If we go Serverless, What's left…

Transcript of If we go Serverless, What's left…

Page 1: If we go Serverless, What's left… · •Know the CI/CD pipeline and how to secure it 16. ENRICH. ENABLE. EXCEL. #ISC2Summits •Ensure secure configuration of all services •Control

Page 2:

ENRICH. ENABLE. EXCEL.#ISC2Summits

If we go Serverless, What's left for us to protect?

Martin Stemplinger

Page 3:

What is Serverless?

Page 4:

What is serverless?

Serverless is an architectural style, not a specific technology.

Page 5:

Let's explain this

• Acronyms you will read a lot:

• FaaS: Function as a Service

• BaaS: Backend as a Service

• Functions are stateless and mostly event-driven

• Backends provide the utilities

• It's a code execution environment only

• Good overview: https://martinfowler.com/articles/serverless.html

Page 6:

Page 7:

Why does it matter?

Page 8:

Developers love it

• Fewer things to care about (servers are someone else's problem)

• The biggest gains tend to come from application velocity.

Page 9:

The CFO loves it too

• Velocity is crucial for digital transformation and the move to cloud native

• Pay for what you use

• Example calculations show tremendous savings

Page 10:

Security doesn't love it

• Traditional security approach won't work anymore

• Segregation of development and security controls slows everyone down.

• Risks remain largely the same, but mitigations need reimagining.

Page 11:

What changes?

Page 12:

Traditional security only partly applies

• OS, runtime security and patching are no longer our job

• Traditional network security doesn't apply (no perimeter)

• Traditional security testing is difficult, to say the least

• Traditional SIEM approach doesn't work anymore

Page 13:

New issues

• Increased attack surface and system complexity

• Extensive data communications (what was inside a monolith goes outside)

• Security visibility gets more complex (which deviations from normal should we be worried about?)

• DoS attacks have taken a new form in the serverless world.

Page 14:

What should we do?

Page 15:

Move Security to the left and up

[Diagram: axes Application / Infrastructure and Development / Production, with markers "Today" and "Serverless"]

Page 16:

Know the environment

• Know your provider and to what extent you can trust him

• Know the services being used (3rd party services and platform services)

• Know the libraries used and manage their vulnerabilities

• Know the CI/CD pipeline and how to secure it

Page 17:

Know the services configuration

• Ensure secure configuration of all services

• Control access to data storage, e.g. S3 buckets

• Use AWS Config rules to check
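A custom AWS Config rule evaluator for the S3 bullets above, added here as an example that is not from the deck: it checks one bucket's configuration item for the four public access block settings and for a bucket policy statement that allows Principal "*". The configuration-item shape follows what AWS Config records for AWS::S3::Bucket; the bucket names, account id and role name are constructed.

```python
import json

PAB_FLAGS = ("blockPublicAcls", "ignorePublicAcls",
             "blockPublicPolicy", "restrictPublicBuckets")

def bucket_item(name, blocked, principal):
    # Constructed configuration item in the shape AWS Config records for an
    # AWS::S3::Bucket resource (only the fields this check reads).
    policy = {"Statement": [{"Effect": "Allow", "Principal": principal,
                             "Action": "s3:GetObject",
                             "Resource": f"arn:aws:s3:::{name}/*"}]}
    return {"resourceType": "AWS::S3::Bucket", "resourceName": name,
            "supplementaryConfiguration": {
                "PublicAccessBlockConfiguration": {f: blocked for f in PAB_FLAGS},
                "BucketPolicy": {"policyText": json.dumps(policy)}}}

# Two constructed buckets: one left open, one locked down to a single function role.
PUBLIC_BUCKET = bucket_item("example-public-uploads", False, "*")
LOCKED_BUCKET = bucket_item("example-private-data", True,
                            {"AWS": "arn:aws:iam::123456789012:role/example-invoice-fn"})

def _principal_is_public(principal):
    # "*" or {"AWS": "*"} (or a list containing "*") grants access to anyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def evaluate_bucket(item):
    """Return (compliance type, annotation) for one bucket configuration item."""
    supp = item.get("supplementaryConfiguration", {})
    problems = []
    pab = supp.get("PublicAccessBlockConfiguration", {})
    problems += [f"{f} is off" for f in PAB_FLAGS if not pab.get(f)]
    policy = json.loads(supp.get("BucketPolicy", {}).get("policyText") or "{}")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            problems.append("bucket policy allows Principal *")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "public access blocked and no public policy statement"

def lambda_handler(event, context):
    # AWS Config passes the changed item as JSON text in invokingEvent; a deployed
    # rule would report the result back with config.put_evaluations() (omitted).
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_bucket(item)
    return {"ComplianceType": compliance, "Annotation": annotation}
```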

Page 18:

Integrate Security into development

• Overcome requestor/approver relationships

• Bridge the gap between Security teams and Development teams

• Provide security solutions during development: “Show, don’t tell”

Page 19:

Integrate Security into deployment

• Security checks during check-in and testing

• Automated process provides full audit trail

• Infrastructure as code improves asset overview

Page 20:

Application Security

• Application security is even more important than in the past.

• All of the OWASP Top 10 still apply to us, including SQL, NoSQL and other forms of injection attacks.

• Data injection vectors: not only user input but all event data input
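An added example (not from the deck) for the last bullet: the same lookup written twice as a Python function handler, once pasting the object key from an S3 event record straight into a SQL string, once validating the key against an assumed allow-list and binding it as a parameter. The in-memory SQLite table and the event records are constructed stand-ins for the real backend and trigger.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in for the backend the function talks to: an in-memory
    # SQLite table mapping stored object keys to their owners.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE objects (bucket TEXT, obj_key TEXT, owner TEXT)")
    db.executemany("INSERT INTO objects VALUES (?, ?, ?)", [
        ("example-uploads", "invoices/2019-01.pdf", "alice"),
        ("example-uploads", "invoices/2019-02.pdf", "bob"),
    ])
    return db

def s3_event(key):
    # Constructed S3 put event, reduced to the fields the handlers read.
    return {"Records": [{"s3": {"bucket": {"name": "example-uploads"},
                                "object": {"key": key}}}]}

def owner_unsafe(db, event):
    # Vulnerable: the object key from the event record is formatted into the
    # SQL text, so whoever can name an object can reshape the query.
    key = event["Records"][0]["s3"]["object"]["key"]
    sql = f"SELECT owner FROM objects WHERE obj_key = '{key}'"
    return [row[0] for row in db.execute(sql)]

# Assumed allow-list for this application's object keys: path-like, bounded length.
KEY_RE = re.compile(r"[A-Za-z0-9_./-]{1,128}")

def is_valid_key(key):
    return bool(KEY_RE.fullmatch(key)) and ".." not in key

def owner_safe(db, event):
    # Hardened: treat event data like user input. Reject keys outside the
    # allow-list, then bind the value as a parameter instead of formatting it.
    key = event["Records"][0]["s3"]["object"]["key"]
    if not is_valid_key(key):
        raise ValueError("object key in event record rejected")
    rows = db.execute("SELECT owner FROM objects WHERE obj_key = ?", (key,))
    return [row[0] for row in rows]
```

The rejection should also be logged with the event source and key so the SIEM use cases on page 23 can pick it up.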

Page 21:

Encryption and key management

• We are still responsible for securing our users’ data, both at rest and in transit

• Centrally store and manage application secrets

• Prevent AWS credential leakage and revoke leaked credentials immediately

Page 22:

Identity Management

• Employ the principle of least privilege for each function

• Implement custom IAM rules

• Use standard authentication services
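An added example, not from the deck, for the first two bullets: a check that flags wildcard actions and resources in a function's execution-role policy, which a pipeline can run as one of the check-in gates from page 19. The two policy documents, bucket and table names, region and account id are constructed.

```python
# Constructed execution-role policies for one function that reads invoices
# from a bucket, writes a record per invoice and logs to CloudWatch.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["dynamodb:*", "logs:CreateLogStream"],
     "Resource": "*"},
]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-invoices/*"},
    {"Effect": "Allow", "Action": ["dynamodb:PutItem"],
     "Resource": "arn:aws:dynamodb:eu-central-1:123456789012:table/example-invoices"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:eu-central-1:123456789012:"
                 "log-group:/aws/lambda/example-invoice-fn:*"},
]}

def _as_list(value):
    # IAM allows a single string or a list in Action/Resource.
    return [value] if isinstance(value, str) else list(value or [])

def find_overbroad(policy):
    """Return one finding per wildcard grant in the policy's Allow statements."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants everything not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource")
    return findings

def gate_functions(function_policies):
    """Map function name -> findings; the pipeline fails if any list is non-empty."""
    return {name: find_overbroad(policy) for name, policy in function_policies.items()}
```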

Page 23:

Logging/Monitoring

• Logging in a serverless environment is not easy

• Make sure your logs contain what you need to observe security issues (contextual info)

• Adapt your SIEM and its use cases

Page 24:

Thank you for your attention! Questions?

[email protected]
de.linkedin.com/in/martinstemplinger/en
@mstempl