Tuesday, March 26th, 2019

Secure Your Cloud

Security boons and banes with serverless computing

Enterprises have generally embraced hybrid and multi-cloud computing as the new normal in IT. Now, industry fervor is brewing around the next generation of cloud infrastructure – serverless computing.

“Serverless is the ideal form of cloud – or at least it is if you're a developer,” observed F5 Networks’ principal technical evangelist Lori MacVittie. “There's no infrastructure to worry about. Nothing to provision. Nothing to configure.

“But business, too, sees value in serverless in its speed and business model. It is truly utility computing. It's not billed by the half-hour or hour. You pay for the cycles you use and that's it. Combined with the frictionless nature of deploying code with serverless, you can be out the door with functionality in hours rather than weeks or months.”

In the emerging computing model, the code and scripts developers write connect to APIs that directly trigger functions and services, instead of the traditional approach where the code runs within a server to call other servers. 

Serverless computing differs from traditional cloud computing, such as an IaaS environment, because developers and users don’t pay for unused, or even underutilized, resources. Serverless customers do not have to provision virtual machines, storage, databases and all the security and management tools – the infrastructure is fully abstracted away.

And in contrast to a microservice, which might contain all the application logic required to implement a “profile service”, serverless architecture further breaks that down into individual functions. “One for login, one for logout, one for changing your password, one for resetting it,” explained MacVittie. 

Serverless surge

The pay-as-you-go serverless model is calculated based on actual code execution time when, and only when, a function is called. A function is a short segment of code focused on executing a single task. When a pre-defined event occurs that triggers that code, the serverless platform executes the task. Customers pay a fraction of a cent per 1 million functions performed or every time a function is executed. 

Existing cloud-based serverless services include AWS Lambda, Google Cloud Functions, Microsoft Azure Functions and IBM OpenWhisk, as well as other Function-as-a-Service (FaaS) platforms, while on-premises implementations include Serverless and Iron.io.

Already, half of respondents to The New Stack’s 2018 survey said their organizations are using serverless, and another 28% of respondents plan to use serverless in their organization within the next 18 months. 

Of the survey respondents already using serverless platforms, more than half are using them for greenfield applications, since serverless makes moving from prototype to production incredibly quick. 

“It is not yet the end of 2018, and a new report by Sumo Logic has found that one in three enterprises use AWS Lambda,” MacVittie pointed out. “That's serverless. It took us ten years to get the bulk of enterprises on-board with cloud in general, but less than four to get a third embracing the newest addition to the cloud family.” 

Serverless status

However, serverless applications do not eliminate app security problems like cross-site scripting, cross-site request forgery, and injection. On the contrary, a serverless application has a wider footprint of more services and functions to be exploited or disrupted. This gives rise to DDoS attacks against the much larger, dispersed and dependent infrastructure as well as transport layer attacks against a much larger connecting network mesh.

And with the dependence on function calls to APIs, there is a greater need to ensure access control and transport encryption. Since developers aren’t necessarily experts in defining identity and access management policies, there is a real risk of granting an application access to more functions and services than it requires.

The F5 Labs 2018 Application Protection Report also highlighted the difficulty of inventory and monitoring as apps become more dispersed among isolated and diverse systems. Further, the security, monitoring and optimization software supporting this technology are nascent. 

Still, for a start, many of the security headaches, such as installing security updates and maintaining networking hardware, are actually the public cloud provider’s problem in a serverless environment.

DevOps teams do not have to keep the compiler and runtime for their language up-to-date and patch against known security vulnerabilities, according to The New Stack. Further, malicious code will not run when serverless containers are not in use and the applications are powered down. In The New Stack’s survey, 44% of respondents who already use serverless said it improved their risk posture, while only 26% said it had not. 

Crucially, serverless offers one of the most efficient means of automating operations. “An event-driven system like serverless provides an ‘always on’ platform that can execute a wide variety of tasks across the entire operational spectrum,” MacVittie wrote in her blog. “One minute it might execute a security-related task – update a firewall rule. The next, it might be firing off an action to inject a new app service – say a WAF – into the data path of an application as a response to a zero-day exploit. The same platform can provide the mechanism to execute just about every operational task required, in an automated and extensible way.”

This is a QuestexAsia blog post commissioned by F5 Networks Asia Pacific.