Serverless Computing: 'Function' vs. 'Infrastructure' as-a-Service

How much do companies really gain from offloading security duties to the cloud? Let's do the math.

Ory Segal, CTO, PureSec

February 6, 2019

4 Min Read

Security is a shared responsibility between the cloud provider and the customer. This shared model can help relieve customer’s operational burden as cloud providers operate, manage, and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.

Up until recently, when deploying applications on infrastructure-as-a-service (IaaS) platforms, the customer assumed responsibility and management of the guest operating system, including updates and security patches, associated application software, and configuration of the network firewalls in the cloud. With virtual instances, customers need to carefully consider the services they chose as their responsibilities depending on the services used, the integration of those services into the IT environment, and applicable laws and regulations.

With the introduction of serverless computing (also known as FaaS, or function-as-a-service), security shifted even more towards cloud providers by allowing organizations to offload many more tasks in order to concentrate on their core business. But just how much do companies really gain by offloading security duties to the cloud? Let's do the math.

Core Requirements: Physical to Application Security 
The items below are listed bottom-up, starting with physical security, all the way up to the application layer.

  • Physical infrastructure, access restrictions to physical perimeter and hardware

  • Secure configuration of infrastructure devices and systems

  • Regularly testing the security of all systems/processes (OS, services)

  • Identification and authentication of access to systems (OS, services)

  • Patching and fixing flaws in OS

  • Hardening OS and services

  • Protecting all systems against malware and backdoors

  • Patching and fixing flaws in runtime environment and related software packages

  • Exploit prevention and memory protection

  • Network segmentation

  • Tracking and monitoring all network resources and access

  • Installation and maintenance of network firewalls

  • Network-layer DoS protection

  • Authentication of users

  • Authorization controls when accessing application and data

  • Log and maintain audit trails of all access to application and data

  • Deploy an application layer firewall for event-data inspection

  • Detect and fix vulnerabilities in third-party dependencies

  • Use least-privileged IAM roles and permissions

  • Enforce legitimate application behavior

  • Data leak prevention

  • Scan code and configurations statically during development

  • Maintain serverless/cloud asset inventory

  • Remove obsolete/unused cloud services and functions

  • Continuously monitor errors and security incidents

IaaS: Provider vs. Customer

 

When developing applications on IaaS, the security responsibilities are roughly divided as follows:

Cloud Provider Responsibility

  • Physical infrastructure, access restrictions to physical perimeter and hardware

  • Secure configuration of infrastructure devices and systems

Customer Responsibility

  • Regularly testing the security of all systems/processes (OS, services)

  • Identification and authentication of access to systems (OS, services)

  • Patching and fixing flaws in OS

  • Hardening OS and services

  • Protecting all systems against malware and backdoors

  • Patching and fixing flaws in runtime environment and related software packages

  • Exploit prevention and memory protection

  • Network segmentation

  • Tracking and monitoring all network resources and access

  • Installation and maintenance of network firewalls

  • Network-layer DoS protection

  • Authentication of users

  • Authorization controls when accessing application and data

  • Log and maintain audit trails of all access to application and data

  • Deploy an application layer firewall for event-data inspection

Serverless (FaaS): Provider vs. Customer

Serverless-Oryblog.MED.jpg

How responsibilities are divided when developing applications on serverless architectures:

Cloud Provider Responsibility

  • Physical infrastructure, access restrictions to physical perimeter and hardware

  • Secure configuration of infrastructure devices and systems

  • Regularly testing the security of all systems/processes (OS, services)

  • Identification and authentication of access to systems (OS, services)

  • Patching and fixing flaws in OS

  • Hardening OS and services

  • Protecting all systems against malware and backdoors

  • Patching and fixing flaws in runtime environment and related software packages

  • Exploit prevention and memory protection

  • Network segmentation

  • Tracking and monitoring all network resources and access

  • Installation and maintenance of network firewalls

  • Network-layer DoS protection

Customer Responsibility

  • Authentication of users

  • Authorization controls when accessing application and data

  • Log and maintain audit trails of all access to application and data

  • Deploy an application layer firewall for event-data inspection

  • Detect and fix vulnerabilities in third-party dependencies

  • Use least-privileged IAM roles and permissions

  • Enforce legitimate application behavior

  • Data leak prevention

  • Scan code and configurations statically during development

  • Maintain serverless/cloud asset inventory

  • Remove obsolete/unused cloud services and functions

  • Continuously monitor errors and security incidents

FaaS vs. SaaS?
Not all tasks and requirements are created equal — and some of those I've included are obviously more resource and budget intensive than others. If you disagree with my methodology or conclusions, please share your thoughts in the comments.

Related Content:

About the Author

Ory Segal

Ory Segal

CTO, PureSec

Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec, a start-up that enables organizations to secure serverless applications. Prior to PureSec, Ory was senior director of threat research at Akamai, where he led a team of top web security and big data researchers. Prior to Akamai, Ory worked at IBM as the security products architect and product manager for the market leading application security solution IBM Security AppScan. Ory authored 20 patents in the field of application security, static analysis, dynamic analysis, threat reputation and systems. He is currently serving as an officer of the Web Application Security Consortium (WASC), he was a member of the W3C WebAppSec working group, and was an OWASP Israel board member. Ory is a regular conference presenter in conferences such as Blackhat, OWASP, CodeBlue and Gartner Security Summit.

See more from Ory Segal
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

A laptop screen showing a blue screen of death
Сloud Security
2 Zero-Day Bugs in Microsoft's Nov. Update Under Active Exploit2 Zero-Day Bugs in Microsoft's Nov. Update Under Active Exploit
byJai Vijayan, Contributing Writer
Nov 12, 2024
6 Min Read
Red ZERO-DAY text amid yellow binary code
Cyberattacks & Data Breaches
Zero-Days Win the Prize for Most Exploited VulnsZero-Days Wins the Prize for Most Exploited Vulns
byDark Reading Staff
Nov 13, 2024
1 Min Read
Citrix logo on company building
Сloud Security
Citrix Patches Zero-Day Recording Manager BugsCitrix Patches Zero-Day Recording Manager Bugs
byJai Vijayan, Contributing Writer
Nov 12, 2024
5 Min Read
Reports
More Reports
Webinars
More Webinars
White Papers
More Whitepapers
Events
More Events