From the very beginning, public cloud environments like AWS represented a reduced security burden for the companies taking advantage of them. The basic shared responsibility model — still in effect — made it clear that the cloud provider (i.e., the vendor) secures the hardware and software of the cloud itself, while the customer is responsible for the security of their assets within the cloud. Of course, the introduction of any new type of cloud computing tends to have an impact on the specifics of the model, leaving security and operations teams scrambling to understand their new responsibilities in these changing environments.
Workloads, specifically cloud workloads, are the application vehicle powering owned, borrowed and open-source code. There are many different types of workloads, with new options emerging over the years as the data center continues to evolve. The benefits these workloads introduce are typically coupled with new security and logistical challenges. As we saw with the evolution from bare metal into virtual machines (VMs) and then the introduction of microservices and containers, there are always new considerations organizations need to proactively address to effectively secure these dynamic environments before they are compromised.
It’s a problem we’ve seen firsthand as new cloud-native environments arise. Each presents new security challenges and complexities for the businesses that deal with them. Here’s why you need to closely monitor security when it comes to new architectures in the cloud, like serverless, and three ways that developers, ops, and security teams can stay vigilant — no matter how your organization shares security responsibility with your cloud provider.
The Serverless Example
Serverless, or Functions-as-a-Service (FaaS), is the latest way of building, architecting and developing cloud-native applications. The development teams provide the application code as a collection of functions, while the cloud provider takes care of running those functions. This allows developers to focus on coding, while the provider takes care of provisioning, scaling and billing.
The adoption of serverless computing over the past year has increased exponentially. The Cloud Native Computing Foundation (CNCF), an organization including many of the world’s largest public cloud and enterprise software companies and more than 100 innovative startups, recently surveyed over 550 community members to address the current landscape of cloud-native technologies. The survey found that 41% of survey respondents currently use serverless technology, with an additional 28% planning to use it within the next 12-18 months.
The rapid adoption of this new serverless computing raises new questions around who owns the security of applications deployed using serverless frameworks — the customer or cloud provider? As previously mentioned, where the traditional shared security model draws a clear line between the security of the cloud and security of what’s in the cloud, the serverless model shifts some responsibility back to the cloud provider managing the operating system, leaving customers responsible for the applications running in their cloud environment.
This seems like great news for DevOps and security teams alike, as they can concentrate more on building products and applications rather than security, knowing it’s being handled. However, using a serverless architecture means that organizations have new blind spots, simply because they no longer have access to the architecture’s operating system, preventing them from adding firewalls, host-based intrusion prevention or workload protection tools in these workloads.
Because serverless is a relatively new architecture, organizations and cloud providers are still learning how to handle and secure it, and attackers are still learning how to exploit it. This is why it’s vital to secure your serverless infrastructure beyond what the shared responsibility model outlines.
Team Up To Prepare For Overall Workload Security
With the entrance of new computing methods like serverless, the shared responsibility model that worked for traditional workloads continues to become less clear, and security professionals need to be prepared to secure these new workloads. Following the guidance below can help security experts prepare their services to run in serverless clouds securely.
1. Don’t make assumptions about who owns security in your cloud environment. The fact that the modern data center is by nature complex leads to inherent blind spots, creating lack of clear ownership throughout some elements in your data center. Making assumptions about who owns security can leave companies flat-footed when vulnerabilities do arise. Defining rules on who owns security before vulnerabilities appear will prevent becoming a victim and pointing fingers down the line.
2. Ensure complete visibility across all types of workloads in your complex modern data center. Lack of full visibility across all types of different workloads makes securing your overall cloud architecture a difficult-to-solve problem. To avoid vulnerabilities at each level of your data center, customer teams — developers, security and operations teams — must assume their cloud provider is only taking care of the minimum requirement of security measures.
3. Work with your cloud provider to proactively build security into the architecture from the ground up. Security is a joint task between a cloud provider and its customer. Instead of retroactively patching or implementing security measures after an attack or vulnerability is discovered, team up with your cloud provider from the beginning to prevent attacks. This is especially important if there is an attack that exploits a cloud provider from a high level, initiating a breach that affects your entire stack.
Even though serverless is still in relative infancy, it’s here to stay. With new and old workloads emerging and converging, it’s important to understand roles and responsibilities and add security controls from a granular level before unpredicted vulnerabilities arise. The modern data center cannot function effectively without ensured security across all types of architectures — VMs, containers and/or serverless. The traditional shared responsibility model is evolving, and organizations need to keep up by understanding their redefined responsibilities for cloud security, or they will inevitably get left behind.
