Serverless and Platform-as-a-Service (PaaS) services like AWS Lambda, AWS S3, Google Cloud Functions, Azure App Service, and others are favored among development and product delivery teams because they eliminate many operational burdens and create budget efficiency. Using a serverless or PaaS model for infrastructure delivery also enables faster adoption of new features and capabilities, minus the worry about the underlying hardware or operating environments. While these services provide cost-effective, hyper-scalable infrastructure solutions, they also introduce new challenges for InfoSec and raise questions about security strategies, practices, and tools. To help you answer some of your most pressing questions around serverless and PaaS adoption, we’re providing complimentary access to the Gartner report, “Security Considerations and Best Practices for Securing Serverless PaaS.”1
In the report, Gartner provides an overview of serverless and PaaS usage and how it affects cybersecurity, along with in-depth analysis of best practices for securing serverless PaaS that you can use to address security challenges in these complex, fast-moving environments. This blog highlights some key points from the report and provides our opinions as to why Gartner included each.
According to Gartner’s research, 90% of enterprises using IaaS are now using some serverless PaaS in production, up from 10% at YE17. The security of these systems relies heavily on best-practice configurations. But misconfiguration is common in the cloud, particularly among serverless and PaaS implementations. Gartner also states that through 2022, 80% of successful attacks on serverless and PaaS will have a root cause of misconfiguration or the use of known vulnerable code due to immature tools and processes. In our experience, we’ve seen that the adoption of best practices for securing serverless and PaaS is an emerging or standard requirement for most enterprises.
Development teams—particularly those using continuous delivery and DevOps models—have elevated levels of autonomy over infrastructure decision-making, adoption, and configuration management. AWS, GCP, Azure and other cloud service providers are all offering serverless and PaaS services for compute, database, object storage, networking, containerization, and more, and project teams are capitalizing on the efficiency, speed, and scalability of these offerings. Securing these PaaS frameworks requires a shift in tools, processes, and expectations so that InfoSec keeps pace with rapidly changing, increasingly complex environments.
The Gartner report provides an analysis of serverless and PaaS adoption trends to prepare you for whatever environments you’re challenged to secure next.
According to Gartner, the bottom line is that “serverless security will only be achieved using a combination of processes, technologies and culture changes, starting in development and extending into production.1” To us, this means InfoSec has the opportunity to align its operations with these transformations and make them into force multipliers for security and compliance.
By automating security practices, including inventory, configuration assessment, and threat and vulnerability management for serverless and PaaS services, you can accelerate and improve security without becoming a bottleneck to the asset owners who rely on those services to move the business forward. Through automation of the security best practices recommended by Gartner, you can shift the culture to one of continuous collaboration, improvement, and compliance from development through deployment into production.
The Gartner report goes into detail about many best practices that can be put into place to ensure serverless and PaaS security. Here are a few highlights and why we think they’re important for all organizations with serverless and PaaS installations.
The greatest risk to serverless and PaaS services stems from misconfiguration. But you can’t know how your services are configured if you don’t know what services you have running. In the report, Gartner states, “CSPM tools are designed to identify unknown or excessive risk in the entire cloud configuration, including VMs, serverless, storage, networking and PaaS.1”
We believe that starting with cloud security posture management (CSPM) is essential for any organization working with serverless and PaaS assets. A CSPM tool that automates discovery, inventory, and assessment across all your cloud services, including serverless and PaaS, helps keep you ahead of these dynamic environments so that you can avoid security gaps and blind spots.
Gartner asserts that “A resilient serverless architecture must assume that, despite our best efforts, perfect prevention is impossible and that inevitably an attack will get through.1” We believe comprehensive security event monitoring is imperative for securing serverless and PaaS workloads against unauthorized access, unintended behaviors, and compromise.
The faster you can detect and respond to potential security threats and attacks, the more secure your overall environment. Due to the abstraction of the underlying architecture of serverless and PaaS, you need to have the right tools in place that can integrate seamlessly with cloud provider services for the purposes of configuration monitoring and drift detection, log-based event monitoring, event detection, and security event management. By exploring the suggestions in the Gartner report, you can gain clarity around the types of tools and cloud security platforms that will best provide these critical capabilities.
Vulnerabilities, when not remediated, offer an easy attack vector into your cloud assets, including your serverless functions and PaaS services. The Gartner report states, “Because the OS and application platform are under the control of the cloud provider, we must anticipate that attackers will shift their attack focus to vulnerabilities in configuration, the serverless code and the software supply chain to launch successful attacks.1”
By reading the report, you’ll gain insight into several different facets of vulnerability management and mitigation, including:
Weak authentication, overly permissive credentials, and misused administrative user accounts all provide would-be attackers a gateway into your serverless and PaaS environments. Gartner covers the importance of credentials monitoring in serverless and PaaS environments and offers best practices for enforcing policies and rules to keep your cloud accounts safe. Following these practices helps you close security gaps both at the service configuration and custom code levels.
When using serverless and PaaS resources, much of the network is abstracted from view. “Security controls that depend on fixed IP addresses, static hostnames or in-line third-party network security virtual appliances won’t work for serverless.1” The report goes into detail around network security strategies for serverless and PaaS. It also discusses how networking best practices for serverless and PaaS environments improve overall security posture, including:
In the DevOps environment, automation is the primary driver for collaboration and communication. Automating and integrating security into DevOps—or DevSecOps—is a strategy founded in a secure cloud-native application mindset that creates resilient, secure code from the first build through production release.
In the report, Gartner includes an in-depth discussion on the strategic approach to DevSecOps known as continuous adaptive risk and trust assessment (CARTA). Through this approach, cloud-native application security becomes a continuous set of intertwined processes with a focus on identifying, assessing, prioritizing, and adapting to areas of risk in cloud-native applications, infrastructure, and configuration. By following the comprehensive best practices detailed in Gartner’s report, you can move your organization toward a secure serverless foundation.
Our added perspective is that automation leads to greater and more reliable communication between DevOps and InfoSec. While DevSecOps is appealing to many, the idea is still aspirational for many organizations—but that doesn’t mean you can’t start moving toward a unified approach to DevOps and Security integration by laying in security automation.
In a fully functional DevSecOps environment, information security acts as an information broker, advisor, and subject matter expert in support of DevOps delivery. Through automation, information security can communicate with DevOps on an ongoing basis, ensuring they are working from the most up-to-date policies, rules, known vulnerabilities, threat detection data, and more. And in return, DevOps integrates security automation directly into their existing workflows across the CI/CD pipeline. The free flow of information between the teams becomes an unbiased and trusted communication source that accelerates the delivery of secure code, accelerates the ability to fix issues as they arise, and leads to the organization-wide cloud-native application security mindset referenced by Gartner in the report.
Reading the Gartner report will bring you closer to delivering consistent workload protection across all your cloud resources, including your serverless and PaaS services. “Cloud-native applications will be built from a combination of VMs, containers, serverless PaaS, and non-serverless PaaS services to deliver the desired IT-enabled business capability1.” With a focus on what you can control, including the implementation of best practices for security compliance and workload protection, you can unify your security strategy and tools across your organization, achieve DevOps security automation, and change your culture to one of continual security improvement.
Read our blog “Serverless and PaaS Security with CloudPassage Halo” to understand how CloudPassage secures serverless and PaaS.
References:
1. Gartner, Security Considerations and Best Practices for Securing Serverless PaaS, Refreshed 4 March 2020, Published 4 September 2018, Neil MacDonald