Riding the Application Explosion with Secure Serverless
Digital economy has triggered an insatiable appetite for apps. Just count the number of apps we use in our daily lives—from interacting with friends, family and colleagues; booking cabs; ordering food; navigating to new places; grocery shopping; digital payments, there is an app for all kinds of things. The result is that we are faced with a deluge of applications, so much so that IDC estimates by 2023, 500 million new digital apps and services will be developed and deployed, equivalent to the number of apps and services created over the past 40 years.
Much of this explosion will be driven by Cloud-native technologies such as DevOps, microservices, containers and serverless. Amongst these, serverless has captured the imagination and is seeing furious adoption. An O’Reilly survey of 1500 IT professionals in 2019 found 40% of the respondents’ organizations had adopted serverless architecture. Just as a DataDog survey in January 2020—The State of Serverless—indicated that an overwhelming 50% AWS users are using the serverless AWS Lambda Function as a Service (FaaS).
Clearly serverless technologies are going mainstream and AWS is leading the way according to State of Serverless Community Survey by Serverless Blog in which 137 respondents participated from across North America and Europe.
The immense popularity of serverless is the freedom it extends to developers by abstracting the complexities of provisioning, balancing and managing the underlying infrastructure while enabling developers to only focus on creating high-quality codes. Serverless applications are inherently available and scalable, yet cost-effective as the architecture eliminates idle instances yielding greater resource utilization.
Serverless is particularly suited for batch processing and is increasingly deployed as the data economy burgeons with massive amounts of data streaming from mobile, Web and IoT devices.
The Serverless Layer of Abstraction
Serverless computing is relatively new but it has the capability to unleash software development at speed and scale to transform the enterprise into a dynamic and futuristic service model. However, the flip side of serverless is that while it empowers developers it takes away control of the infrastructure layer from the developer introducing a different set of challenges. This includes difficulty in troubleshooting; comprehensive security management; inability to predict costs accurately; and challenges arising out of vendor lock-in.
Amongst these, the biggest challenge by far is ensuring security and compliance. The O’Rielly survey finds that the security was the leading concern amongst 60% of the respondents who have not adopted serverless. This is because traditional security approaches using tools to protect the infrastructure and networks with a firewall, IDS or runtime application security protection (RASP) technology will not work in a serverless environment because of its underlying distributed system. Specific security challenges in serverless environment include the following.
Being event-driven, serverless applications are loosely coupled functions and do not share the same memory space, so security must be deployed for individual functions. But this becomes challenging in large organizations where there are multiple Cloud accounts across regions and providers.
Data is held in a stateless environment and cached rather than stored in memory. So, storing and transporting data in serverless environment are challenging and security must be meticulous designed into the architecture to mitigate risks and avert incidents.
Much of the same security best practices apply in serverless including role-based IAM access; using API gateway as a buffer to filter, authentication and DDoS mitigation; monitoring and logging serverless functions; and managing secrets using a secure storage service. AWS Cloud offers many services to easily secure serverless such as AWS IAM, AWS API Gateway, CloudTrail, CloudWatch and AWS Systems Manager.
In addition to the standard best practices securing serverless entails specific best practices which includes the following.
- Patch function dependencies. The service provider takes care of the OS patching but application developers must take responsibility of patching vulnerabilities in application dependencies by deploying tools that monitor and patch open-source assets and source code repository.
- As serverless is event-driven all sources must be sanitized including S3 storage; messaging events such as AWS SNS and SQS; and database streams must be validated using schemas and data transfer objects, ORM with proper sequencing, etc.
- Isolate function perimeter and each function in a workflow should be treated as its own perimeter.
Create small functions to reduce the surface of attack.
- Secure and verify data in transit using https, ssl certificates, and enable signed requests to access Cloud resources.
The promise of digitally transformed businesses is the ability to leverage data-based insights and go from idea to production within hours. As organizations seek competitive advantage and pull data from a multitude of sources to roll out new features and functionalities at speed and scale, serverless applications are becoming popular. But these developments must be accompanied by changes in the way applications are secured to harvest the benefits in a consistent and sustainable manner, otherwise businesses will be exposed to more risks.
If you are interested in knowing more about designing and deploying serverless in a secure manner, reach out to us.