Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/6/2019
10:30 AM
Ory Segal
Ory Segal
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Serverless Computing: 'Function' vs. 'Infrastructure' as-a-Service

How much do companies really gain from offloading security duties to the cloud? Let's do the math.

Security is a shared responsibility between the cloud provider and the customer. This shared model can help relieve customer’s operational burden as cloud providers operate, manage, and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.

Up until recently, when deploying applications on infrastructure-as-a-service (IaaS) platforms, the customer assumed responsibility and management of the guest operating system, including updates and security patches, associated application software, and configuration of the network firewalls in the cloud. With virtual instances, customers need to carefully consider the services they chose as their responsibilities depending on the services used, the integration of those services into the IT environment, and applicable laws and regulations.

With the introduction of serverless computing (also known as FaaS, or function-as-a-service), security shifted even more towards cloud providers by allowing organizations to offload many more tasks in order to concentrate on their core business. But just how much do companies really gain by offloading security duties to the cloud? Let's do the math.

Core Requirements: Physical to Application Security 
The items below are listed bottom-up, starting with physical security, all the way up to the application layer.

  • Physical infrastructure, access restrictions to physical perimeter and hardware
  • Secure configuration of infrastructure devices and systems
  • Regularly testing the security of all systems/processes (OS, services)
  • Identification and authentication of access to systems (OS, services)
  • Patching and fixing flaws in OS
  • Hardening OS and services
  • Protecting all systems against malware and backdoors
  • Patching and fixing flaws in runtime environment and related software packages
  • Exploit prevention and memory protection
  • Network segmentation
  • Tracking and monitoring all network resources and access
  • Installation and maintenance of network firewalls
  • Network-layer DoS protection
  • Authentication of users
  • Authorization controls when accessing application and data
  • Log and maintain audit trails of all access to application and data
  • Deploy an application layer firewall for event-data inspection
  • Detect and fix vulnerabilities in third-party dependencies
  • Use least-privileged IAM roles and permissions
  • Enforce legitimate application behavior
  • Data leak prevention
  • Scan code and configurations statically during development
  • Maintain serverless/cloud asset inventory
  • Remove obsolete/unused cloud services and functions
  • Continuously monitor errors and security incidents

IaaS: Provider vs. Customer

 

When developing applications on IaaS, the security responsibilities are roughly divided as follows:

Cloud Provider Responsibility

  • Physical infrastructure, access restrictions to physical perimeter and hardware
  • Secure configuration of infrastructure devices and systems

Customer Responsibility

  • Regularly testing the security of all systems/processes (OS, services)
  • Identification and authentication of access to systems (OS, services)
  • Patching and fixing flaws in OS
  • Hardening OS and services
  • Protecting all systems against malware and backdoors
  • Patching and fixing flaws in runtime environment and related software packages
  • Exploit prevention and memory protection
  • Network segmentation
  • Tracking and monitoring all network resources and access
  • Installation and maintenance of network firewalls
  • Network-layer DoS protection
  • Authentication of users
  • Authorization controls when accessing application and data
  • Log and maintain audit trails of all access to application and data
  • Deploy an application layer firewall for event-data inspection

Serverless (FaaS): Provider vs. Customer

How responsibilities are divided when developing applications on serverless architectures:

Cloud Provider Responsibility

  • Physical infrastructure, access restrictions to physical perimeter and hardware
  • Secure configuration of infrastructure devices and systems
  • Regularly testing the security of all systems/processes (OS, services)
  • Identification and authentication of access to systems (OS, services)
  • Patching and fixing flaws in OS
  • Hardening OS and services
  • Protecting all systems against malware and backdoors
  • Patching and fixing flaws in runtime environment and related software packages
  • Exploit prevention and memory protection
  • Network segmentation
  • Tracking and monitoring all network resources and access
  • Installation and maintenance of network firewalls
  • Network-layer DoS protection

Customer Responsibility

  • Authentication of users
  • Authorization controls when accessing application and data
  • Log and maintain audit trails of all access to application and data
  • Deploy an application layer firewall for event-data inspection
  • Detect and fix vulnerabilities in third-party dependencies
  • Use least-privileged IAM roles and permissions
  • Enforce legitimate application behavior
  • Data leak prevention
  • Scan code and configurations statically during development
  • Maintain serverless/cloud asset inventory
  • Remove obsolete/unused cloud services and functions
  • Continuously monitor errors and security incidents

FaaS vs. SaaS?
Not all tasks and requirements are created equal — and some of those I've included are obviously more resource and budget intensive than others. If you disagree with my methodology or conclusions, please share your thoughts in the comments.

