Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/6/2019
10:30 AM
Ory Segal
Ory Segal
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Serverless Computing: 'Function' vs. 'Infrastructure' as-a-Service

How much do companies really gain from offloading security duties to the cloud? Let's do the math.

Security is a shared responsibility between the cloud provider and the customer. This shared model can help relieve customer’s operational burden as cloud providers operate, manage, and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.

Up until recently, when deploying applications on infrastructure-as-a-service (IaaS) platforms, the customer assumed responsibility and management of the guest operating system, including updates and security patches, associated application software, and configuration of the network firewalls in the cloud. With virtual instances, customers need to carefully consider the services they chose as their responsibilities depending on the services used, the integration of those services into the IT environment, and applicable laws and regulations.

With the introduction of serverless computing (also known as FaaS, or function-as-a-service), security shifted even more towards cloud providers by allowing organizations to offload many more tasks in order to concentrate on their core business. But just how much do companies really gain by offloading security duties to the cloud? Let's do the math.

Core Requirements: Physical to Application Security 
The items below are listed bottom-up, starting with physical security, all the way up to the application layer.

  • Physical infrastructure, access restrictions to physical perimeter and hardware
  • Secure configuration of infrastructure devices and systems
  • Regularly testing the security of all systems/processes (OS, services)
  • Identification and authentication of access to systems (OS, services)
  • Patching and fixing flaws in OS
  • Hardening OS and services
  • Protecting all systems against malware and backdoors
  • Patching and fixing flaws in runtime environment and related software packages
  • Exploit prevention and memory protection
  • Network segmentation
  • Tracking and monitoring all network resources and access
  • Installation and maintenance of network firewalls
  • Network-layer DoS protection
  • Authentication of users
  • Authorization controls when accessing application and data
  • Log and maintain audit trails of all access to application and data
  • Deploy an application layer firewall for event-data inspection
  • Detect and fix vulnerabilities in third-party dependencies
  • Use least-privileged IAM roles and permissions
  • Enforce legitimate application behavior
  • Data leak prevention
  • Scan code and configurations statically during development
  • Maintain serverless/cloud asset inventory
  • Remove obsolete/unused cloud services and functions
  • Continuously monitor errors and security incidents

IaaS: Provider vs. Customer

 

When developing applications on IaaS, the security responsibilities are roughly divided as follows:

Cloud Provider Responsibility

  • Physical infrastructure, access restrictions to physical perimeter and hardware
  • Secure configuration of infrastructure devices and systems

Customer Responsibility

  • Regularly testing the security of all systems/processes (OS, services)
  • Identification and authentication of access to systems (OS, services)
  • Patching and fixing flaws in OS
  • Hardening OS and services
  • Protecting all systems against malware and backdoors
  • Patching and fixing flaws in runtime environment and related software packages
  • Exploit prevention and memory protection
  • Network segmentation
  • Tracking and monitoring all network resources and access
  • Installation and maintenance of network firewalls
  • Network-layer DoS protection
  • Authentication of users
  • Authorization controls when accessing application and data
  • Log and maintain audit trails of all access to application and data
  • Deploy an application layer firewall for event-data inspection

Serverless (FaaS): Provider vs. Customer

How responsibilities are divided when developing applications on serverless architectures:

Cloud Provider Responsibility

  • Physical infrastructure, access restrictions to physical perimeter and hardware
  • Secure configuration of infrastructure devices and systems
  • Regularly testing the security of all systems/processes (OS, services)
  • Identification and authentication of access to systems (OS, services)
  • Patching and fixing flaws in OS
  • Hardening OS and services
  • Protecting all systems against malware and backdoors
  • Patching and fixing flaws in runtime environment and related software packages
  • Exploit prevention and memory protection
  • Network segmentation
  • Tracking and monitoring all network resources and access
  • Installation and maintenance of network firewalls
  • Network-layer DoS protection

