quicker time-to-release) have caused a dramatic rise in its adoption — which is expected to accelerate in the coming years. The security industry is responding to this new paradigm as it has with all other new paradigms since the beginning of Internet computing: by enumerating the various vulnerabilities and threats made possible by serverless computing, and then proposing a list of technologies to combat those vulnerabilities and threats.

This is what I call an "outside-in" approach to security: where organizations allow external threats and compliance requirements to dictate security strategy and spending. They continually switch their focus to the latest threat "flavor of the week," and throw money at the problem with new technology.

The problems with this approach are well documented. Today's bloated and unmanageable technology infrastructures are the direct result of outside-in thinking. Combined with the cybersecurity skills shortage and budget limitations, these infrastructures produce gaps, through misconfiguration and mismanagement, that open the door to security incidents.

Against this backdrop, the biggest risks do not come from serverless computing itself; they come from how organizations respond to serverless adoption. Will they inflame the cost and complexity problem by, yet again, taking an outside-in approach to security? Or will they break this cycle with a different approach?

Security from the Inside Out
Fundamentally, cybersecurity isn't about threats and vulnerabilities. It's about business risk. The interesting thing about business risk is that it sits at the core of the organization. It is the risk that results from company operations — whether that risk be legal, regulatory, competitive, or operational. This is why the outside-in approach to cybersecurity has been less than successful: Risk lives at the core of the organization, but cybersecurity strategy and spending have been dictated by factors outside of the organization with little, if any, business risk context. This is why we see organizations devoting too many resources to defend against threats that really aren't major business risks, and too few to those that are.

To break the cycle of outside-in futility, security organizations need to change their approach, so they align with other enterprise risk management functions. And that approach is to turn outside-in on its head, and take an inside-out approach to cybersecurity.

Inside-out security is not based on the external threat landscape; it's based on an enterprise risk model that defines and prioritizes the relative business risk presented by organizations' digital operations and initiatives. This model maps to the enterprise business model and enables security professionals to build security strategy and spend aimed at enabling the business rather than protecting against threats.

With this kind of model in place, the adoption of new platforms, such as serverless computing, does not become a life-altering experience. It's just a function of extending the enterprise risk model to encompass serverless initiatives, so security professionals can understand the potential business risk those initiatives might represent. Typical questions to answer during this analysis include:

  • Do the code functions in the cloud represent a source of business risk? Could they lead to business disruption or compliance violations?
  • Can the code be compromised and, if it is, what is the maximum damage that could result?
  • Can you approximate the monetary value of each code function deployed in the cloud? If so, how do those values compare with the costs associated with trying to implement security at the code level?
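The three questions above amount to a small quantitative risk model. As an added example that is not part of the original article, the Python below applies two standard risk-quantification formulas, annualized loss expectancy (ALE = maximum single loss × expected compromises per year) and return on security investment (ROSI = (risk reduction − control cost) / control cost), to a constructed inventory of four cloud functions. Every function name, dollar figure and probability is made up, and the funding rule (pay for code-level controls when ROSI is positive, when ALE exceeds the organization's risk appetite, or when the function handles regulated data) is an assumption for illustration, not the author's method.

```python
"""
Risk-based prioritization of serverless functions (added example, not from
the original article). Applies ALE and ROSI to a constructed inventory so a
security team can answer: is this function a source of business risk, what is
the maximum damage if it is compromised, and does the value at risk justify
the cost of securing it at the code level. All figures below are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FunctionRisk:
    name: str
    max_loss: float        # worst-case damage if compromised (single loss expectancy), USD
    annual_rate: float     # expected compromises per year without controls (ARO)
    control_cost: float    # annual cost of code-level controls for this function, USD
    control_effect: float  # fraction of expected loss the controls remove, 0..1
    regulated_data: bool   # touches data whose exposure is a compliance violation

    def ale(self) -> float:
        """Annualized loss expectancy before controls: SLE * ARO."""
        return self.max_loss * self.annual_rate

    def residual_ale(self) -> float:
        """Expected annual loss that remains after the controls are in place."""
        return self.ale() * (1.0 - self.control_effect)

    def rosi(self) -> float:
        """Return on security investment: (risk reduction - cost) / cost."""
        if self.control_cost <= 0:
            raise ValueError("control_cost must be positive to compute ROSI")
        reduction = self.ale() - self.residual_ale()
        return (reduction - self.control_cost) / self.control_cost


# Constructed inventory: names and numbers are illustrative only.
INVENTORY = [
    FunctionRisk("image-thumbnailer", 5_000, 0.5, 15_000, 0.9, False),
    FunctionRisk("checkout-payment", 2_000_000, 0.05, 40_000, 0.8, True),
    FunctionRisk("nightly-report-export", 300_000, 0.1, 20_000, 0.5, False),
    FunctionRisk("customer-lookup-api", 500_000, 0.25, 25_000, 0.7, True),
]

# Assumed annual loss the business is willing to carry per function, USD.
RISK_APPETITE = 50_000.0


def prioritize(inventory, risk_appetite):
    """Rank functions by ALE (highest first) and decide where to spend.

    A function is funded for code-level controls when any of these holds
    (assumed policy): the controls pay for themselves (ROSI > 0), the
    uncontrolled ALE exceeds risk appetite, or the function handles
    regulated data, where a compliance violation is not a cost trade-off.
    """
    ranked = sorted(inventory, key=lambda f: f.ale(), reverse=True)
    decisions = []
    for f in ranked:
        mandatory = f.regulated_data or f.ale() > risk_appetite
        pays_off = f.rosi() > 0
        decisions.append({
            "name": f.name,
            "max_loss": f.max_loss,          # answers "maximum damage"
            "ale": round(f.ale(), 2),         # answers "source of business risk"
            "rosi": round(f.rosi(), 2),       # answers "worth securing at code level"
            "fund_controls": mandatory or pays_off,
        })
    return decisions


if __name__ == "__main__":
    for d in prioritize(INVENTORY, RISK_APPETITE):
        verdict = "FUND" if d["fund_controls"] else "accept"
        print(f"{d['name']:<24} ALE ${d['ale']:>10,.0f}  ROSI {d['rosi']:>6.2f}  {verdict}")
```

Running it ranks the customer-lookup and payment functions at the top (large ALE, positive ROSI, regulated data), and marks the thumbnailer as a risk to accept: its controls would cost several times the loss they prevent, which is the "termites versus burglars" judgment the article argues for, expressed in numbers a risk committee can debate.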

As with all digital initiatives, there will be business risks ranging from severe to low level, which will dictate where security organizations need to concentrate their resources. This will prevent organizations from investing scarce time and money in protecting against the typical list of potential threats coming from the security industry marketing machine, and instead focus them only on managing enterprise risk.

Understanding Risk from the Inside Out
By adopting an inside-out strategy to cybersecurity, organizations can readily adopt new technologies and platforms without introducing undue risk or imposing outsized burdens on the security organization. Think about it like your house — if you live in a high-crime area, you'd be wise to invest in locks and alarm systems. If you live in rural America, you're probably better served worrying more about termites than you are burglars.

Yes, it's possible a random burglar might decide to steal your TV, but it's not worth investing thousands of dollars in alarm systems to prevent what is realistically unlikely to happen, or low-risk. This may be a simplistic example, but it is accurate in relation to today's cybersecurity best practices. You should invest in a risk-based, programmatic approach and embed that strategy with orchestration and automation so that you are managing security risk in a way that is constantly evolving with technology, people, and process. Just as you should "shift left" on your security priorities and spend based on the neighborhood in which you live, you should do the same based on the risk appetite for your organization. It's all a matter of understanding your risk — from the inside out.

Joe Vadakkan brings more than 18 years of global infrastructure architecture and security experience, focusing on all aspects of cyber and data security to his role of global practice leader, cloud security, for Optiv. Vadakkan's expertise in information security and IT ...