Cloud Native Security Shifts the Focus Back to the Application
Cloud native computing is bringing about such a sea change in how applications are developed, deployed and run, that, not surprisingly, it is changing the rules for information security as well. Case in point: serverless computing.
In this latest edition of The New Stack Makers podcast, we speak with Check Point Software’s Cloud Security Strategist Hillel Solow, who has been at the cutting edge of these changes. Solow co-founded Protego Labs, a pioneer in serverless security. Security vendor Check Point saw the writing on the security wall early on and gobbled up Protego in 2019. The New Stack publisher Alex Williams and TNS managing editor Joab Jackson hosted this episode.
Serverless, where Protego got its start, is a great example of the changes that cloud native computing has wrought, Solow explained in this podcast. Serverless workloads pop up and disappear as soon as they are done. That forces the security professional to rethink, or think “holistically” about, how to secure an application. An attacker may not be able to use the serverless call to create a user account or get into a big trove of user data, but damage can still be done, by using the serverless call as a pivot point for greater entry or to run up unnecessary charges on the account holder’s account.
In many ways, the best practices of serverless security should work as general guidelines for all application security, Solow argued. Lately, much of the software security field has concerned itself with securing things outside of the application, such as the network. But serverless provides the opportunity to lock down individual system and cloud calls on a case-by-case basis. Previously, a container holding an app may have bundled hundreds of system calls, so it would have been cost-prohibitive to track down what each one does and how it should (and should not) interact with other services. But unbundling these calls into individual actions gives the security professional the ability to apply “least privilege” to each call, ensuring none are executing anything they are not supposed to.
Of course, this has been tried before, with SELinux, for example, but in many cases handcrafting a set of policies for system calls would be too much work for any one developer. Protego’s early calling card — and now part of the Check Point arsenal — is to automate the examination of serverless code to see what each call needs to do, and then, by extension, suss out what system or cloud permissions that the code requires to do this job. Then it’s easy-peasy to grant those permissions and block all other actions, thereby securing an application.
With serverless, “the notion of least privilege becomes super powerful. If we could just say ‘hey this function can only read from this table’ or ‘this function can only write to this bucket,’” then much of an application’s attack surface could “melt away just by getting those permissions down to the minimum,” he said.
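To make the idea behind the last two paragraphs concrete, here is an added illustration of the workflow Solow describes: statically inspect a function's cloud SDK calls, derive the permissions it actually needs, and emit a policy that grants only those. This is example code written for this page, not Protego's or Check Point's analysis, whose internals are not public. It assumes a Python AWS Lambda handler using `boto3`, a deliberately small and hand-written table mapping `boto3` method names to IAM actions and ARN templates, resource names held in module-level string constants, and a constructed sample handler embedded inline; real code would need a far larger mapping and data-flow analysis for resources that are not constants.

```python
"""Infer a least-privilege IAM policy from a serverless handler's SDK calls.

Added example. The boto3 -> IAM mapping below is an assumed, partial table
written for illustration; it is not an official or complete list.
"""
import ast
import json

# Constructed sample handler: reads one DynamoDB table, writes one S3 bucket.
SAMPLE_HANDLER = '''
import boto3

TABLE = "orders"
BUCKET = "order-exports"

ddb = boto3.client("dynamodb")
s3 = boto3.client("s3")

def handler(event, context):
    item = ddb.get_item(TableName=TABLE, Key={"id": {"S": event["id"]}})
    s3.put_object(Bucket=BUCKET, Key=event["id"] + ".json", Body=str(item))
    return {"status": "ok"}
'''

# (service, boto3 method) -> (IAM action, keyword naming the resource, ARN template).
ACTION_MAP = {
    ("dynamodb", "get_item"): ("dynamodb:GetItem", "TableName", "arn:aws:dynamodb:*:*:table/{}"),
    ("dynamodb", "put_item"): ("dynamodb:PutItem", "TableName", "arn:aws:dynamodb:*:*:table/{}"),
    ("dynamodb", "delete_item"): ("dynamodb:DeleteItem", "TableName", "arn:aws:dynamodb:*:*:table/{}"),
    ("s3", "get_object"): ("s3:GetObject", "Bucket", "arn:aws:s3:::{}/*"),
    ("s3", "put_object"): ("s3:PutObject", "Bucket", "arn:aws:s3:::{}/*"),
}


def infer_policy(source: str) -> dict:
    """Return an IAM policy allowing only the SDK calls found in `source`."""
    tree = ast.parse(source)
    constants = {}  # module-level NAME = "literal"
    clients = {}    # variable name -> boto3 service name

    # Pass 1: collect string constants and boto3.client(...) assignments.
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            continue
        name, value = node.targets[0].id, node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str):
            constants[name] = value.value
        elif (isinstance(value, ast.Call) and isinstance(value.func, ast.Attribute)
              and value.func.attr == "client" and value.args
              and isinstance(value.args[0], ast.Constant)):
            clients[name] = value.args[0].value

    # Pass 2: map every <client>.<method>(...) call to an action on a resource.
    grants = {}  # resource ARN -> set of actions
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)):
            continue
        entry = ACTION_MAP.get((clients.get(node.func.value.id), node.func.attr))
        if entry is None:
            continue
        action, kwarg, template = entry
        resource = "*"  # fall back to a wildcard only when the name cannot be resolved
        for kw in node.keywords:
            if kw.arg != kwarg:
                continue
            if isinstance(kw.value, ast.Constant):
                resource = template.format(kw.value.value)
            elif isinstance(kw.value, ast.Name) and kw.value.id in constants:
                resource = template.format(constants[kw.value.id])
        grants.setdefault(resource, set()).add(action)

    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(acts), "Resource": res}
                      for res, acts in sorted(grants.items())],
    }


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Check whether the generated allow-only policy permits action on resource."""
    return any(action in s["Action"] and s["Resource"] in (resource, "*")
               for s in policy["Statement"])


if __name__ == "__main__":
    print(json.dumps(infer_policy(SAMPLE_HANDLER), indent=2))
```

Because the generated policy contains only `Allow` statements for the calls that were found, anything else the function might be coerced into doing (deleting from the table, reading another bucket) has no matching grant and is denied by default, which is the "block all other actions" step the text describes. Where the analyzer cannot resolve a resource name it falls back to `*`; in practice that fallback is exactly the case a reviewer should flag rather than ship.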