SAN FRANCISCO — How do you secure a serverless function? For now it takes a lot of legwork and roll-up-your-sleeves planning, according to Mark Nunnikhoven.
That shouldn’t be daunting, though, because it boils down to a lot of old-school legwork that enterprises probably ought to be doing anyway, the Trend Micro Vice President of Cloud Research said in a Thursday RSA Conference talk and a subsequent chat with SDxCentral. It ends up involving “a lot of soft skills, a lot of teamwork,” he said.
A serverless function is one that has no permanent home in the cloud. Rather, it is invoked on demand in response to a trigger event. For example, every time a photo is saved into storage, a serverless function could create a thumbnail version.
In each case, you don’t have prior access to the infrastructure your function will run on. Even the cloud provider doesn’t really know ahead of time. So, how can you secure an unknown location?
For starters, a developer should map out the function’s data flow and write down which cloud services it will use, Nunnikhoven said. “It’ll help you make better decisions around configuring these services,” he added. “You will be amazed at what you dig up.”
He also recommends a code review with development and security personnel both present. The developers know what the code is supposed to do; security’s job is to make sure the code does only what it’s supposed to do.
“It’s a good way to start infecting developers with that mindset” of checking code for possible problems, he said.
These exercises will reveal which points of the cloud will need monitoring. What’s amusing here is that the monitoring tool itself can be a serverless function, popping into existence as a sidekick.
And that’s what the end goal of all this work should be: automation. The idea, as with security of normal networks, is to identify suspicious activity quickly and do something about it automatically.
The responses have to be automated because the hacks are automated. “I’m a big sci-fi fan. Only after great struggle does any human ever win against a robot,” Nunnikhoven said.
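The pattern described above, a monitoring function that is itself triggered by the same storage event as the workload it watches and returns an automated decision, as an added example that is not from the article, the talk, or Trend Micro. The event shape, the `DataFlowPolicy` fields, the bucket and prefix names, and the `monitor_handler(event, context)` entry point are all assumptions made for illustration; the policy stands in for the written data-flow map the talk recommends, so any record that falls outside it produces a finding.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class DataFlowPolicy:
    """The data-flow map written before deployment, expressed as checks (assumption).

    The thumbnail workload is expected to read image objects from one bucket
    prefix only; anything else is outside the documented flow.
    """
    source_bucket: str
    source_prefix: str
    allowed_suffixes: tuple = (".jpg", ".jpeg", ".png")
    max_object_bytes: int = 10 * 1024 * 1024  # 10 MiB, an arbitrary ceiling


# Constructed policy for the thumbnail example (bucket and prefix are invented).
POLICY = DataFlowPolicy(source_bucket="photo-uploads", source_prefix="incoming/")


def inspect_record(record: dict, policy: DataFlowPolicy) -> list:
    """Return the policy findings for one storage event record (empty list = clean)."""
    findings = []
    bucket = record.get("bucket", "")
    key = record.get("key", "")
    size = int(record.get("size", 0))

    if bucket != policy.source_bucket:
        findings.append(f"unexpected bucket {bucket!r}")
    if not key.startswith(policy.source_prefix):
        findings.append(f"key outside expected prefix: {key!r}")
    if not key.lower().endswith(policy.allowed_suffixes):
        findings.append(f"unexpected object type: {key!r}")
    if size > policy.max_object_bytes:
        findings.append(f"object too large: {size} bytes")
    # A '..' path segment in an object key is never part of the documented flow.
    if ".." in key.split("/"):
        findings.append(f"path traversal pattern in key: {key!r}")
    return findings


def monitor_handler(event: dict, context=None) -> dict:
    """Serverless-style entry point: receives the trigger event, returns the action.

    The (event, context) signature mirrors the usual function-as-a-service
    convention; the simplified event layout below is constructed, not a
    provider's real format.
    """
    alerts = []
    for record in event.get("records", []):
        findings = inspect_record(record, POLICY)
        if findings:
            alerts.append({"key": record.get("key"), "findings": findings})
    # The returned action is what an automated downstream step (notification,
    # quarantine) would consume; nothing external is called here (assumption).
    return {"action": "alert" if alerts else "allow", "alerts": alerts}


# Constructed sample event: one in-policy upload and one that is not.
SAMPLE_EVENT = {
    "records": [
        {"bucket": "photo-uploads", "key": "incoming/holiday.jpg", "size": 204800},
        {"bucket": "photo-uploads", "key": "incoming/../etc/payload.png", "size": 512},
    ]
}

if __name__ == "__main__":
    print(json.dumps(monitor_handler(SAMPLE_EVENT), indent=2))
```

Because the checks are derived from the written data-flow map rather than from signatures, the same handler flags both simple misconfiguration (an upload landing in the wrong bucket or prefix) and the odd record that no legitimate caller would produce, which is the kind of "does only what it is supposed to do" review the article describes.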
Serverless functions are gaining traction, not just with rogue developers but with brand-name enterprises such as Nordstrom and Capital One, Nunnikhoven pointed out.
It’s partly because of the economics. Cloud providers bill customers only for the time the serverless function is in existence. It’s easy for an enterprise to see what it’s spending on serverless, and the result can be a lot cheaper than normal cloud rental.
That’s one way that organizations get hooked on serverless, he said. They try it with a small, low-risk task and then realize serverless is cheaper than regular cloud usage would be.
“Based on that, people go, ‘Where else could we start to see those savings,’” Nunnikhoven said. “People are starting to build full-on applications and solutions with it.”
That’s been noticed at AWS. At Amazon re:Invent in December, the company launched new Lambda capabilities including Step Functions, which lets users chain together Lambda functions to build more complex applications.