Assessing the Current State of Serverless Security
Security is almost always a leading pain point cited by users, and it doesn’t seem to really matter what environment or technology they’re being polled about. Anytime we shift our focus to a new technology or ecosystem, security will always be one of those things that’s top of mind. But when it comes to serverless technologies, is the security perspective really any different than, say, the lessons learned around microservices and cloud providers? Does the focus of the serverless community on a handful of centralized tools actually improve the prospects of early security, or does it only compound those problems?
In this episode of The New Stack Analysts podcast, we spoke about the state of serverless security with writer/analyst Mark Boyd, security company Snyk’s CEO Guy Podjarny, and Paul Johnston, founder of Roundabout Labs. In our discussion at ServerlessConf Austin, we talked about both the tools used to secure serverless environments, and the methodologies used to provide inherent, consistently secure approaches.
The panel agreed that many classic security questions remain the same, especially with regard to best practices from cloud providers, but there are still new security threats related to the pace at which serverless allows teams to experiment. We talked about how serverless moves the security concern from the infrastructure level to high-level targets, such as application security, data security, and network security. Finally, we also discussed how the state of serverless security will change as serverless sees greater adoption.
3:12: The concerns and focuses for serverless security.
6:15: What is different about serverless architectures that makes security important?
17:20: Logging at scale with serverless technology.
22:11: Best practices for working with serverless technology.
27:21: Serverless as a way to do continuous experimentation.
32:55: Tooling in the serverless ecosystem.