The typical cloud security model has been one of shared responsibility between the enterprise and the cloud provider. The cloud provider secured the hardware and software of the cloud, while the enterprise was responsible for securing the data stored in the cloud. In the best scenarios, these areas were spelled out in detail, with clear parameters for securing all aspects of the technology.
As new features, software models and approaches emerged, security teams often found themselves scrambling to revise their policies and detect potential vulnerabilities in the cloud. The mix of workloads, built from open source, in-house and third-party code, grew more complex with each new technology.
The benefits these technologies offered were often offset by the new security challenges they presented. For instance, as virtual machines gave way to microservices and containers, new cloud security issues arose that complicated the division of shared responsibility.
The newest approach to building and developing cloud native applications is serverless, or Functions as a Service (FaaS). In this model, development teams write application code in terms of a collection of functions, and the cloud provider runs the functions. It’s an approach that frees developers to focus on coding, and the provider handles provisioning, billing and scaling of the applications.
The technology is increasingly adopted, but will require a new approach to cloud security. While the traditional model creates clear boundaries for the parties responsible for each aspect of the application, serverless shifts more responsibility back to the cloud provider. The cloud provider handles the management of the operating system, while the enterprise becomes responsible for the applications in the cloud.
While this might seem like a good thing for DevOps and for security teams, the new model of security introduces blind spots, because the enterprise no longer has visibility into the operating system. This creates a challenge around adding firewalls or workload protection tools.
Security professionals need some new guidelines for handling cloud security in the age of serverless:
Determine ownership: Don’t make assumptions about who owns each part of the shared security responsibility. Defining rules makes it easier if or when you have a breach and saves you the step of finger-pointing when the vulnerability is identified.
Gain visibility: Assume your cloud provider is only taking care of the minimum cloud security measures agreed upon, and then establish your own visibility into your workloads across the data center.
Begin from the ground up: Addressing security as you discover vulnerabilities will always keep you scrambling. Build in cloud security from the initial development stage of the application, working closely with your cloud provider from the beginning to prevent attacks.
To learn more about how to adapt your cloud security strategy to changing technology, contact us at Cory Communications. We can help you ensure that blind spots and vulnerabilities don’t have a place in your cloud environment.