Vulnerabilities / Threats

2/6/2019
10:30 AM
Ory Segal
Ory Segal
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Serverless Computing: 'Function' vs. 'Infrastructure' as-a-Service

How much do companies really gain from offloading security duties to the cloud? Let's do the math.

Security is a shared responsibility between the cloud provider and the customer. This shared model can help relieve customer’s operational burden as cloud providers operate, manage, and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.

Up until recently, when deploying applications on infrastructure-as-a-service (IaaS) platforms, the customer assumed responsibility and management of the guest operating system, including updates and security patches, associated application software, and configuration of the network firewalls in the cloud. With virtual instances, customers need to carefully consider the services they chose as their responsibilities depending on the services used, the integration of those services into the IT environment, and applicable laws and regulations.

With the introduction of serverless computing (also known as FaaS, or function-as-a-service), security shifted even more towards cloud providers by allowing organizations to offload many more tasks in order to concentrate on their core business. But just how much do companies really gain by offloading security duties to the cloud? Let's do the math.

Core Requirements: Physical to Application Security 
The items below are listed bottom-up, starting with physical security, all the way up to the application layer.

  • Physical infrastructure, access restrictions to physical perimeter and hardware
  • Secure configuration of infrastructure devices and systems
  • Regularly testing the security of all systems/processes (OS, services)
  • Identification and authentication of access to systems (OS, services)
  • Patching and fixing flaws in OS
  • Hardening OS and services
  • Protecting all systems against malware and backdoors
  • Patching and fixing flaws in runtime environment and related software packages
  • Exploit prevention and memory protection
  • Network segmentation
  • Tracking and monitoring all network resources and access
  • Installation and maintenance of network firewalls
  • Network-layer DoS protection
  • Authentication of users
  • Authorization controls when accessing application and data
  • Log and maintain audit trails of all access to application and data
  • Deploy an application layer firewall for event-data inspection
  • Detect and fix vulnerabilities in third-party dependencies
  • Use least-privileged IAM roles and permissions
  • Enforce legitimate application behavior
  • Data leak prevention
  • Scan code and configurations statically during development
  • Maintain serverless/cloud asset inventory
  • Remove obsolete/unused cloud services and functions
  • Continuously monitor errors and security incidents

IaaS: Provider vs. Customer

 

When developing applications on IaaS, the security responsibilities are roughly divided as follows:

Cloud Provider Responsibility

  • Physical infrastructure, access restrictions to physical perimeter and hardware
  • Secure configuration of infrastructure devices and systems

Customer Responsibility

  • Regularly testing the security of all systems/processes (OS, services)
  • Identification and authentication of access to systems (OS, services)
  • Patching and fixing flaws in OS
  • Hardening OS and services
  • Protecting all systems against malware and backdoors
  • Patching and fixing flaws in runtime environment and related software packages
  • Exploit prevention and memory protection
  • Network segmentation
  • Tracking and monitoring all network resources and access
  • Installation and maintenance of network firewalls
  • Network-layer DoS protection
  • Authentication of users
  • Authorization controls when accessing application and data
  • Log and maintain audit trails of all access to application and data
  • Deploy an application layer firewall for event-data inspection

Serverless (FaaS): Provider vs. Customer

How responsibilities are divided when developing applications on serverless architectures:

Cloud Provider Responsibility

  • Physical infrastructure, access restrictions to physical perimeter and hardware
  • Secure configuration of infrastructure devices and systems
  • Regularly testing the security of all systems/processes (OS, services)
  • Identification and authentication of access to systems (OS, services)
  • Patching and fixing flaws in OS
  • Hardening OS and services
  • Protecting all systems against malware and backdoors
  • Patching and fixing flaws in runtime environment and related software packages
  • Exploit prevention and memory protection
  • Network segmentation
  • Tracking and monitoring all network resources and access
  • Installation and maintenance of network firewalls
  • Network-layer DoS protection

Customer Responsibility

  • Authentication of users
  • Authorization controls when accessing application and data
  • Log and maintain audit trails of all access to application and data
  • Deploy an application layer firewall for event-data inspection
  • Detect and fix vulnerabilities in third-party dependencies
  • Use least-privileged IAM roles and permissions
  • Enforce legitimate application behavior
  • Data leak prevention
  • Scan code and configurations statically during development
  • Maintain serverless/cloud asset inventory
  • Remove obsolete/unused cloud services and functions
  • Continuously monitor errors and security incidents

FaaS vs. SaaS?
Not all tasks and requirements are created equal — and some of those I've included are obviously more resource and budget intensive than others. If you disagree with my methodology or conclusions, please share your thoughts in the comments.

Related Content:

Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec, a start-up that enables organizations to secure serverless applications. Prior to PureSec, Ory was senior director of threat ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
orysegal
50%
50%
orysegal,
User Rank: Author
2/8/2019 | 4:50:01 AM
Re: Who controls policy?
You make a good point, however, when adopting FaaS/Serverless on public clouds, you have no control over the infrastructure, networking and underlying servers (I will get back to this later). As such, you can't really apply network segmentation or deploy a network firewall. Networking security in those cases is handled by the cloud provider, on a level much lower than what you control. The cloud provider is responsible for making sure that unauthorized traffic to the server/hosting OS is not allowed, and the cloud provider is responsible for only allowing API calls to invoke your functions when relevant.

Your only chance of actually controlling network connectivity is by deploying the function inside a VPC and then running a NAT gateway or a virtual firewall on an EC2 instance, but then, you have to deal with a new set of problems, not to mention that you just "de-serverlessed" (I need to trademark this term) the application.

There are alternatives to VPC, especially around outbound networking - you could use a library like FunctionShield (free), which enables you to regain controls over where/who/what the function can communicate with (proper disclosure - my team developed that library). More information on the github project: https://github.com/puresec/FunctionShield/

To your last point - application/business layer security should always remain the responsibility of the application owner, both because of liability, but also because the owner is the only one who really understands the business logic.

FaaS platforms will evolve to be more intelligent and tailored to specific use cases, and together with serverless-native app security solutions and cloud-native mind-set, I'm certain that the overall security posture is about to get a serious boost. 

 

 
drmikelloyd
50%
50%
drmikelloyd,
User Rank: Author
2/7/2019 | 6:03:36 PM
Who controls policy?
I agree with your analysis, Ory.  The problem I see is that the FaaS split pushes a couple of items over to the provider that make no sense.  Most of the items are standard, one-size-fits-all - things like keeping up with patches, or hardening.  But anything custom - about the specific needs of one customer - belong under the customer's control and responsibility, not the provider.  Consider your items "network segmentation" and "network firewalls".  Segmentation is custom - as I build my app, I need to control what is kept separate from what.  What goes into a firewall is a statement of business intent - "I want this to talk to that, but not the other".  None of that is generic, one-size-fits-all.  If that is handed over from the customer to the provider, how does the customer specify their particular needs?

 

This, to me, is why we've seen years of evolution of exactly the cutoff you're talking about - who does which parts?  The dream is "customer only deals with customer business logic", but the practice is closer to "customer has to deal with business logic AND business-specific security controls".  This prevents the line moving too far up the stack for workloads that really matter.
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11378
PUBLISHED: 2019-04-20
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
CVE-2019-11372
PUBLISHED: 2019-04-20
An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test in Tag/File__Tags.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11373
PUBLISHED: 2019-04-20
An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11374
PUBLISHED: 2019-04-20
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
CVE-2019-11375
PUBLISHED: 2019-04-20
Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.