Feature image via Pixabay
Serverless functions, which account for around half of the workloads today at cloud-first companies, have become a popular means of deploying applications largely because serverless minimizes the number of complexities that teams need to think about. By eliminating the need to configure host servers, serverless functions simplify IT operations.
That doesn’t mean, however, that serverless functions also simplify security. On the contrary, a variety of security challenges and risks can arise within serverless computing environments. That’s why it’s critical to have a plan for protecting serverless functions and the architecture that supports them.
This article walks through the main security risks that affect serverless functions, then discusses key principles for managing those risks.
Serverless Functions Security Risks
The main difference between serverless computing and traditional computing is that serverless frees development and IT operations teams from having to configure and manage the underlying server environment in which applications run.
Beyond that difference, however, serverless functions work in a similar way to conventional application deployment technologies like VMs and containers, and they are subject to the same types of risks.
- Malware that exists within serverless functions.
- Insecure access controls to govern which resources each serverless function can access, as well as who can deploy, stop and modify serverless functions.
- Insecure third-party dependencies that serverless functions call when they run.
- Insecure management of sensitive data or secrets that serverless functions produce or access.
In addition, serverless functions are at risk of a special type of attack that is less prevalent with other types of deployment technologies.
- Financial resource exhaustion happens when attackers force serverless functions to execute repeatedly. Because serverless functions execute on demand, and because cloud providers charge relatively high fees for serverless execution time, financial resource exhaustion attacks allow malicious parties to run up their targets’ cloud bills. Most other types of hosting technologies aren’t subject to this type of attack because they use different pricing models.
Three Core Principles for Protecting Serverless Functions
The serverless security risks described above can be mitigated on a function-by-function basis using various tools, like configuration scanners that check functions for configuration oversights. Teams can and should take advantage of these tools to protect their functions.
However, at a deeper level, security should be baked into serverless functions themselves. In other words, teams should take steps to ensure that their overall approach to serverless computing is as secure as possible. This strategy builds in another layer of protection that extends beyond securing individual functions.
Here are three ways to integrate security into your serverless functions.
1. Ensure Your Serverless Strategy Includes Security by Design
Serverless functions are easy to deploy, and it can be tempting to turn to them as a simple, cost-effective means of running whatever applications you need to run.
But that doesn’t mean that serverless functions are the most secure solution for deploying every workload. Some types of applications, such as those that need to manage highly sensitive data in a complex way or that require extensive third-party dependencies, are difficult to secure, which gives teams less control over and visibility into the hosting environment.
The takeaway here is that you shouldn’t use serverless functions to deploy workloads that require a level of security control and observability that is difficult to achieve using serverless functions. Sometimes, serverless is just not the way to go, despite its simplicity.
2. Be Minimalist
Serverless functions are designed to make it easy to run small, discrete pieces of code on an on-demand basis. However, it can be easy to forget this principle and instead treat serverless functions as a means of deploying any type of application.
Doing so is a mistake not only because it typically means you won’t take advantage of the core benefits of serverless functions, but also because the more code you run inside each function, the higher the risk that you’ll misconfigure something or introduce insecure dependencies.
A better practice is to take a minimalist approach to serverless computing. Strive to reduce the code inside each function to the bare minimum. In addition to helping to save money and improve performance, this strategy will improve overall serverless security.
3. Isolate Functions
Although it’s common to have serverless functions trigger each other to execute workflows that require multiple functions, teams should strive to isolate each function to the extent possible.
Isolation between functions means applying a “zero trust” approach to function configuration. by default, no function should blindly trust another function or consider data received from it to be secure. In addition, engineers should configure tight perimeters around each function by strictly limiting which resources functions can access.
Finally, where possible, teams should avoid having functions invoke each other directly, since that approach opens the door to issues like financial exhaustion attacks in the event that one function is compromised by hackers. Instead, manage function execution using an external control plane rather than relying on the logic that is baked into individual functions.
Conclusion: Securing Serverless Functions and Technologies
In short, serverless functions are a powerful technology, but they have their limitations, not least when it comes to security. Before embracing serverless, it’s critical to understand the potential security risks and take measures to brick defenses into your overall serverless strategy.
For more tips on securing serverless functions, along with data about how companies are approaching serverless security today, check out the free “Serverless Technology Trends Report 2022,” developed by Techstrong Research in conjunction with Orca Security.