Related Content:

Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec, a start-up that enables organizations to secure serverless applications. Prior to PureSec, Ory was senior director of threat ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
orysegal
50%
50%
orysegal,
User Rank: Author
2/8/2019 | 4:50:01 AM
Re: Who controls policy?
You make a good point, however, when adopting FaaS/Serverless on public clouds, you have no control over the infrastructure, networking and underlying servers (I will get back to this later). As such, you can't really apply network segmentation or deploy a network firewall. Networking security in those cases is handled by the cloud provider, on a level much lower than what you control. The cloud provider is responsible for making sure that unauthorized traffic to the server/hosting OS is not allowed, and the cloud provider is responsible for only allowing API calls to invoke your functions when relevant.

Your only chance of actually controlling network connectivity is by deploying the function inside a VPC and then running a NAT gateway or a virtual firewall on an EC2 instance, but then, you have to deal with a new set of problems, not to mention that you just "de-serverlessed" (I need to trademark this term) the application.

There are alternatives to VPC, especially around outbound networking - you could use a library like FunctionShield (free), which enables you to regain controls over where/who/what the function can communicate with (proper disclosure - my team developed that library). More information on the github project: https://github.com/puresec/FunctionShield/

To your last point - application/business layer security should always remain the responsibility of the application owner, both because of liability, but also because the owner is the only one who really understands the business logic.

FaaS platforms will evolve to be more intelligent and tailored to specific use cases, and together with serverless-native app security solutions and cloud-native mind-set, I'm certain that the overall security posture is about to get a serious boost. 

 

 
drmikelloyd
50%
50%
drmikelloyd,
User Rank: Author
2/7/2019 | 6:03:36 PM
Who controls policy?
I agree with your analysis, Ory.  The problem I see is that the FaaS split pushes a couple of items over to the provider that make no sense.  Most of the items are standard, one-size-fits-all - things like keeping up with patches, or hardening.  But anything custom - about the specific needs of one customer - belong under the customer's control and responsibility, not the provider.  Consider your items "network segmentation" and "network firewalls".  Segmentation is custom - as I build my app, I need to control what is kept separate from what.  What goes into a firewall is a statement of business intent - "I want this to talk to that, but not the other".  None of that is generic, one-size-fits-all.  If that is handed over from the customer to the provider, how does the customer specify their particular needs?

 

This, to me, is why we've seen years of evolution of exactly the cutoff you're talking about - who does which parts?  The dream is "customer only deals with customer business logic", but the practice is closer to "customer has to deal with business logic AND business-specific security controls".  This prevents the line moving too far up the stack for workloads that really matter.
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Human Nature vs. AI: A False Dichotomy?
John McClurg, Sr. VP & CISO, BlackBerry,  11/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3350
PUBLISHED: 2019-11-19
masqmail 0.2.21 through 0.2.30 improperly calls seteuid() in src/log.c and src/masqmail.c that results in improper privilege dropping.
CVE-2011-3352
PUBLISHED: 2019-11-19
Zikula 1.3.0 build #3168 and probably prior has XSS flaw due to improper sanitization of the 'themename' parameter by setting default, modifying and deleting themes. A remote attacker with Zikula administrator privilege could use this flaw to execute arbitrary HTML or web script code in the context ...
CVE-2011-3349
PUBLISHED: 2019-11-19
lightdm before 0.9.6 writes in .dmrc and Xauthority files using root permissions while the files are in user controlled folders. A local user can overwrite root-owned files via a symlink, which can allow possible privilege escalation.
CVE-2019-10080
PUBLISHED: 2019-11-19
The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI ...
CVE-2019-10083
PUBLISHED: 2019-11-19
When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.