Serverless Protection: What is it and why do you need it?

Serverless computing is a cloud computing execution model in which the cloud provider allocates machine resources on demand, taking care of the servers on behalf of their customers. “Serverless” is a misnomer in the sense that servers are still used by cloud service providers to execute code for developers. However, developers of serverless applications are not concerned with capacity planning, configuration, management, maintenance, fault tolerance, or scaling of containers, VMs, or physical servers. Serverless computing does not hold resources in volatile memory; computing is rather done in short bursts with the results persisted to storage. When an app is not in use, there are no computing resources allocated to the app. Pricing is based on the actual resources consumed by an application.

Serverless protection (also called serverless security) is a different way of thinking about how organizations can implement security controls. Instead of just building security around components using Next Generation Firewalls, serverless protection involves organizations additionally building security around the functions within applications hosted by third-party cloud providers.

Serverless protection can include using serverless functions to authenticate and authorize user access, encrypt data in transit and at rest, implement security controls to detect and respond to potential threats, and protect an organization’s resources, such as data and applications, from unauthorized access or malicious attacks.

Serverless protection typically uses serverless functions, such as AWS Lambda, Azure Functions, or Cloud Functions, to run security-related tasks. These functions can be triggered by specific events, such as a user attempting to access a resource. They can perform actions such as authenticating the user’s identity, checking compliance with security policies, and encrypting sensitive data. Serverless protection can also be used to implement a Web Application Firewall (WAF) to protect web applications from common vulnerabilities such as SQL injection, cross-site scripting (XSS), and more. Further, it can be used to protect against Distributed Denial of Service (DDoS) attacks by automatically scaling to handle increased traffic and blocking malicious traffic. Some of the capabilities of serverless protection include the following:

  • Authenticate users and authorize their access to specific resources: This can include using multi-factor authentication or integrating with external identity providers.
  • Automatically encrypt data in transit and at rest: This ensures that the data will still be protected even if a security breach occurs.
  • Monitor for potential security threats and respond to them automatically: This can include analyzing logs for signs of suspicious activity, blocking malicious traffic, and alerting security teams to potential issues.
  • Event-driven / only run when needed: This makes it cost-effective as the organization only pays for the compute resources used rather than maintaining dedicated servers for security tasks.
  • Flexibility: Serverless functions can be written in various programming languages and easily integrated with other services and tools, making it easy to customize security solutions to meet specific needs.
  • Resource Isolation: Serverless architecture allows for more granular access controls and better isolation of resources.

Figure 1: Comparison of Supported Programming Languages (Source: TechTarget)

 

Importance of Serverless Protection

As more organizations move their data and applications to the cloud, protecting them from unauthorized access and malicious attacks becomes increasingly essential. Many cloud solution providers, like those listed above, provide serverless security services or add-ons intended to help organizations secure their cloud components and services.

Many industries are subject to strict regulations around data security, such as HIPAA for healthcare organizations and PCI DSS for organizations that handle credit card transactions. Serverless protection can help organizations meet these compliance requirements by providing services to secure sensitive data, along with access tracking and monitoring services.

Serverless functions are event-driven and only run when needed; this can make this type of infrastructure more cost-effective, as the organization only pays for the compute resources rather than maintaining dedicated servers for their environments and security functions.

Challenges with Serverless Protection

Serverless protection can involve multiple layers of security, such as authentication, authorization, encryption, and monitoring, which can be complex to implement and manage.

Since serverless protection relies on third-party services, organizations may have limited control over the underlying infrastructure and depend on the provider’s security controls. Cloud computing providers are constantly updating their platforms, documentation, functionality, and user interfaces. Therefore, organizations using these environments need to stay informed of their providers’ ever-changing recommendations and ensure there is in-house expertise to maintain secure controls for the operation and maintenance of these environments. It is also extremely important to ensure the organization has an accurate understanding of which responsibilities for ongoing support and maintenance of serverless environments are its own and which are maintained by the cloud providers. Compliance certification and responsibility documentation for these providers are published for customers online and updated at least annually. Therefore, organizations need to maintain a process to verify that responsibility and compliance obligations have not changed from year to year.

 

Protecting Serverless Applications

Effective serverless protection focuses on ensuring code integrity, tight permissions and behavioral analysis.

  • Access and permissions: Maintain least-privileged access for serverless functions and other services. For example, if an AWS Lambda function needs to access a DynamoDB table, make sure it can only perform the specific action the business logic requires.
  • Secure Code Training: Developers should be trained in security best practices, specific to the serverless development architecture, throughout the software development life cycle.
  • Vulnerability scanning: Ensure code and infrastructure-as-code template integrity by regularly scanning for vulnerable third-party dependencies, configuration errors, and over-permissive roles.
  • Change Management/Separation of Duties: The change management process should be detailed enough to prevent unauthorized changes or untested updates. Separation of duties will further ensure that decisions and changes are not made by one person.
  • Multi-factor Authentication (MFA): MFA is always recommended for user access and permissions for externally accessible resources.
  • Web Application Firewall (WAF): A WAF should be added for any externally facing (public) applications to help prevent known web application attacks.
  • Runtime protection: Use runtime protection to detect malicious event inputs and anomalous function behavior, and limit as necessary each function’s ability to access files, hosts, and the internet, and to spawn child processes.
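
The least-privilege and over-permissive-role checks above can be automated against IAM policy documents. The following is an added example, not code from the original article or from any cloud provider; the two policies, the table name, the account ID and the region are constructed placeholders for a Lambda function that only needs to read items from one DynamoDB table.

```python
# Added example: audit IAM policy documents for over-broad Allow statements.
# The policies, table name, account id and region below are constructed placeholders.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/ExampleOrders"

OVER_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}

LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:GetItem"], "Resource": TABLE_ARN}
    ],
}


def _as_list(value):
    """IAM allows a single string/object wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement_index, finding) pairs for Allow statements that are too broad."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append((i, f"{key} in an Allow statement grants everything not listed"))
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((i, f"wildcard action: {action}"))
        for resource in _as_list(stmt.get("Resource", [])):
            # Conservative: any wildcard in the ARN is reported for human review.
            if "*" in resource:
                findings.append((i, f"wildcard resource: {resource}"))
    return findings


if __name__ == "__main__":
    for name, policy in (("over-permissive", OVER_PERMISSIVE), ("least-privilege", LEAST_PRIVILEGE)):
        print(name, audit_policy(policy) or "no findings")
```

A check like this fits in a CI step that runs over infrastructure-as-code templates before deployment, so a broad role is caught before the function ever runs with it.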

 

The Use Cases of Serverless Protection

Serverless computing can help with disaster and recovery planning, replace aging infrastructure, and serve application or security functions.

Serverless functions can monitor for potential security threats and respond to them automatically. This can include analyzing logs for signs of suspicious activity, blocking malicious traffic, and alerting security teams to potential issues.

Cloud computing providers have established partnerships with a variety of solution providers, so their services can be used to secure and monitor cloud computing environments. These days there are serverless solutions for securing your host, container, and functions across the application lifecycle, like Prisma Cloud.

 

Figure 2: Examples of Security Threats Addressed by Serverless Protection (Source: Palo Alto Networks)

 

Conclusion

Serverless protection effectively secures an organization’s resources by using serverless functions to run security-related tasks. It provides a cost-effective, scalable, and flexible way to secure an organization’s data and applications, meet compliance requirements, and ensure business continuity. However, going serverless also means that your resources need to be prepared to support the serverless protections used, based on vendor recommendations and the ever-changing platform landscape.

 

 