Customer Responsibility

  • Authentication of users
  • Authorization controls when accessing application and data
  • Log and maintain audit trails of all access to application and data
  • Deploy an application layer firewall for event-data inspection
  • Detect and fix vulnerabilities in third-party dependencies
  • Use least-privileged IAM roles and permissions
  • Enforce legitimate application behavior
  • Data leak prevention
  • Scan code and configurations statically during development
  • Maintain serverless/cloud asset inventory
  • Remove obsolete/unused cloud services and functions
  • Continuously monitor errors and security incidents

FaaS vs. SaaS?
Not all tasks and requirements are created equal — and some of those I've included are obviously more resource and budget intensive than others. If you disagree with my methodology or conclusions, please share your thoughts in the comments.

Related Content:

Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec, a start-up that enables organizations to secure serverless applications. Prior to PureSec, Ory was senior director of threat ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
drmikelloyd
50%
50%
drmikelloyd,
User Rank: Author
2/7/2019 | 6:03:36 PM
Who controls policy?
I agree with your analysis, Ory.  The problem I see is that the FaaS split pushes a couple of items over to the provider that make no sense.  Most of the items are standard, one-size-fits-all - things like keeping up with patches, or hardening.  But anything custom - about the specific needs of one customer - belong under the customer's control and responsibility, not the provider.  Consider your items "network segmentation" and "network firewalls".  Segmentation is custom - as I build my app, I need to control what is kept separate from what.  What goes into a firewall is a statement of business intent - "I want this to talk to that, but not the other".  None of that is generic, one-size-fits-all.  If that is handed over from the customer to the provider, how does the customer specify their particular needs?

 

This, to me, is why we've seen years of evolution of exactly the cutoff you're talking about - who does which parts?  The dream is "customer only deals with customer business logic", but the practice is closer to "customer has to deal with business logic AND business-specific security controls".  This prevents the line moving too far up the stack for workloads that really matter.
orysegal
50%
50%
orysegal,
User Rank: Author
2/8/2019 | 4:50:01 AM
Re: Who controls policy?
You make a good point, however, when adopting FaaS/Serverless on public clouds, you have no control over the infrastructure, networking and underlying servers (I will get back to this later). As such, you can't really apply network segmentation or deploy a network firewall. Networking security in those cases is handled by the cloud provider, on a level much lower than what you control. The cloud provider is responsible for making sure that unauthorized traffic to the server/hosting OS is not allowed, and the cloud provider is responsible for only allowing API calls to invoke your functions when relevant.

Your only chance of actually controlling network connectivity is by deploying the function inside a VPC and then running a NAT gateway or a virtual firewall on an EC2 instance, but then, you have to deal with a new set of problems, not to mention that you just "de-serverlessed" (I need to trademark this term) the application.

There are alternatives to VPC, especially around outbound networking - you could use a library like FunctionShield (free), which enables you to regain controls over where/who/what the function can communicate with (proper disclosure - my team developed that library). More information on the github project: https://github.com/puresec/FunctionShield/

To your last point - application/business layer security should always remain the responsibility of the application owner, both because of liability, but also because the owner is the only one who really understands the business logic.

FaaS platforms will evolve to be more intelligent and tailored to specific use cases, and together with serverless-native app security solutions and cloud-native mind-set, I'm certain that the overall security posture is about to get a serious boost. 

 

 
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17537
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file deletion via the web/polygon/problem/deletefile?id=1&name=../ substring.
CVE-2019-17538
PUBLISHED: 2019-10-13
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
CVE-2019-17535
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows blog-list.php XSS, in both the gila-blog and gila-mag themes, via the search parameter, a related issue to CVE-2019-9647.
CVE-2019-17536
PUBLISHED: 2019-10-13
Gila CMS through 1.11.4 allows Unrestricted Upload of a File with a Dangerous Type via the moveAction function in core/controllers/fm.php. The attacker needs to use admin/media_upload and fm/move.
CVE-2019-17533
PUBLISHED: 2019-10-13
Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed.