Serverless drives agility and speed, but that’s not all that a well-architected serverless approach enables. Serverless is a catalyst for improving security too.
With DevOps processes, the concept of Infrastructure-as-Code is a recommended best practice. In a serverless approach, treating infrastructure-as-code isn’t only recommended, it’s required. There is no way around it. The great benefit of embedded infrastructure-as-code approaches is that from the onset of the software development lifecycle, security can be integrated into the process.
With serverless, DevSecOps is a reality where engineers can architect with tightly scoped roles, and develop with fine-grained permissions as part of the process, without losing speed.
When considering security in a serverless world, it’s not just about a specific threat or vulnerability, but also about reducing the attack surface and minimizing risk early in the process.
Shifting Left for DevSecOps
A key to reducing risk is to shift security to earlier in the development process, a concept known in the industry as Shifting Left. With the shift, rather than bolting on security at the end of the process, it’s an integrated part of the software development lifecycle, enabling a DevSecOps approach.
The reality though of shifting left is that it’s not just simply about saying that you’ll integrate security earlier into the development process. The reality is that developers are rushed as it is. After all, the need to accelerate development is part of the reason why they choose serverless in the first place.
In a serverless approach, treating infrastructure-as-code isn’t only recommended, it’s required.
Far too often, we’ve seen developers simply use open wildcards (e.g. s3:* and arn:aws:s3:::*) for services with more access rights and permissions than needed. What’s essential is for organizations to have well defined serverless environments, that are locked down, where an administrator has control and visibility into how access is granted and what policies are in place.
What’s needed is an integrated approach where security processes, best practices and risk mitigation are baked into the serverless application development lifecycle from the get-go.
Critical Phases for Security in the Software Delivery Lifecycle
There are several key considerations and things that need to be done to help enable secure serverless delivery that spans the architecture, development and deployment phases.
Design. The first step of helping to ensure security in a serverless deployment should also be the first step of the application development process when architecture is mapped out. It’s the phase of the lifecycle around designing and scaffolding out applications to identify how things should interoperate.
Among the best starting points for designing architecture in the cloud is AWS Well-Architected Framework which provides building blocks for best practices. For example, if your architecture includes a Lambda Function retrieving data from an S3 Bucket, how can you ensure the Function only has read-level permission for the one Bucket it will read from? Further, what tools and processes do you have in place to ensure the right scope of permissions are always applied to all resources?
Development. When developing it’s important to be able to quickly verify security controls. The first step is ensuring the permissions created during the architecture phase allow for appropriate functioning of the application resources. The right tools will enable rapid iteration of business logic while testing against the actual permission scopes of compute resources.
Integration of security as part of the CI/CD pipeline is also critical. This includes auditing dependencies for known vulnerabilities during testing to make sure that every build automatically benefits from security by default.
Deployment. Having a well-defined build and deployment environment that is locked down can significantly reduce the attack surface for a serverless application deployment. To support rapid iteration, the packaging phase and its requirements should be separated from the deployment phase. In serverless terms, this means separating the preparation of a CloudFormation Change Set and Function source code from the execution of the Change Set. Further, it’s important to consider the context where source code is packaged. Consider adopting mechanisms that give you turn-key scaffolding for packaging while continuing to provide full control over the build environment.
A related concern is ensuring isolation between deployment environments. The best practice is to separate development, test, staging, and production environments across AWS accounts within an AWS Organization. However, existing processes may require a single AWS account for multiple environments. Isolation can still be achieved within a single account through namespaced parameters and secrets management.
Deployment is also about visibility with dashboards and auditing capabilities that further reinforce and support the secure practices that were baked in at the architecture phase. Visibility and auditing also helps to enable compliance with different regulatory requirements and policy frameworks.
Security in a serverless world is a continuum of activities from architecture, though to development and deployment. While some of the basic approaches are things that organizations have been doing for years, there is a need to integrate and customize those activities for the serverless workflow.
Beyond just the blocking and tackling of best practices and controls that can reduce the attack surface and minimize risk, there is also a need to integrate with other functions in an organization, notably a Security Operation Center (SOC) and the tools they use including SIEM.
Serverless with its discrete functions and microservices provides a real opportunity for a very fine grained approach to security.
Rather than protecting a monolith, where policy and access controls are a blunt instrument, a serverless approach enables very precise controls that can be highly effective. By shifting security left, security is no longer a bolt-on addition, but rather is an integrated part of the process. By adopting a DevSecOps approach with serverless, security can be highly automated, enabling guard rails that protect developers and applications in a way that doesn’t slow application development speed.
Feature image via Pixabay.