By now most of the IT practitioners are familiar with the term Serverless Computing, and are also aware of the reasons for it to become so popular. If you’re still not sure, you can read our recent blog “Why is Serverless Architecture becoming so popular?” Serverless architecture alleviates a lot of operational burden like management of operating systems and infrastructure. It also reduces a lot of burden to maintain security provided you understand the risks that your application is exposed to.
The best suggestion that you can ever get for securing serverless applications is to plan ahead, lay the groundwork, and work on a security approach proactively. If you select the right cloud provider, that’s the other way to ensure high security of your applications on a serverless platform.
Securing serverless applications is obviously different from securing the regular monolithic applications or even security of cloud deployments. You have to ensure security of flow of data, services & APIs, code quality, and monitoring production.
Image Source: https://i.kinja-img.com/gawker-media/image/upload/s–uFoN6YYf–/c_scale,fl_progressive,q_80,w_800/jgpeuoavmn7pwbh98ycs.jpg
1. Map the flow of data
One of the first and most critical steps is to map the data flow between components, services, and APIs that you’re using. If you have an understanding of what data is processed where, and where it’s stored, then you will have a better clarity of the services and APIs that are right for you. For example, sensitive customer data has to be encrypted and stored, and data storage service can be shortlisted more easily. If you have a map like this, it becomes easier to troubleshoot issues, and address performance issues whenever there are any.
2. High Quality Code
The most effective security tool for any application is high quality code. Unfortunately in case of serverless design, there are only a handful of security tools that can protect you against poor quality of code. There are a number of layers that are not in your control when using a serverless design so mitigating problems like XSS and CSRF can be difficult. Ensure that you have a solid code review, rigorous testing, and continuous integration practices to ensure that there is a consistent quality of code that is being maintained.
3. Choose the APIs and services wisely
With selection of the right services and APIs, you can build the application in the right manner. These are like the building blocks for your applications, and you have to choose the ones that best meet your security requirements. The right service is the one that will have the security controls in your hands. For example, encryption of data is not possible if you use Google Cloud Storage or Azure Storage but you can use an additional service like AWS KMS or Azure Key Vault to encrypt the data. If you have a ready data flow map, you can easily identify the services that are the right fit for your application.
4. Monitor Production
Fortunately, serverless monitoring doesn’t require you to monitor day-to-day security but just focus on aspects like access control, unusual business behaviors, and integrity monitoring. It is always a good practice to setup alerts and processes to respond to unusual activity, and there should be enough information provided to the team to take action.
By: Katie Johns