Protego emerged from stealth this week, scoring $2 million in seed funding as it targets security efforts in the serverless space.
The Baltimore-based firm is focused on serverless, which is drawing increased interest due to how the model aligns with the agility mantra preached by DevOps. Serverless applications don’t rely on a fixed infrastructure; are designed to activate almost instantly; and can be programmed with a finite lifespan that cuts off all activity once a function is completed.
Hillel Solow, CTO and co-founder of Protego, explained that the agility of serverless is transformational, but needs to be understood in order to be properly secured.
“Serverless is a lot more significant and different than the cloud solutions that came before it,” Solow said. “It misses the mark to treat serverless and serverless security needs by just thinking of them as the container equivalent to VMs [virtual machines].”
Solow laid out three core issues for serverless security: basic observability for what’s happening inside an application; taking that observability to configure the correct security posture for that application; and how that security posture deals with an actual attack.
Protego tackles those issues with a platform that can be continuously updated at a DevOps pace. This includes scanning the serverless infrastructure, comprising the functions, logs, and databases, to minimize the attack surface. It then uses machine-based analysis and deep learning algorithms to build a model of “normal function behavior” so the user knows when an attack is occurring.
The platform also maintains what Solow described as a “minimum effective dose of protection” targeted only where it needs to be in order to keep a low operating overhead. This helps reduce operational usage costs without impeding application performance.
“In serverless you need to remain continuously focused on posture,” Solow said. “That means every few hours you need to be re-evaluating that posture.”
Developers On Board
Maintaining this level of agility is one of the biggest challenges faced by organizations dealing with serverless. More traditional VM and container platforms operate in timelines that can allow for a security team to handle updates on a weekly or monthly basis.
However, Solow noted that the pace of innovation with serverless requires that the developers who actually create serverless-based applications be involved. As an example, he explained that in half of the companies that Protego is working with, developers are crafting security permissions.
“They are becoming part of the process,” Solow said.
That needed shift was echoed by others in the space.
Gadi Naor, CTO at Alcide, said that communication between developers and the security team is critical for serverless. He explained that those developers are on the front lines of what’s happening in these ephemeral applications, and thus in the best position to implement a security plan.
“Developers are the ones that drive innovation,” Naor said. “They see what’s happening and really know what’s needed in terms of security.”
Alcide late last year scored $5.2 million in seed funding, which was led by Intel Capital and Elron.
Nate Taggert, CEO and co-founder at Stackery, reiterated that need to increase cooperation across an organization as it tackles serverless.
“The old model was for an Ops team to have a high level of access to the cloud account and for developers to have limited or no access,” Taggert explained. “That simply doesn’t work well in serverless where developers must frequently provision to the cloud during the development cycle.”
Stackery offers an operational dashboard for organizations looking to tap into serverless. The company last month pocketed $5.5 million in new funding, which pushed its total haul to more than $7.3 million since it was founded in 2016.
Serverless Security Concerns
Serverless security provider PureSec recently noted that 21 percent of open source serverless projects contained at least one critical vulnerability or misconfiguration. The research also found that 6 percent of those projects had application secrets like API keys or credentials available in public code repositories.
Serverless is seen as being potentially more secure than containers or virtual machines (VMs) for a number of reasons. The technology doesn’t rely on traditional servers and thus the presence of vulnerable binaries is eliminated; denial of service attacks are limited in scope and become billing issues; and serverless immutability eliminates reliance on potentially compromised servers.
However, serverless is generally more difficult to monitor because of the lack of a centralized server. There’s the potential for a larger attack due to the increased flexibility of serverless. And there remain challenges in securing third-party services during transit.
“These architectures complicate security protection strategies because there’s no OS [operating system] or container to instrument,” said Neil MacDonald, a vice president and distinguished analyst at Gartner, in a recent report. “In most cases, these services are used in conjunction with VM- and container-based architectures, so a traditional (cloud workload protection platform) provides partial protection.”
Protego’s Solow said he sees the company as being a complement to the embedded security efforts offered by the large cloud providers.
“We worry more about the pure-play providers since those with a broader focus can overlook some of the gaps that make serverless different from other cloud platforms,” Solow said.