Serverless computing did rather well in 2019, and it will do even better this year – but how do you secure it?
Also called Functions-as-a-Service (FaaS), serverless computing dispenses with the constantly running applications you normally find in a server infrastructure. Instead, it uses software functions that only run when triggered by events. This means you don’t pay a cloud service provider to keep a virtual machine running for an application that only sends messages twice a day. Instead, you just pay for the computing time used when you call that function.
Serverless computing, which has gained credibility through services like AWS Lambda, will grow at a CAGR of 34% according to reports. It also represents a different computing model than IT admins are used to. A few best practices will help keep your serverless functions safe in the cloud.
Verify Your Inputs
Serverless functions naturally draw upon messaging streams and third-party application programming interfaces (APIs). An attacker could inject code into these message streams and manipulate your cloud functions. Only consume events and other data from trusted sources and validate that data fastidiously.
Verify Your Components
This is a tricky one. Functions often rely on third-party libraries, which may have their own vulnerabilities. The recent discovery of bugs in third-party-packages is a good example. Regularly auditing these libraries using open-source code monitoring tools can help protect your functions from baked-in vulnerabilities.
Discover and Document
Serverless functions won’t be as readily visible as running servers, and companies that don't organize them properly risk creating unmanaged 'shadow APIs’ that could create security blind spots. A solid devops program can help tie software development and operations together, cataloging and managing functions in the cloud. Automated discovery tools can help with periodic audits.
Manage Permissions
Functions are built to query and exchange information with many other online components. As they proliferate within your cloud infrastructure, it will be important to manage their access to data and processes. Adopt a least-privilege approach to function permissions, maintaining an up-to-date record of permissions for all these components.
If you’re planning on giving serverless functions a whirl in 2020, these guidelines will help decrease your risk while letting you explore the benefits of this highly responsive new cloud computing model.
