Transcript of: If we go Serverless, What's left for us to protect?
ENRICH. ENABLE. EXCEL. #ISC2Summits
If we go Serverless, What's left for us to protect?
Martin Stemplinger
What is Serverless?
Serverless is an architectural style not a specific technology
Let's explain this
• Acronyms you will read a lot:
• FaaS: Function as a Service
• BaaS: Backend as a Service
• Functions are stateless and mostly event-driven
• Backends provide the utilities
• It‘s a code execution environment only
• Good overview: https://martinfowler.com/articles/serverless.html
Why does it matter?
Developers love it
• Fewer things to care about (servers are someone else's problem)
• The biggest gains tend to come from application velocity.
The CFO loves it too
• Velocity is crucial for digital transformation and the move to cloud native
• Pay for what you use
• Example calculations show tremendous savings
Security doesn't love it
• The traditional security approach won't work anymore
• Segregation of development and security controls slows everyone down
• Risks remain largely the same, but mitigations need reimagining
What changes?
Traditional security only partly applies
• OS, runtime security and patching are no longer our job
• Traditional network security doesn't apply (no perimeter)
• Traditional security testing is difficult, at the very least
• The traditional SIEM approach doesn't work anymore
New issues
• Increased attack surface and system complexity
• Extensive data communications (what was inside a monolith now goes over the network)
• Security visibility gets more complex (which deviations from normal should we be worried about?)
• DoS attacks take a new form in the serverless world (with pay-per-invocation, flooding a function drives up the bill and can exhaust concurrency limits)
What should we do?
Move Security to the left and up
(Diagram: a grid with Application and Infrastructure on one axis and Development and Production on the other, contrasting where security effort sits Today with where it sits for Serverless: shifted left, toward development, and up, toward the application layer.)
Know the environment
• Know your provider and to what extent you can trust it
• Know the services being used (3rd-party services and platform services)
• Know the libraries used and manage their vulnerabilities
• Know the CI/CD pipeline and how to secure it
Know the services' configuration
• Ensure secure configuration of all services
• Control access to data storage, e.g. S3 buckets
• Use AWS Config rules to check
Integrate Security into development
• Overcome requestor/approver relationships
• Bridge the gap between Security teams and Development teams
• Provide security solutions during development: "Show, don't tell"
Integrate Security into deployment
• Security checks during check-in and testing
• Automated process provides full audit trail
• Infrastructure as code improves asset overview
Application Security
• Application security is even more important than in the past
• All of the OWASP Top 10 still apply to us, including SQL, NoSQL and other forms of injection attacks
• Data injection vectors: not only user input but all event data input (treat every field of a triggering event as untrusted)
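The "all event data input" point, shown in code. This is an added example, not code from the talk: a function triggered by an S3 ObjectCreated event looks up the owner of the uploaded object in a database. The S3 event shape (`Records[0].s3.object.key`, URL-encoded) is how real S3 notifications look; the table, the bucket name and the handlers are constructed for the example, and SQLite stands in for whatever database the function would really use. Nobody types the object key into a form, yet anyone who can upload to the bucket chooses it.

```python
import re
import sqlite3
from urllib.parse import quote_plus, unquote_plus

# Constructed sample table: which user owns which uploaded object.
ROWS = [
    ("reports/alice/q1.csv", "alice"),
    ("reports/bob/q1.csv", "bob"),
    ("reports/carol/q1.csv", "carol"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE uploads (object_key TEXT, owner TEXT)")
    conn.executemany("INSERT INTO uploads VALUES (?, ?)", ROWS)
    return conn


def s3_event(key):
    """Minimal S3 ObjectCreated notification (constructed; real events carry more fields).
    S3 URL-encodes the object key in the event, so we do the same here."""
    return {"Records": [{"eventSource": "aws:s3",
                         "s3": {"bucket": {"name": "uploads"},
                                "object": {"key": quote_plus(key)}}}]}


def object_key_from_event(event):
    # Decoding the key is normal; trusting it afterwards is the mistake.
    return unquote_plus(event["Records"][0]["s3"]["object"]["key"])


def vulnerable_handler(event, conn):
    """Event data pasted into SQL: whoever can name an object in the bucket controls the query."""
    key = object_key_from_event(event)
    sql = f"SELECT owner FROM uploads WHERE object_key = '{key}'"
    return sorted(row[0] for row in conn.execute(sql))


# Only keys of the shape this function is meant to handle get through.
KEY_PATTERN = re.compile(r"reports/[A-Za-z0-9_-]+/[A-Za-z0-9_.-]+")


def hardened_handler(event, conn):
    """Same lookup with the key validated against the expected shape and bound as a parameter."""
    key = object_key_from_event(event)
    if not KEY_PATTERN.fullmatch(key):
        raise ValueError(f"rejected object key: {key!r}")
    rows = conn.execute("SELECT owner FROM uploads WHERE object_key = ?", (key,))
    return sorted(row[0] for row in rows)


# An object named like this is a perfectly valid S3 key; uploading it is the attack.
MALICIOUS_KEY = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_handler(s3_event(MALICIOUS_KEY), db))      # every owner in the table
    print(hardened_handler(s3_event("reports/bob/q1.csv"), db))  # ['bob']
    try:
        hardened_handler(s3_event(MALICIOUS_KEY), db)
    except ValueError as exc:
        print("blocked:", exc)
```

The same reasoning applies to SNS messages, SQS bodies, DynamoDB stream records and API Gateway path parameters: the event source is a transport, not a trust boundary, so validate the field and bind it as a parameter regardless of where it came from.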
Encryption and key management
• We are still responsible for securing our users' data, both at rest and in transit
• Centrally store and manage application secrets
• Prevent leakage of AWS credentials, and revoke any that leak immediately
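A check that belongs in the CI/CD pipeline for the "prevent credential leakage" point: a scanner that flags AWS access keys in code or configuration before they are committed. This is an added example, not from the talk. The key ID format (20 characters, `AKIA` for long-term keys, `ASIA` for temporary ones) and the 40-character secret are the real formats; the sample file is constructed, and the two credential values in it are the placeholders AWS uses in its own documentation, not live keys.

```python
import re

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA; 20 chars total.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-char base64-ish string is too generic on its own, so require it to sit
# right after a telltale variable name.
SECRET_ACCESS_KEY = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def mask(secret):
    """Keep enough to identify the key in a report without re-leaking it."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan(text):
    """Return (line number, kind, masked value) for every credential-looking token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "access_key_id", mask(m.group(0))))
        for m in SECRET_ACCESS_KEY.finditer(line):
            findings.append((lineno, "secret_access_key", mask(m.group(1))))
    return findings


# Constructed sample: a handler file about to be committed. The two credential values are
# AWS's own documentation placeholders, not live keys. The lower half shows the pattern
# the talk asks for instead: the execution role supplies temporary credentials, and the
# application secret is fetched from the central store by name at runtime.
SAMPLE = """\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

DB_SECRET_NAME = "prod/reports/db"

def handler(event, context):
    return boto3.client("secretsmanager").get_secret_value(SecretId=DB_SECRET_NAME)
"""

if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE):
        print(f"line {lineno}: {kind} {value}")
```

Run it as a pre-commit hook or a pipeline step that fails the build on any finding. A hit is not only a blocked commit: the key has to be treated as leaked and deactivated, since the scanner cannot know where else the file has already been.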
Identity Management
• Employ the principle of least privilege for each function
• Implement custom IAM policies per function
• Use standard authentication services
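Two of the checks above (the S3 bucket access control in "Know the services' configuration" and least privilege per function in "Identity Management") reduce to reading policy documents, which is what AWS Config rules do. As an added example, not code from the talk or from AWS: a small linter over policy JSON. The first check mirrors what the managed Config rule `s3-bucket-public-read-prohibited` does for the bucket policy part of its evaluation (the managed rule also looks at ACLs and Block Public Access settings, which this script does not). The second flags wildcard actions or resources in a function's execution-role policy. All four policies are constructed; the account ID is the `123456789012` placeholder AWS uses in its documentation.

```python
import json


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public(bucket_policy):
    """True if any Allow statement grants access to everyone (Principal "*" or
    {"AWS": "*"}) with no Condition narrowing it down."""
    for stmt in _as_list(bucket_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if anonymous and not stmt.get("Condition"):
            return True
    return False


def wildcard_grants(role_policy):
    """(action, resource) pairs in Allow statements that use a wildcard action
    ("*" or "service:*") or a wildcard resource ("*")."""
    findings = []
    for stmt in _as_list(role_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                if action == "*" or action.endswith(":*") or resource == "*":
                    findings.append((action, resource))
    return findings


# Constructed policies. The first pair is a bucket policy before and after locking it down
# to the one function that needs to read it.
PUBLIC_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::uploads/*"}]}""")

LOCKED_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/ingest-report"},
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::uploads/reports/*"}]}""")

# The second pair is the execution-role policy of a function that reads one prefix and
# writes one table: the convenient version, then the least-privilege version.
BROAD_FUNCTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}]}""")

SCOPED_FUNCTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::uploads/reports/*"},
    {"Effect": "Allow", "Action": "dynamodb:PutItem",
     "Resource": "arn:aws:dynamodb:eu-central-1:123456789012:table/reports"}]}""")

if __name__ == "__main__":
    print("public bucket:", is_public(PUBLIC_BUCKET_POLICY), is_public(LOCKED_BUCKET_POLICY))
    print("broad grants:", wildcard_grants(BROAD_FUNCTION_POLICY))
    print("scoped grants:", wildcard_grants(SCOPED_FUNCTION_POLICY))
```

Because the function's role is defined as code next to the function, this check runs in the same pipeline step as the tests: a policy that grants `s3:*` on `*` fails the build rather than being discovered in production.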
Logging/Monitoring
• Logging in a serverless environment is not easy
• Make sure your logs contain what you need to observe security issues (contextual info)
• Adapt your SIEM and its use cases
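What "contextual info" and an adapted SIEM use case can look like, as an added example that is not part of the talk. The handler side emits one JSON line per invocation carrying the request ID, function, trigger type and caller; the SIEM side runs a rule that is meaningless in a server world but natural here: each function has a known set of legitimate triggers, and an invocation from anywhere else (typically a direct `Invoke` call with a hand-made payload) is an alert. The attribute names on the Lambda context object (`aws_request_id`, `function_name`, `invoked_function_arn`) are real; the context stand-in, the function names, the allowlist and the sample invocations are constructed.

```python
import json
from collections import namedtuple

# Constructed stand-in for the Lambda context object; the real one exposes these attribute names.
FakeContext = namedtuple("FakeContext", "aws_request_id function_name invoked_function_arn")


def event_source(event):
    """Classify the trigger from the shape of the event: S3/SQS records use "eventSource",
    SNS records use "EventSource", API Gateway events carry "requestContext", and anything
    else is a direct Invoke with an arbitrary payload."""
    records = event.get("Records")
    if records:
        return records[0].get("eventSource") or records[0].get("EventSource", "unknown")
    if "requestContext" in event:
        return "api-gateway"
    return "direct"


def caller_identity(event):
    """API Gateway puts the caller in the event; for direct invokes the caller is only
    in CloudTrail, so the log line records that it is unknown here."""
    identity = event.get("requestContext", {}).get("identity", {})
    return identity.get("userArn") or identity.get("sourceIp") or "n/a"


def log_line(event, context, outcome, ts, **extra):
    """One JSON log line with the context a SIEM rule needs: who invoked what, through
    which trigger, and how it ended. `ts` is passed in so the output is deterministic."""
    entry = {
        "ts": ts,
        "request_id": context.aws_request_id,
        "function": context.function_name,
        "function_arn": context.invoked_function_arn,
        "event_source": event_source(event),
        "caller": caller_identity(event),
        "outcome": outcome,
    }
    entry.update(extra)
    return json.dumps(entry, sort_keys=True)


# SIEM use case: legitimate triggers per function. Anything else is a misconfiguration or
# someone with lambda:InvokeFunction feeding the function a payload of their choosing.
ALLOWED_TRIGGERS = {
    "ingest-report": {"aws:s3"},
    "api-handler": {"api-gateway"},
}


def unexpected_trigger_alerts(lines):
    """Replay a batch of log lines through the rule; returns one tuple per alert."""
    alerts = []
    for line in lines:
        entry = json.loads(line)
        if entry["event_source"] not in ALLOWED_TRIGGERS.get(entry["function"], set()):
            alerts.append((entry["request_id"], entry["function"],
                           entry["event_source"], entry["caller"]))
    return alerts


# Constructed invocations (request IDs, ARNs and payloads are made up).
ARN = "arn:aws:lambda:eu-central-1:123456789012:function:"
SAMPLE_LINES = [
    log_line({"Records": [{"eventSource": "aws:s3",
                           "s3": {"object": {"key": "reports/alice/q1.csv"}}}]},
             FakeContext("req-0001", "ingest-report", ARN + "ingest-report"), "ok", ts=1700000000),
    log_line({"requestContext": {"identity": {"userArn": "arn:aws:iam::123456789012:user/alice"}}},
             FakeContext("req-0002", "api-handler", ARN + "api-handler"), "ok", ts=1700000001),
    # A direct Invoke of the ingest function with a crafted payload: no S3 record, no API caller.
    log_line({"object_key": "x' OR '1'='1"},
             FakeContext("req-0003", "ingest-report", ARN + "ingest-report"), "error", ts=1700000002),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
    print("alerts:", unexpected_trigger_alerts(SAMPLE_LINES))
```

The rule only works because the log line carries the trigger type and the function name on every invocation; a bare "started / finished" message, which is what many functions emit by default, gives the SIEM nothing to correlate on.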
Thank you for your attention! Questions?
[email protected] · https://de.linkedin.com/in/martinstemplinger/en · @mstempl