Why is Serverless Computing Better?

Organizations shifted to cloud computing to save on the costs and overhead of managing physical infrastructure and its operations. Though managing cloud servers is relatively easier than managing physical servers, some organizations want to eliminate the overhead of cloud server management without losing the benefit of using cloud services. This led to the introduction of serverless computing.

What is Serverless Computing?

Serverless cloud computing, also known as Functions as a Service, is a cloud model where servers are maintained and run by cloud providers, including allocating machine resources, managing, patching, and securing VMs and infrastructure. Some popular serverless frameworks include Azure Functions, AWS Lambda Functions, and Google Cloud Functions. Serverless computing does not mean that cloud services and apps run without servers. Instead, the name reflects the fact that customers need not manage these servers. Cloud providers manage all the backend operations, including all server maintenance, and provide cloud services to customers.

The term serverless indicates the shift of responsibilities from customers to cloud providers. This helps customers avoid operational overhead to a great extent, giving them time for other important work such as developing solutions. With the serverless architecture, organizations can achieve infinite and automated scaling, cost savings, and more focused software development.

Serverless computing is sometimes called event-driven computing because a task is performed by executing a simple function using a trigger event. Organizations do not need to keep cloud services sitting unutilized when they do not need them. Through serverless computing, they can leverage on-demand cloud services without having to maintain the underlying cloud infrastructure. For instance, you can use an email function when you need to send an email rather than maintaining a long-running email service.

Benefits of Serverless Computing

Because serverless computing involves no infrastructure maintenance, it offers many benefits, including cost savings and worry-free cloud service usage. A brief description of the benefits offered by serverless computing is given below:

  • Reduced costs: Customers only have to pay for the use of on-demand cloud services and do not have to pay for unutilized capacity. For example, customers only need to pay for their executions of the functions when they use a serverless platform like AWS Lambda.
  • Improved agility: Serverless apps mainly depend on managed services (handled by cloud providers) for things such as authentication and databases, which results in increased agility as developers can focus entirely on business logic and development of applications that will run on Functions as a Service (e.g., AWS Lambda).
  • Reduced operational overhead: Since there are no servers to manage, development teams do not have to spend time and effort scaling infrastructure and performing infrastructure-related operations like installing and maintaining agents.

The serverless architecture enables organizations to focus more on the following important aspects:

  • Increasing productivity
  • Achieving customer satisfaction
  • Reducing time to market
  • Quality improvements
  • Core functionalities of the app
  • Development practices

Meanwhile, it makes cloud providers solely responsible for

  • Configuring software security and keeping its runtime up to date
  • Regularly patching the infrastructure
  • Setting up appropriate account management for the infrastructure
  • Making sure that only compatible OS and software runtimes are used
  • Configuring the infrastructure securely to keep it protected
  • Configuring the network connectivity and database securely

Serverless Security

Organizations generally use firewalls and other security tools to protect traditional IT infrastructure. Traditional IT infrastructure enables organizations to inspect network traffic using a firewall, detect and prevent malicious activities using Intrusion Detection/Prevention Solutions (IDS/IPS), and secure running apps using Runtime Application Self-Protection (RASP) solutions.

Serverless cloud computing does not allow customers to use such security tools or server-based protection techniques. Serverless applications are developed using distributed cloud services that function together. For example, an AWS S3 bucket triggers an AWS Lambda Function, which then triggers AWS DynamoDB. Serverless applications pose security risks due to the absence of the required level of security, since the underlying infrastructure is not managed by customers.

In short, the serverless model reduces the overhead of managing infrastructure-related operations but has its own security concerns that must be addressed. What is different in the serverless model? The serverless architecture does not include

  • Firewalls or IDS/IPS tools
  • Instrumentation agents/protection methods such as key authentication or FTP

Instead of allowing the use of the above security protections, serverless architecture provides security through focusing on permissions, strong code, and behavioral protection.

How Does a Serverless Environment Enhance Security?

A serverless environment can significantly reduce organizations’ attack surfaces. With a serverless environment, organizations only need to take care of the application layer, as patching and fixing security loopholes fall under the responsibility of cloud providers. Cloud service providers (CSPs) have expert security professionals who can look after important infrastructure and security operations in a better way.

Serverless computing helps improve security in the following ways:

  • CSPs handle OS, patching, and runtime security: Handling OS, patching, and runtime security is certainly important for cloud infrastructure hosting apps and services. In serverless app deployment, a major portion of the app stack is managed by CSPs, and they offer important services like key management. This means they look after all the necessary operations required to ensure the security of serverless operations.
  • Ephemeral nature: Due to the ephemeral/stateless nature of serverless computing, attackers cannot easily succeed in compromising the security of serverless apps. Serverless functions like AWS Lambda are run for some time when needed and then terminated. As these functions do not have memory, the risk of long-term attacks is significantly reduced.
  • Smaller microservices: Switching to smaller microservices helps ensure more fine-grained Identity and Access Management and provides the ability to create appropriate, minimal roles for every function. It’s easier to apply security policies to smaller microservices in order to reduce the attack surface.

Risks and Challenges of Serverless Security

Though cloud providers implement sufficient security measures, serverless systems are not immune to threats and risks. Some reports have highlighted the most common security issues faced by modern-day serverless systems, which are discussed below:

Security misconfiguration

Security misconfiguration is the top security risk. Developers might directly enter access keys, passwords, and tokens into the function to access different resources, which increases the risk of exposing these security secrets.
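One way to catch the embedded-credential problem described above before a function is deployed, as an added example that is not part of the original article: a small scanner that walks a function's source with Python's `ast` module. The list of suspicious variable names and both sample functions are constructed for illustration.

```python
import ast
import re

# Well-known shape of an AWS access key ID: AKIA/ASIA + 16 uppercase letters or digits.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Variable names that usually hold credentials (assumed list, extend as needed).
SECRET_NAME = re.compile(r"(password|passwd|secret|token|api_?key)", re.I)

def find_hardcoded_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line, reason) for every string literal that looks like a secret."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Any string literal shaped like an AWS access key ID.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if AWS_KEY_ID.search(node.value):
                findings.append((node.lineno, "AWS access key ID literal"))
        # name = "literal" where the name suggests a credential.
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            if isinstance(node.value.value, str) and node.value.value:
                for target in node.targets:
                    if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                        findings.append((node.lineno, f"literal assigned to '{target.id}'"))
    return sorted(findings)

# Constructed sample: a function with credentials typed into the code.
SAMPLE_BAD = '''
import os
DB_PASSWORD = "hunter2-constructed"
def handler(event, context):
    key_id = "AKIAEXAMPLEEXAMPLE00"
    return connect(DB_PASSWORD, key_id)
'''
# Constructed sample: the same function receiving the secret at run time.
SAMPLE_GOOD = '''
import os
def handler(event, context):
    db_password = os.environ["DB_PASSWORD"]
    return connect(db_password)
'''

if __name__ == "__main__":
    for line, reason in find_hardcoded_secrets(SAMPLE_BAD):
        print(f"line {line}: {reason}")
```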

Vendor security

As all functions are executed on the cloud infrastructure and customers do not know whether the vendor’s cloud infrastructure is secure, this can be a security risk.

Encryption

Encryption secures the information exchanged via connections between serverless functions and other resources. Serverless functions interact with databases and other important resources. Data can be leaked if the connection between serverless functions and other resources is not encrypted. Similarly, storing secrets in unencrypted form is risky.

Injection attacks

Injection attacks refer to the injection of unauthorized content into an application flow. Event-driven injection attacks are quite common in the serverless model. These attacks are launched when serverless functions call an event to execute.  
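A defensive handler for the S3 → Lambda → DynamoDB chain mentioned earlier, as an added example that is not part of the original article: every field of the triggering event is treated as untrusted input and validated against an allow-list before use. The bucket name, the key pattern and the sample event are assumptions constructed for illustration; no AWS calls are made.

```python
import re
from urllib.parse import unquote_plus

EXPECTED_BUCKET = "uploads-example"  # assumed bucket name
# Allow-list: optional single folder, safe characters, known extensions only.
SAFE_KEY = re.compile(r"(?:[A-Za-z0-9_-]+/)?[A-Za-z0-9_-]+\.(?:csv|json)")

class RejectedEvent(ValueError):
    """Raised when event data fails validation."""

def parse_s3_record(record: dict) -> dict:
    """Validate one S3 notification record; return a DynamoDB-style item."""
    if record.get("eventSource") != "aws:s3":
        raise RejectedEvent("unexpected event source")
    bucket = record["s3"]["bucket"]["name"]
    if bucket != EXPECTED_BUCKET:
        raise RejectedEvent("unexpected bucket")
    # S3 URL-encodes object keys in notifications: decode first, then validate.
    key = unquote_plus(record["s3"]["object"]["key"])
    if not SAFE_KEY.fullmatch(key):
        raise RejectedEvent(f"object key rejected: {key!r}")
    size = int(record["s3"]["object"].get("size", 0))
    # Event values travel as typed attributes, never spliced into a command
    # line or query string.
    return {"pk": {"S": f"{bucket}/{key}"}, "size": {"N": str(size)}}

def handler(event, context=None):
    """Process valid records; collect rejected ones for logging and alerting."""
    items, rejected = [], []
    for record in event.get("Records", []):
        try:
            items.append(parse_s3_record(record))
        except (KeyError, TypeError, ValueError) as exc:
            rejected.append(str(exc))
    return {"items": items, "rejected": rejected}

def _record(key: str, bucket: str = EXPECTED_BUCKET) -> dict:
    """Build a constructed S3 notification record for the demo."""
    return {"eventSource": "aws:s3",
            "s3": {"bucket": {"name": bucket}, "object": {"key": key, "size": 12}}}

SAMPLE_EVENT = {"Records": [                      # constructed input
    _record("reports/2024-q1.csv"),
    _record("reports/x.csv%3B+touch+marker"),    # decodes to "reports/x.csv; touch marker"
    _record("..%2F..%2Fetc%2Fpasswd"),           # decodes to "../../etc/passwd"
    _record("reports/ok.json", bucket="other"),
]}
```

Calling `handler(SAMPLE_EVENT)` accepts only the first record; the rejection messages are what a function would write to its log for monitoring.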

Multi-tenancy

In a serverless service, functions mostly run on shared infrastructure where code from multiple customers runs. This increases the risk of data leakage when sensitive data is involved.

Function permissions

Functions must be assigned the least permissions required to execute; granting more-than-required permissions to serverless functions may be risky.
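A check for over-broad function roles, as an added example that is not part of the original article: it reads an IAM policy document and flags `Allow` statements with wildcard actions or resources. Both policies are constructed for the S3-to-DynamoDB function described earlier; the bucket, table and account ID are placeholders.

```python
def as_list(value):
    """IAM accepts either a single value or a list for these fields."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy: dict) -> list[str]:
    """Flag Allow statements that grant more than a single-purpose function needs."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction with Allow grants everything not listed")
        for action in as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"{sid}: allows every action on every service")
            elif action.endswith(":*"):
                findings.append(f"{sid}: allows every {action.split(':')[0]} action")
        for resource in as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"{sid}: applies to every resource")
    return findings

# Constructed: a role that was given "whatever makes it work".
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Everything", "Effect": "Allow",
     "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}]}

# Constructed: the same function limited to the two calls it actually makes.
MINIMAL = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadUploads", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::uploads-example/*"},
    {"Sid": "WriteIndex", "Effect": "Allow", "Action": "dynamodb:PutItem",
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/upload-index"}]}

if __name__ == "__main__":
    for finding in audit_policy(BROAD):
        print(finding)
```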

Component & library vulnerabilities

Third-party libraries and components also play a vital role in serverless security as most serverless functions depend on them. Serverless functions can be exploited if any of the dependent libraries or components contain (known or unknown) vulnerabilities.

Insufficient function monitoring and logging

Attacks can go unnoticed in serverless systems as these systems do not provide the required security facilities to monitor and log applications.

Improving Security in Serverless Apps

After going through all the risks and challenges of serverless security, we will now discuss how to improve security in serverless apps. Some important security best practices that can help secure serverless apps are mentioned below:

Secure sensitive information

Use secure storage and encrypt all data to secure sensitive information. Review all roles and permissions granted to functions in the app, users, and third parties. Create and apply custom roles to the functions as per requirements.

Have an incident response plan in place

Develop and implement an IR plan to identify the initial signs of attacks. If attacks are detected early, they can be mitigated easily, which helps in keeping serverless applications secure.

Remove unnecessary third-party dependencies

Since third-party dependencies are accessible to everyone, attackers can use them to compromise serverless apps. Remove all unwanted third-party dependencies and ensure that all necessary third-party dependencies, libraries, and frameworks are monitored and updated in a timely manner. Also, ensure security patches are applied to older versions of dependencies to avoid security issues.

Implement adequate security logging and monitoring

Proper security logging and monitoring are essential for securing serverless apps. Regularly assess all functions and increase visibility into them through end-to-end monitoring, so that problems are identified promptly and actionable insights get attention. Security teams must perform audits and monitor network logs periodically.

Automate security controls

Security teams must consider automating security controls for better security. Automating processes for test-driven checks and configuration avoids manual security checking efforts and helps cover the larger attack surface of serverless architecture.

Wrapping Up

Serverless cloud computing gives organizations more room to focus on development and quality-related activities by offloading infrastructure management to cloud vendors. However, it brings certain security challenges that need to be addressed by implementing appropriate security measures. Organizations can benefit from this serverless technology and avoid security risks if they carefully and sensibly implement security best practices. Serverless cloud computing is more secure than typical cloud computing. Read more about cloud computing: benefits & security threats to learn more.
