Cloud functions present new security challenges

Cloud functions, or serverless apps, are small, fast and pop in and out of existence. So, how do you secure them?

Serverless apps are deployed over a cloud platform and are designed to use only the amount of computing resources needed to carry out a task. They come into play when needed, and then go away when the task completes. This is great if you’re looking to maximize performance and minimize overhead in a cloud environment. Because they are small, fast and have short lifespans, however, serverless apps pose challenges to security teams.

The cybersecurity industry is still trying to come to grips with containers, those small, easy-to-deploy, pre-built little bundles of applications. Since many containers can run in a single virtual machine, each isolated from the rest, they are cheaper and more flexible than previous application deployment options.

Containers have got nothing on serverless apps, also known as cloud functions or, on Amazon, as Lambda functions. First released by Amazon and IBM in 2014 — and then by Google and Microsoft in 2016 — cloud functions are even smaller, even lighter, and even shorter lived. They're even harder to secure.

At least with containers, there's room in the container for the main application, plus some security software such as logging or malware protection tools. With cloud functions, there is only that one function and no room for anything else. Any smaller, we'll just be running single lines of code in the cloud.

As with any new technology, serverless app security is often an afterthought. Too many developers blindly put their faith in the infrastructure providers to keep their cloud functions safe.

Risks unknown, expertise lacking 

There's a lack of serverless security expertise not just in enterprise development teams but in the industry in general, says Robert Huber, chief security and strategy officer at Eastwind Networks. "Very few cyber security professionals understand micro services and cloud computing from a technical level," he says. "Even more troubling is that most organizations do not have dedicated cyber professionals with the necessary skills to reduce risk in these environments. Now comes serverless apps."

There's no solid information yet about all the cyber risks of the new technology, and support from security vendors is "nascent at best," he says. As a result, companies should be cautious when calculating the ROI of moving to serverless.

According to McAfee, serverless architectures can reduce costs by a factor of ten for some operations. That's before all the security risks are understood. Plus, the flexible billing model of serverless applications is in itself another security risk, according to McAfee. Since the apps naturally scale and billing is based on traffic, a distributed denial of service (DDoS) attack can hit the bottom line.

The increased attack surface resulting from a larger number of small functions that are deployed quickly and at scale, and that communicate with one another across the network, adds up to a big problem. According to McAfee, serverless apps are among the top five new threats of 2018.
