* [Blog](https://www.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www.paloaltonetworks.com/blog/corporate/)
* [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/)
* A Firewall Admin's Introd...

# A Firewall Admin's Introduction to Serverless Security

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2019%2F11%2Fcloud-serverless-security%2F)  
[](https://twitter.com/share?text=A+Firewall+Admin%27s+Introduction+to+Serverless+Security&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2019%2F11%2Fcloud-serverless-security%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2019%2F11%2Fcloud-serverless-security%2F&title=A+Firewall+Admin%27s+Introduction+to+Serverless+Security&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/2019/11/cloud-serverless-security/&ts=markdown)  
\[\](mailto:?subject=A Firewall Admin's Introduction to Serverless Security)  
Link copied  
By [Ron Harnik](https://www.paloaltonetworks.com/blog/author/ron-harnik/?ts=markdown "Posts by Ron Harnik")  
Nov 05, 2019  
5 minutes  
[Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)  
[Serverless Security](https://www.paloaltonetworks.com/blog/tag/serverless-security/?ts=markdown)

Ron Harnik, Senior Product Marketing Manager, Serverless Security

One of the most interesting things about working at Palo Alto Networks is getting to see pretty much every type of enterprise cybersecurity under the sun deployed in real-life situations. From Next-Generation Firewalls protecting network segments in data centers to WildFire preventing zero-day exploits, and from cloud security with Prisma Cloud to the cutting edge of endpoint protection with Cortex XDR, we encounter and learn from it all. Serverless computing is the latest in a long line of cloud technologies, and many organizations are still wrapping their heads around it. I want to share my view from the front line to help security teams who are taking their first steps in the serverless world.

I come from a networking background, and I eventually made my way into the world of cloud and stayed there. It's easy to live in the cloud bubble and forget about everything else, but the more I talk with customers and learn about their use-cases, the more I see just how versatile today's enterprise security teams have to be.

[Serverless](https://www.paloaltonetworks.com/cyberpedia/what-is-serverless-security?ts=markdown) allows organizations to run applications without having to worry about infrastructure, networking, or operating systems. Everything is abstracted away up until the application code itself. It's the latest in a long line of cloud technologies that enable faster, more scalable and cheaper application development and deployment. Just as with any other technology, your organization wants to reap the benefits quickly and looks to you to make sure it's safe to do so. So let's take a high-level look at serverless and the key points you should consider when trying to secure it.

### My Company Wants to Use Serverless. Now What?

Just like any other advancement in software development technology, serverless comes with its own set of strengths and weaknesses that we have to consider. One key advantage is that with serverless, your security starting point is actually quite strong since all concerns about server and network security are abstracted away by the cloud provider.

To get into more detail about how serverless computing works, the term "serverless" generally refers to an operational model in which applications rely on managed services that abstract away the need to manage, patch and secure infrastructure and virtual machines. Serverless applications rely on a combination of managed cloud services and function-as-a-service (FaaS). FaaS products like AWS Lambda or Google Cloud Functions allow you to host pieces of code directly on the cloud provider and use a variety of events to trigger that code.

Since joining Palo Alto Networks through the acquisition of PureSec, the serverless security platform, I have had the chance to talk to security teams from large enterprises who are now expected to secure virtual machines, containers and serverless workloads, as well as internal corporate networks. They're trying to figure out which steps they should take to address serverless security, and several questions come up frequently.

### Are My Current Security Solutions Irrelevant?

Even when adoption happens rapidly, it doesn't happen overnight. Especially at large enterprises, the environments that host your business applications are going to remain heterogenous for a long while. This means that a layered approach to security is still the best course of action.

If we apply the "[Swiss Cheese Model](https://en.wikipedia.org/wiki/Swiss_cheese_model)" to cloud security, every technology, product or service we use is a slice of swiss cheese with holes (vulnerabilities) in it. Multiple security controls help us make sure those holes don't align, preventing openings that allow attackers to be successful.

The challenge of securing heterogeneous environments is that each type of workload (virtual machines, containers, serverless) is architected differently and requires a unique method of security to gain full coverage. For example, you might need to have a virtualized firewall protecting the perimeter of your cloud networks, a cloud workload protection platform defending each workload and a cloud security posture management solution for overall visibility and governance.

Your current security solutions will likely remain relevant for some time, but you may need to combine them with new ones for more complete coverage.

### So, How Is Serverless Security Different?

With serverless, we have no control over the infrastructure or network our application runs on. This means that we can't rely on server-based security or network filtering. It's also important to acknowledge that serverless functions can be triggered by hundreds of event sources. Each event source might send data in a different format. These events can include IoT triggers, API calls and other cloud services. While we can definitely route an HTTP request through a firewall, we have no control over an S3 bucket change triggering a Lambda function.

Considering the new attack vectors serverless introduces, like event-injection attacks, it becomes clear that serverless workloads require their own flavor of security.

### Fundamentals of Serverless Security

With no networks or servers to protect, serverless security becomes focused on ensuring code integrity, tight permissions and application behavior analysis. The main tenets of serverless security are:

* **Access and permissions: Maintain least-privileged access for serverless functions and other services. For example, if an AWS Lambda function needs to access a DynamoDB table, make sure it can only perform the specific action the business logic requires.**

* **Vulnerability scanning:** Ensure code and infrastructure-as-code template integrity by regularly scanning for vulnerable third-party dependencies, configuration errors and over-permissive roles.

* **Runtime protection:** Use runtime protection to detect malicious event inputs and anomalous function behavior, and limit as necessary each function's ability to access files, hosts, the internet and spawn child processes.

*** ** * ** ***

## Related Blogs

### [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Securing Serverless Applications with Prisma Cloud](https://www.paloaltonetworks.com/blog/2020/03/cloud-securing-serverless/)

### [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Twistlock Is Now Prisma Cloud Compute Edition](https://www.paloaltonetworks.com/blog/2019/11/cloud-prisma-cloud-compute-edition/)

### [CNAPP](https://www.paloaltonetworks.com/blog/cloud-security/category/cnapp/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Streamline Risk Management with Context-Based Risk Prioritization](https://www.paloaltonetworks.com/blog/cloud-security/risk-prioritization-remediation/)

### [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Top 3 IAM Risks in Your GitHub Organization](https://www.paloaltonetworks.com/blog/cloud-security/prevent-inadequate-iam-github-organization/)

### [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### ChatGPT and Checkov: Fix IaC Security Issues Fast](https://www.paloaltonetworks.com/blog/cloud-security/chatgpt-checkov-iac-security/)

### [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### How To Prevent the 5 Most Common Software Supply Chain Weaknesses](https://www.paloaltonetworks.com/blog/cloud-security/common-software-supply-chain-weaknesses/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language