Going Serverless? Common Serverless Security Issues and Best Practices by Aaron Chichioco


Serverless computing, also known as functions-as-a-service (FaaS), is an emerging web application development trend that offers plenty of advantages over traditional cloud-based architecture: lower operational costs, simplified processes, greater flexibility and scalability, and faster deployment. 

Developers never have to manage servers, as the vendor automatically runs the code for them. FaaS providers also charge web developers only for the resources they use.

Going serverless fits in the digital agenda of chief information officers worldwide. In the 2018 Deloitte global CIO survey, 69% of IT executives identified “process automation and transformation” as their top strategic priority. 

However, no matter how beneficial it is, serverless computing is just as vulnerable to security threats as cloud-based servers—but in different ways. 

Security Issues and Challenges of Going Serverless

Before we go into the nitty-gritty of serverless security issues, let's acknowledge the fact that FaaS reduces risks involving servers, such as a distributed denial-of-service (DDoS) attack. It also eliminates the need for developers to manage operating system patches.

On the flip side, serverless raises a new set of security issues that enable hackers to perform malicious actions on applications. 

If your company has migrated to serverless architecture (or is planning to do so), sit down as a team to address its common security implications.

  • Data Leakage

All serverless functions are stateless, which means sensitive data—including user sessions—is transmitted to and stored in an external location. This setup increases the risk of data being leaked when it's moved outside the server.

"It is really easy to tamper with the data one or the other way. Most of the time, people rely on DNS [Domain Name System] for service authentication which isn’t the best practice," notes Rohit Akiwatkar, technology consultant at Simform, in his blog post about serverless security analysis.

  • Multi-tenancy

In a serverless service, there's no dedicated physical server for a user. All functions are running on a single server that's shared among multiple customers. If improperly configured, multi-tenant servers could allow a user to access sensitive data of another user.

  • Reliance on Third-Party FaaS Providers

Serverless functions run on the infrastructure of a third-party service. Because vendors manage the entire backend process, assessing their security can be challenging. If your vendor's cloud computing service gets hacked or happens to be malicious, it can lead to significant damage, especially for applications that handle personal or confidential data.

Functions also rely heavily on third-party libraries and components. This dependence adds to the security risk if one of the components has a known or unknown vulnerability.

  • Still Prone to DDoS Attacks

Serverless computing minimizes exposure to DDoS attacks, but that doesn't mean it eliminates the odds of an attack altogether. Serverless platforms are not infinitely scalable. AWS Lambda, for instance, has a resource limit of concurrent function executions ranging from 500 to 3,000, depending on location.

DDoS attacks have resulted in server downtime of numerous websites across the United States. Affected websites included Netflix and the New York Times, both of which use serverless architecture. Imagine how much more online shopping sites would suffer from DDoS.

"A DDoS attack should be taken as a warning and a wake-up call for e-commerce sellers," says Jake Rheude, Vice President of Marketing at Red Stag Fulfillment.

"If [a DDoS attack] hits on Cyber Monday or any of the peak e-commerce sales days between Thanksgiving and mid-December, it could be a disaster," he adds.

7 Best Practices to Secure Serverless Applications

Are you ready to prevent a malicious attack? It's all about having serverless security controls and practices in place within your organization. Here are the different ways to boost your serverless security, as recommended by IT experts.

#1. Encrypt Sensitive Data

Serverless or not, the architecture you're using will still benefit a lot from encryption of data in transit as well as data at rest in session storage. It's your best line of protection against intruders trying to access data.

To encrypt data, Akiwatkar suggests using TLS with PFS (Transport Layer Security with Perfect Forward Secrecy) or HTTP Strict Transport Security. If you're on the AWS Lambda platform, data can be encrypted using AWS Key Management Service (KMS) and its encryption helpers. Just don't store secrets—including API keys and database access credentials—in plaintext.

#2. Limit Function Access

A common mistake IT professionals make is assigning generic permissions—and giving more than necessary—to functions. This increases the risk of a security breach.

In serverless security, using the "principle of least privilege" is encouraged. It entails giving the absolute minimum permissions by default and then increasing them manually as needed.
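
One way to check a function's role against the principle of least privilege, shown as an added example that is not from the original article: a heuristic audit of an IAM policy document for wildcard grants. The two policies, the table and bucket names, and the account ID are constructed samples.

```python
# Added example: heuristic audit of an IAM policy for over-broad grants.
# Both policies below are constructed samples, not taken from the article.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:*"],
         "Resource": "arn:aws:s3:::example-uploads/*"},
    ],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": {  # a single statement may be an object instead of a list
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
        "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-orders",
    },
}


def _as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement index, value, reason) for each over-broad Allow."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append((i, "NotAction", "allows all but the listed actions"))
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((i, action, "wildcard action"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((i, resource, "applies to every resource"))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(BROAD_POLICY):
        print(finding)
```

A few read-only actions only accept `"Resource": "*"`, so treat each finding as something to review rather than an automatic failure.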

#3. Monitor Function Activities

Continuous tracking of function layers allows you to spot any malicious activity, outdated functions, incorrect permissions, abnormal function behavior, and strange traffic spikes. This way, you can nip security threats in the bud.

Detailed logging with the help of tools for security monitoring is the key. Serverless monitoring tools are available from your FaaS provider and third-party solutions. 
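
The traffic-spike check described above, as an added example that is not from the original article: it counts invocations per function per minute and flags a minute whose count is several times the median of the minutes before it. The log line format, function names, and thresholds are assumptions made for this example.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample log (assumed format: "<ISO timestamp> fn=<name> status=<code>").
# "checkout" jumps from 2-3 calls a minute to 20; "thumbnail" stays steady.
_COUNTS = {"checkout": [2, 3, 2, 3, 20], "thumbnail": [4, 4, 4, 4, 4]}
SAMPLE_LOG = [
    f"2024-01-01T12:{m:02d}:{s:02d}Z fn={fn} status=200"
    for fn, per_minute in _COUNTS.items()
    for m, n in enumerate(per_minute)
    for s in range(n)
]


def invocations_per_minute(lines):
    """Count invocation records per (function, minute)."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 2 or not fields[1].startswith("fn="):
            continue  # not an invocation record
        minute = fields[0][:16]  # "YYYY-MM-DDTHH:MM"
        counts[(fields[1][3:], minute)] += 1
    return counts


def find_spikes(lines, factor=5, warmup=3):
    """Flag minutes with at least `factor` times the median of earlier minutes.

    `warmup` is how many minutes of history a function needs before it is
    judged. Minutes with zero invocations do not appear in the log and so
    are not part of the baseline.
    """
    per_fn = defaultdict(list)
    for (fn, minute), n in sorted(invocations_per_minute(lines).items()):
        per_fn[fn].append((minute, n))
    spikes = []
    for fn, series in per_fn.items():
        for i in range(warmup, len(series)):
            baseline = median(n for _, n in series[:i])
            minute, n = series[i]
            if n >= factor * baseline:
                spikes.append((fn, minute, n, baseline))
    return spikes


if __name__ == "__main__":
    for spike in find_spikes(SAMPLE_LOG):
        print(spike)
```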

#4. Protect Access Keys

Keep your app's secrets (encryption keys, API keys, database credentials, etc.) safe from intruders by having different keys for different projects or components. Should a key become compromised, the extent of damage is restricted to that key alone.

Likewise, it helps to have a separate key for each developer. In case a disgruntled employee tries to sabotage the company through hacking, it will be easy to block that person's access.

Moreover, to prevent exposure of sensitive data, it's crucial to rotate the keys regularly so that even when your website is hacked, the intruders' access is cut off.

#5. Take Advantage of IoT Botnet Solutions

Consider using security software designed specifically to kill Internet of Things (IoT) botnets and prevent a DDoS attack on serverless architecture. Comprehensive third-party platforms such as a virtual private network (VPN) do a better job than a serverless provider's built-in security features at defending IoT devices against botnets.

#6. Leverage API Gateways

Using an API gateway as a security buffer before exposing cloud functions is another effective way to protect your serverless application against DDoS attacks.  When deployed functions are exposed, hackers may access them over a randomly generated HTTP endpoint. An API gateway prevents unauthorized access by managing authentication and authorization. The gateway validates every request to a serverless application and rejects any unauthenticated or unauthorized requests.

To implement this cybersecurity best practice, your serverless platform should have good integration with an API gateway.
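
The gateway check described above, as an added example that is not from the original article: a handler in the shape of an AWS API Gateway Lambda authorizer (TOKEN type) that returns an Allow or Deny policy for the requested method. The token format (`client.expiry.hmac`), the signing key, and the helper names are assumptions made for this example.

```python
import hashlib
import hmac
import time

# Constructed demo key. In a deployment it would be fetched from a secrets
# store at runtime, never kept in source code.
SIGNING_KEY = b"constructed-demo-key"


def _mac(client_id, expires_at, key):
    msg = f"{client_id}.{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_token(client_id, expires_at, key=SIGNING_KEY):
    """Issue a token in the assumed format: <client>.<unix expiry>.<hex HMAC>."""
    return f"{client_id}.{expires_at}.{_mac(client_id, expires_at, key)}"


def _policy(principal, effect, method_arn):
    """Response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect,
                           "Resource": method_arn}],
        },
    }


def authorize(event, now=None, key=SIGNING_KEY):
    """Deny unless the token is well formed, correctly signed and unexpired."""
    now = time.time() if now is None else now
    arn = event.get("methodArn") or ""
    parts = (event.get("authorizationToken") or "").split(".")
    if len(parts) != 3:
        return _policy("anonymous", "Deny", arn)
    client_id, expires_at, signature = parts
    expected = _mac(client_id, expires_at, key)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        return _policy("anonymous", "Deny", arn)
    if not expires_at.isdecimal() or int(expires_at) < now:
        return _policy(client_id, "Deny", arn)
    return _policy(client_id, "Allow", arn)
```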

#7. Use Third-Party Security Tools

Most security features integrated into serverless computing services are rather limited in scope. Typically, they just focus on the platform on which the functions are running.  Reinforce your serverless security with third-party tools that add control and visibility—two factors that are crucial for architecture protection against breaches.

Conclusion: The Future of Serverless Security

Being a fairly new technology, serverless computing still has a long way to go in terms of security. Over time, we can expect enhanced features and improved monitoring and testing tools for serverless applications to develop.

But for now, let's make do with what we have. The recommended serverless security practices discussed above should give you a head start.

About the Author:

Aaron Chichioco is the content editorial manager of designdoxa.com. His expertise includes, but is not limited to, web/mobile design and development, as well as digital marketing, branding, and eCommerce strategies. You can follow Aaron on Twitter at @Aaron_Chichioco.





October 11, 2019


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.