<h2>A Firewall Admin's Introduction to Serverless Security</h2>
<p>Ron Harnik, Senior Product Marketing Manager, Serverless Security. Palo Alto Networks blog, November 5, 2019 (<a href="https://www2.paloaltonetworks.com/blog/2019/11/cloud-serverless-security/">original post</a>).</p>
<p>One of the most interesting things about working at Palo Alto Networks is getting to see pretty much every type of enterprise cybersecurity under the sun deployed in real-life situations. From Next-Generation Firewalls protecting network segments in data centers to WildFire preventing zero-day exploits, and from cloud security with Prisma Cloud to the cutting edge of endpoint protection with Cortex XDR, we encounter and learn from it all. Serverless computing is the latest in a long line of cloud technologies, and many organizations are still wrapping their heads around it. I want to share my view from the front line to help security teams who are taking their first steps in the serverless world.</p>
<p>I come from a networking background, and I eventually made my way into the world of cloud and stayed there. It's easy to live in the cloud bubble and forget about everything else, but the more I talk with customers and learn about their use cases, the more I see just how versatile today's enterprise security teams have to be.</p>
<p><a href="https://www.paloaltonetworks.com/cyberpedia/what-is-serverless-security">Serverless</a> allows organizations to run applications without having to worry about infrastructure, networking or operating systems. Everything is abstracted away up to the application code itself. It's the latest in a long line of cloud technologies that enable faster, more scalable and cheaper application development and deployment. Just as with any other technology, your organization wants to reap the benefits quickly and looks to you to make sure it's safe to do so. So let's take a high-level look at serverless and the key points you should consider when trying to secure it.</p>
<h3>My Company Wants to Use Serverless. Now What?</h3>
<p>Just like any other advancement in software development technology, serverless comes with its own set of strengths and weaknesses that we have to consider. One key advantage is that with serverless, your security starting point is actually quite strong, since all concerns about server and network security are abstracted away by the cloud provider.</p>
<p>In more detail, the term "serverless" generally refers to an operational model in which applications rely on managed services that abstract away the need to manage, patch and secure infrastructure and virtual machines. Serverless applications rely on a combination of managed cloud services and function-as-a-service (FaaS). FaaS products like AWS Lambda or Google Cloud Functions let you host pieces of code directly on the cloud provider and use a variety of events to trigger that code.</p>
<p>Since joining Palo Alto Networks through the acquisition of PureSec, the serverless security platform, I have had the chance to talk to security teams from large enterprises who are now expected to secure virtual machines, containers and serverless workloads, as well as internal corporate networks. They're trying to figure out which steps they should take to address serverless security, and several questions come up frequently.</p>
<h3>Are My Current Security Solutions Irrelevant?</h3>
<p>Even when adoption happens rapidly, it doesn't happen overnight. Especially at large enterprises, the environments that host your business applications are going to remain heterogeneous for a long while. This means that a layered approach to security is still the best course of action.</p>
<p>If we apply the "<a href="https://en.wikipedia.org/wiki/Swiss_cheese_model" rel="nofollow,noopener">Swiss Cheese Model</a>" to cloud security, every technology, product or service we use is a slice of Swiss cheese with holes (vulnerabilities) in it. Multiple security controls help us make sure those holes don't align, preventing openings that allow attackers to be successful.</p>
<p>The challenge of securing heterogeneous environments is that each type of workload (virtual machines, containers, serverless) is architected differently and requires its own method of security to gain full coverage. For example, you might need a virtualized firewall protecting the perimeter of your cloud networks, a cloud workload protection platform defending each workload and a cloud security posture management solution for overall visibility and governance.</p>
<p>Your current security solutions will likely remain relevant for some time, but you may need to combine them with new ones for more complete coverage.</p>
<h3>So, How Is Serverless Security Different?</h3>
<p>With serverless, we have no control over the infrastructure or network our application runs on. This means that we can't rely on server-based security or network filtering. It's also important to acknowledge that serverless functions can be triggered by hundreds of event sources, and each event source might send data in a different format. These events can include IoT triggers, API calls and other cloud services. While we can definitely route an HTTP request through a firewall, we have no control over an S3 bucket change triggering a Lambda function.</p>
<p>Considering the new attack vectors serverless introduces, like event-injection attacks, it becomes clear that serverless workloads require their own flavor of security.</p>
<h3>Fundamentals of Serverless Security</h3>
<p>With no networks or servers to protect, serverless security becomes focused on ensuring code integrity, tight permissions and application behavior analysis. The main tenets of serverless security are:</p>
<ul>
<li><strong>Access and permissions:</strong> Maintain least-privileged access for serverless functions and other services. For example, if an AWS Lambda function needs to access a DynamoDB table, make sure it can only perform the specific actions the business logic requires.</li>
<li><strong>Vulnerability scanning:</strong> Ensure code and infrastructure-as-code template integrity by regularly scanning for vulnerable third-party dependencies, configuration errors and over-permissive roles.</li>
<li><strong>Runtime protection:</strong> Use runtime protection to detect malicious event inputs and anomalous function behavior, and limit as necessary each function's ability to access files, hosts and the internet, and to spawn child processes.</li>
</ul>