Serverless and PaaS Security with CloudPassage Halo
In our previous blog, we introduced the Gartner report “Security Considerations and Best Practices for Securing Serverless PaaS”1 which discusses the challenges security teams face securing serverless and PaaS services, along with the best practices Gartner recommends to address those challenges. This post explores how CloudPassage Halo unifies and automates security and compliance to provide a single-platform solution for serverless and PaaS security. You’ll also discover how Halo offers the same levels of control and automation whether you’re securing IaaS, serverless, PaaS, or containers across any public, hybrid, or multi-cloud environment.
As cloud provider services mature, they are continually adding serverless and PaaS options that offer highly scalable and robust options for compute, database, object storage, runtime, containerization, and more. Development and product delivery teams have moved to serverless frameworks for their promise of rapid adoption, minimal operational burden, and cost-effectiveness at any scale. For even faster feature adoption and less operational overhead, organizations are now employing Platform-as-a-Service (PaaS) installations as well.
The Challenges of Serverless and PaaS Security
In traditional data center environments, every aspect of infrastructure is owned and accessible, allowing for total control over all aspects of information security. In IaaS environments, the shared responsibility model for security offloads some of these aspects to the infrastructure provider, including virtualization and physical host, networking, and datacenter security.
The platform as a service (PaaS) model takes the abstraction of security responsibilities a step further, with the PaaS provider addressing configuration of infrastructure platforms like DNS, database, message queues, and more. In the PaaS model, the user’s configuration requirements are restricted in scope compared to the IaaS model. There are no operating systems or platform software components to configure, since these are functions of the PaaS provider. The PaaS control plane provides the extent of configuration options available to the user.
With resource configuration limited to the control plane, security becomes a matter of best-practice configuration. Security and compliance teams responsible for PaaS environments often do not have the same level of visibility into PaaS resource configurations, which is exacerbated by the speed with which PaaS services can be instantiated and changed, usually without traditional change control. Given that misconfiguration is the primary security concern with serverless and PaaS resources, automation that can validate PaaS configuration security at the speed and scale of cloud is an enterprise-wide imperative.
Halo Provides Best-Practice Serverless and PaaS Security
Meeting challenges for serverless and PaaS security means rethinking your approach to security, including the tools you use. Legacy data center tools—and even cloud-specific point solutions—usually fall short in their ability to protect complex networks of serverless and PaaS resources. Legacy solutions lack the features necessary to implement security at the control plane, and point products form a complex tangle of features that are bolted on and stitched together. The resulting gaps and blind spots, which are often found the hard way, can lead to costly front-page breaches.
Halo provides best-practice serverless and PaaS security in two ways:
As an integrated service that provides agentless cloud security for common serverless and PaaS services offered by AWS, Azure, and GCP
Through a comprehensive API that provides the ability to implement agentless security for cloud-based PaaS services and resources
Halo enables you to automate the process of quickly identifying and closing configuration weaknesses and ensuring best-practice configuration for all cloud assets, including serverless and PaaS.
With Halo, you can implement the Gartner report serverless and PaaS best practices for your assets by:
Achieving a cloud-native mindset through automation
Laying the foundation for secure serverless and PaaS
Enabling security in DevOps through automation
Achieve a Secure Cloud-Native Mindest
Serverless and PaaS adoption challenges organizations to rethink asset ownership, roles, responsibilities, and culture. Automation of security best practices can cut through much of the confusion and enforce compliance no matter how fast the environment changes or moves. Gartner states, “Security and risk professionals should focus on end-to-end visibility, compliance and protection of workloads across all the ways that cloud-native services will be interconnected.1” This includes serverless and PaaS, along with IaaS, virtualized environments, workloads, containers, and more.
Halo offers a single security platform across all environments, regardless of form factor, while also providing deep integration capabilities through a comprehensive API. With consistent security that encompasses all assets, your organizational culture can shift toward a secure cloud-native mindset that enables automated secure, compliant application delivery.
Lay the Foundation for Serverless and PaaS Security
The Gartner report provides best-practice patterns that “provide the secure foundation on which serverless code will be developed and placed into production.1“CloudPassage Halo eliminates point solutions and replaces legacy data center security solutions with a single, unified cloud security platform that provides security for all assets, including serverless and PaaS. Halo can be used to address specific best practices detailed in the Gartner report that, when followed, lay the groundwork for a secure serverless and PaaS development environment, including:
Automated asset inventory and interrogation
By automating asset inventory and interrogation across your cloud environments, you can stay on top of new and changing resources, including serverless and PaaS. This reduces the chance of security gaps and blind spots while providing rapid, real-time response capabilities for issue remediation.
Continuous compliance management
With an automated, unified platform, compliance becomes a matter of continuous improvement rather than an eleventh-hour fire drill before the audit. Compliance with standards and best practices becomes a baked-in—not bolted on—part of serverless and PaaS configuration, operation, and administration, and automated feedback allows for real-time remediation and compliance monitoring so that issues get handled with maximum efficiency.
Enable Security in DevOps Through Automation
In their report, Gartner discusses the concept of secure DevOps. This can include a spectrum of approaches, from embedding security responsibilities into a DevOps team to full-blown DevSecOps.
Once you have consistent security across all infrastructure resources—including PaaS and serverless—you have paved the road for integrating security with DevOps. However, DevOps is all about speed. They’re not going to adopt security automation unless it fits seamlessly into their existing workflows and works at the same speed that they’re accustomed to for rapid, CICD delivery. Gartner states, “All the vulnerability and configuration scanning above should be implemented automatically and transparently to the developer. This will be achieved by using APIs into security scanning tools and by native integration with the developer’s continuous integration/continuous delivery (CI/CD) pipeline.1”
Halo security automation integrates seamlessly with common DevOps tools, including Jenkins, JFrog Artifactory, Puppet, Chef, and more. With Halo, you can:
“Shift left” to automate vulnerability and compliance scanning as part of every development cycle
Accelerate deployment of secure code coming out of the CICD pipeline
Extend security response into development and operations by automating alerts and threat detection and putting notifications in front of system owners using existing workflows and DevOps tools
Simplify Serverless and PaaS Security with Halo
Halo replaces complex, unmanageable suites of tools and simplifies secure serverless operations through a single, integrated platform. With Halo, misconfigurations, vulnerabilities, and potential threats are caught and communicated back to asset owners in real time. Regardless of who owns your serverless and PaaS assets, they’ll know immediately when their assets are out of compliance, and they’ll receive best-practice remediation advice to fix the issue. Additionally, security can easily monitor ongoing remediation efforts. With closed-loop, automated communications, you can achieve continuous compliance that keeps up with dynamic cloud environments
If you haven’t had a chance to read the Gartner report, “Security Considerations and Best Practices for Securing PaaS,” we encourage you to download it today.
If you’re already using serverless and PaaS resources in your cloud environments, you can start checking for blind spots and misconfigurations with the free edition of CloudPassage Halo. With full access to the Halo Cloud Secure cloud security posture management (CSPM) service offered at no cost, you can be fully operational in an hour or less. Sign up now to gain deep insight into your cloud security and compliance posture and to start your journey to fully automated cloud security and a secure serverless and PaaS environment.
1. Gartner, Security Considerations and Best Practices for Securing Serverless PaaS, Refreshed 4 March 2020, Published 4 September 2018, Neil MacDonald
See Fidelis platforms in action. Learn how our fast, scalable Fidelis Elevate and Fidelis CloudPassage Halo platforms provide deep insights into the SOC to help security teams worldwide protect, detect, respond, and neutralize even the most advanced cyber adversaries.