Going serverless? Prepare for a shake-up in security

Dive Brief:

Before a company can commit to a serverless infrastructure, it needs a clear outline of the technology stacks it intends to use as the foundation for further build outs, said Gadi Naor, CTO of Alcide, in an interview with CIO Dive.
While moving to the cloud ultimately reduces operational costs, it can corrupt existing security practices. Large companies often have less trouble managing serverless functions on top of a controlled infrastructure, but smaller companies often lack the bandwidth to do so, so they rely heavily on a cloud provider's operations, according to Naor.
As a whole, serverless architectures invite security risks including more surface attacks and an overall reduction in security testing due to the interactions between applications with back-end cloud services and storage, according to a 2018 PureSec report.

Dive Insight:

Companies are no longer asking "if" they shift to a serverless infrastructure. Now it's a matter of "when." Already about half of companies use more than one IaaS provider with the most popular public/public combination serviced by AWS and Azure.

But delivering development experiences on architecture that is based on the cloud forces DevOps engineers to decide which platform is best for innovation without compromising too much security, whether it is a public, private or a hybrid model.

A serverless environment means many "moving parts" and organizations can "quickly lose control" when DevOps teams are tasked with engaging with a cloud instead of their on-premise servers, according to Naor.

Security teams often face having practices that "pretty much break" when they move to serverless solutions, said Naor. For example, if a company is operating its data center that uses firewalls and monitors its interactions, moving to a server managed by the provider reduces the ability of a security team to track the "elements" that interact with their system's different functions.

The controls a company has with its data center, like filtering the inflow of traffic, is something a security team loses. The security of the cloud provider's data center, servers, operating systems and configurations falls on the shoulders of the vendor. The customer of the cloud provider picks up security in applications, code, and data and application-layer configurations, according to PureSec.

The "way or perspective from where and how they see what's doing what" changes drastically and this can call into question the safety of data. With GDPR's May 25 deadline closing in, organizations cannot afford to risk how data is stored, processed and protected.

All security devices are based on protocols that "introspect what's happening on the running workload" but because these workloads are running through a third-party's servers, development teams are required to "bake" additional security capabilities in serverless functions that they would not always need to do with on-premise servers, according to Naor.

One difference is the impact on a functionality between a server and a third-party API after a transition to the cloud. Security teams need to adapt to the potential loss of the "context delivered from an agent that is running inside the function," said Naor.