One of the main benefits of serverless is the ability to shift server administration and platform management tasks to a third party, allowing for a greater focus on development and deployment. But this freedom can come at a price — relying on serverless also means, for example, giving more control to a third party. Things for which you are at the mercy of the serverless provider include unexpected downtime, fluctuating pricing, and ultimately the inability to benefit from features tailored to your specific needs, since you are likely one of thousands of customers. Control of the underlying security parameters can also be an issue.
However, with the right tools, it is possible to gain visibility and control of runtime security for your serverless data and applications. Ory Segal, chief technology officer and co-founder of serverless security provider PureSec, was on hand to discuss how, during a podcast hosted earlier this month by Alex Williams, founder and editor-in-chief of The New Stack, earlier this year at ServerlessConf 2018.
The inherent issue with serverless is that customers do not own the runtime environment since “you are a guest,” Segal said. “Being able to sit there and monitor everything at a very low level … is challenging.”
But as mentioned before, gaining visibility into serverless security on a runtime level is doable, with the right monitoring systems, such as the ones PureSec provides, Segal said. “We basically weave ourselves into the environment as far as we provide you with the library. And when you call our library in your code, it sort of wraps around — not wraps in code but like encloses the function instance in our security environment in order to monitor things at a very, very low level,” Segal said.
A reliable serverless monitoring system must still include features applicable for typical on-premise or cloud deployment. Every organization also has its specific data protection needs. “There’s no one approach that matches or fits every environment and every customer,” Segal said. “Every organization has their own needs and different environments.”
Regardless, static analysis, scanning and certifying libraries, and scanning code remain important and are “not something I would skip even though we’re talking about serverless application security,” Segal said. “You need to statically scan the code to find longevities before you deploy. There’s no point in dispatching things afterward.”
When it comes to runtime and monitoring for serverless, “things have changed,” Segal said. “I think I heard somebody mention that in serverless, the cloud is like the operating system and then the functions are the code, so it’s completely different,” Segal said. “It’s like a completely whole computer basically, and you need to treat it as such. So just monitoring functions or just monitoring configurations is not enough to look at the big picture and understand that this is one big system.”
Feature image via Pixabay.