Serverless computing is becoming more popular as organizations look for new ways to deploy their applications in the cloud. With higher levels of abstraction, easier maintenance, a focus on high performance, and ephemeral workloads, serverless computing solutions like Lambda are finding a permanent place in the mix of cloud infrastructure options.
However, as serverless grows more popular, serverless computing security is becoming an important factor to consider, especially as enterprises use serverless computing to power applications that interact with their legacy systems, and they need assurance that their data and application code are fully secured in production.
What are the key factors to consider when it comes to security for serverless? Let's find out.
1. Shared responsibility
As with all cloud solutions, serverless computing operates on a shared responsibility model for security: the cloud provider is responsible for the security of the resources it provides in the cloud, and the customer is responsible for the security of their data and application code. Understanding this split is fundamental to knowing where to focus your security efforts. Serverless computing eases security work because it offloads infrastructure security to the vendor. As a customer, however, you need to use this to your advantage and put even more focus on securing the upper layers of the stack that remain under your control: access to and authorization for resources, integrations with other applications and APIs, and the analysis of performance data and errors.
Let's look more closely at what this means in the case of AWS Lambda, which is the leading serverless computing solution available today. Although we’re discussing Lambda here, you can replicate the same approach for other serverless computing tools.
2. API Gateway
API Gateway is AWS' API management service: it manages, authenticates, and reports on the API calls that flow between clients and the backends they call. In the case of Lambda, you can use API Gateway to integrate an external enterprise application with Lambda and streamline the communication between the legacy app and Lambda. This was previously difficult to do, because the two systems differ completely in how they function and how they are built. API Gateway integrates them in a way that focuses on the tasks to be done rather than on the differences between the applications.
On the security side, API Gateway enables a set of policies to govern each API call. You can leave an endpoint open for communication, or require that calls be governed by a list of IAM (Identity and Access Management) policies. The relationship can also work the other way, with API Gateway using a Lambda function as a custom OAuth authorizer (a Lambda authorizer). Rather than build an authorizer from the ground up as a separate application, you can use Lambda to execute the code that authorizes each API call.
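The following is an added example of the second arrangement just described: a TOKEN-type Lambda authorizer that API Gateway calls before each request and that answers with an IAM policy document. It is illustrative code written for this article, not code from AWS or from the original post. The token format is a constructed HMAC-signed stand-in for a real OAuth/JWT token (a real deployment would validate the token against the issuer's keys), the scope names "orders:read" and "orders:write" are hypothetical, and the ARN values are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret: stands in for the issuer keys a real OAuth/JWT
# validation would use. A real function would never hard-code a secret.
DEMO_SECRET = b"demo-signing-secret-not-for-production"


def _b64encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims, secret=DEMO_SECRET):
    """Issue a constructed HMAC-signed token '<body>.<sig>' (a stand-in for a JWT)."""
    body = _b64encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64encode(sig)


def verify_token(token, secret=DEMO_SECRET, now=None):
    """Return the claims when signature and expiry check out, otherwise None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak timing information.
        if not hmac.compare_digest(expected, _b64decode(sig)):
            return None
        claims = json.loads(_b64decode(body))
    except ValueError:  # bad base64, bad UTF-8, bad JSON or missing '.'
        return None
    current = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= current:
        return None
    return claims


def build_policy(principal_id, effect, method_arn):
    """The response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
        # Optional key/value pairs the backend can read as $context.authorizer.*
        "context": {},
    }


def handler(event, context=None, now=None):
    """TOKEN-type authorizer: Allow only a valid, unexpired token holding the needed scope."""
    method_arn = event["methodArn"]
    auth_header = event.get("authorizationToken", "")
    if not auth_header.startswith("Bearer "):
        return build_policy("anonymous", "Deny", method_arn)
    claims = verify_token(auth_header[len("Bearer "):], now=now)
    if claims is None or "sub" not in claims:
        return build_policy("anonymous", "Deny", method_arn)
    # methodArn ends with "<api-id>/<stage>/<HTTP-VERB>/<resource-path>"; the verb
    # decides which (hypothetical) scope the caller must hold.
    verb = method_arn.split("/")[2]
    required = "orders:write" if verb in ("POST", "PUT", "PATCH", "DELETE") else "orders:read"
    if required not in claims.get("scope", "").split():
        return build_policy(claims["sub"], "Deny", method_arn)
    policy = build_policy(claims["sub"], "Allow", method_arn)
    policy["context"] = {"scope": claims.get("scope", "")}
    return policy


if __name__ == "__main__":
    token = make_demo_token({"sub": "user-1", "scope": "orders:read", "exp": 2000000000})
    event = {"type": "TOKEN", "authorizationToken": "Bearer " + token,
             "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/orders"}
    print(json.dumps(handler(event), indent=2))
```

Two things worth knowing when you deploy something like this: returning a Deny policy produces a 403 for the caller, whereas raising an exception with the message "Unauthorized" produces a 401; and API Gateway caches the authorizer's response per token for the configured TTL, so a policy scoped to a single methodArn can be reused for other routes during that window, which is why authorizers often return a policy covering the whole API stage instead.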
3. Amazon Cognito
Cognito is a user access control service from AWS that works well with many AWS services, including Lambda. Its primary function is to provide mature login controls for users, so that their application data is saved in the AWS cloud and synced automatically across all the devices they use, even when they move from "trial" to "paid" user. Cognito acts as a gatekeeper, allowing only authenticated users to reach the Lambda application. It provides pre- and post-authorization hooks for enforcing security controls and for designing custom user experiences within the app. Cognito also lets you set different policies for different groups of users with its identity pools feature, and it works together with IAM to apply a different policy to each pool.
4. AWS IAM
As the core security service that manages access to all AWS resources, IAM is essential to securing a Lambda application. It lets you give varying access levels to users. You can give users read-only access to your Lambda functions, or you can allow them to invoke Lambda functions, or you can give them full access to invoke functions and manage the underlying system resources.
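To make the three access tiers concrete, here is an added example (written for this article, not taken from AWS documentation or the original post) with constructed policy documents for read-only, invoke-only and full access, plus a deliberately small evaluator that applies the IAM rule "explicit Deny beats Allow, and anything not allowed is implicitly denied". The account id, region and function names are placeholders, the full-access policy carries a constructed Deny guardrail on production functions to show that precedence, and the evaluator ignores NotAction, NotResource, Condition keys and resource-based policies, so it is a teaching model of the evaluation logic rather than a replacement for the IAM policy simulator.

```python
import fnmatch

# Constructed policy documents for the three access tiers described in the text.
READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:ListFunctions"],
        "Resource": "*",
    }],
}

INVOKE_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "lambda:InvokeFunction",
        # Scoped to one family of functions instead of "*" (placeholder ARN).
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders-*",
    }],
}

FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
        # Constructed guardrail: an explicit Deny wins even against lambda:* above.
        {"Effect": "Deny", "Action": "lambda:DeleteFunction",
         "Resource": "arn:aws:lambda:*:*:function:*-prod"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive, ARNs are not."""
    target = value.lower() if fold_case else value
    return any(
        fnmatch.fnmatchcase(target, p.lower() if fold_case else p)
        for p in _as_list(patterns)
    )


def is_allowed(policies, action, resource):
    """Evaluate all attached policies: explicit Deny > Allow > implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if "Action" not in stmt or "Resource" not in stmt:
                continue  # NotAction / NotResource forms are not modelled here
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource, fold_case=False):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny ends evaluation immediately
            allowed = True
    return allowed


def smallest_tier(needed_actions, resource):
    """Return the first tier, in ascending order, that covers every needed action,
    or None if even full access cannot grant them (for example, a guardrail Deny)."""
    tiers = [("read-only", READ_ONLY), ("invoke-only", INVOKE_ONLY), ("full-access", FULL_ACCESS)]
    for name, policy in tiers:
        if all(is_allowed([policy], action, resource) for action in needed_actions):
            return name
    return None


if __name__ == "__main__":
    fn = "arn:aws:lambda:us-east-1:123456789012:function:orders-api"
    for action in ("lambda:GetFunction", "lambda:InvokeFunction", "lambda:UpdateFunctionCode"):
        print(action, "->", smallest_tier([action], fn))
```

The practical habit this encourages is to start from the question "which actions does this principal actually need on which functions?" and pick the smallest grant that answers it, rather than attaching full access and relying on good behaviour.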
5. Logging and monitoring
Once the various security policies and access controls are in place using the tools listed above, you need robust monitoring and logging for Lambda. AWS provides the basics in the form of CloudWatch and CloudTrail: the former monitors application performance metrics, and the latter records API calls. While they're great for a start, you need centralized logging and monitoring of your application, and you can achieve this by transmitting logs to external logging solutions using agents. You need both metrics and logs to gain deep visibility into the performance of your Lambda application. While metrics can alert you to possible issues, logs give you the deep visibility to identify the root causes and fix them. By setting up custom alerts, you can catch security issues before they escalate, and this is ultimately how you want to approach Lambda security: proactively.
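As an added illustration of the "custom alerts" idea (example code for this article, not part of the original post or of any AWS tooling), the block below runs two simple detection rules over a constructed batch of CloudTrail records for Lambda: it flags code or configuration changes made by any principal other than an allow-listed deployment role, and it flags a principal that accumulates repeated AccessDenied errors, which is the kind of signal a log pipeline should raise before it turns into an incident. The record fields follow the CloudTrail record format; the account id, role names, IP addresses and the threshold of three are placeholders chosen for the example.

```python
import json
from collections import Counter

# Constructed CloudTrail records (not real log data). Field names follow the
# CloudTrail record format; identifiers are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-10T09:00:01Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy-role/pipeline"},
     "requestParameters": {"functionName": "orders-api"}},
    {"eventTime": "2024-01-10T09:05:17Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"functionName": "orders-api"}},
    {"eventTime": "2024-01-10T09:06:02Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "AddPermission20150331v2", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
     "errorCode": "AccessDenied", "requestParameters": {"functionName": "billing"}},
    {"eventTime": "2024-01-10T09:06:40Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
     "errorCode": "AccessDenied", "requestParameters": {"functionName": "billing"}},
    {"eventTime": "2024-01-10T09:07:15Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
     "errorCode": "AccessDenied", "requestParameters": {"functionName": "billing"}},
    {"eventTime": "2024-01-10T09:08:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/orders-app-role/i-0abc"},
     "requestParameters": {"functionName": "orders-api"}},
    {"eventTime": "2024-01-10T09:09:30Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]})

# Placeholder allow-list: the only principal expected to change function code/config.
DEPLOY_PRINCIPALS = {"arn:aws:sts::123456789012:assumed-role/ci-deploy-role/pipeline"}
# CloudTrail event names for Lambda changes carry an API-version suffix.
MUTATING_EVENTS = {"CreateFunction20150331", "UpdateFunctionCode20150331v2",
                   "UpdateFunctionConfiguration20150331v2", "AddPermission20150331v2",
                   "DeleteFunction20150331"}
DENIED_CODES = {"AccessDenied", "AccessDeniedException"}
DENIED_THRESHOLD = 3  # placeholder; tune to the account's normal error rate


def load_records(raw_json):
    return json.loads(raw_json)["Records"]


def lambda_records(records):
    return [r for r in records if r.get("eventSource") == "lambda.amazonaws.com"]


def detect(records):
    """Apply both rules and return a list of alert dicts (empty when all is quiet)."""
    alerts = []
    denied = Counter()
    for rec in lambda_records(records):
        principal = (rec.get("userIdentity") or {}).get("arn", "unknown")
        function = (rec.get("requestParameters") or {}).get("functionName", "?")
        # Rule 1: a successful code/config change by someone outside the deploy role.
        if (rec.get("eventName") in MUTATING_EVENTS and not rec.get("errorCode")
                and principal not in DEPLOY_PRINCIPALS):
            alerts.append({"rule": "unexpected-change", "principal": principal,
                           "function": function, "event": rec["eventName"],
                           "time": rec["eventTime"], "sourceIp": rec.get("sourceIPAddress")})
        # Rule 2: count denied calls per principal, failed attempts included.
        if rec.get("errorCode") in DENIED_CODES:
            denied[principal] += 1
    for principal, count in sorted(denied.items()):
        if count >= DENIED_THRESHOLD:
            alerts.append({"rule": "repeated-access-denied", "principal": principal,
                           "count": count})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_records(SAMPLE_TRAIL)):
        print(json.dumps(alert))
```

One caveat when wiring this up for real: the code and configuration changes are management events, which a trail records by default, but the Invoke records are Lambda data events and only appear if data event logging is enabled on the trail. Without that setting, the second rule would see only the failed management calls and never fire.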
Security is a top priority for organizations as they leverage Lambda for many of their production workloads. Implementing serverless security the right way takes an understanding of how security works in the cloud. You need to leverage all available security services, such as API Gateway, Cognito, IAM, and similar services from other vendors, to adequately secure your Lambda applications. Additionally, monitoring the metrics and logs generated in production is essential to spot security issues before they escalate. Lambda is making it easier than ever to get up and running with applications in the cloud. By following the best practices listed here, you can ensure those Lambda applications are as secure as they are performant.