Need cloud computing? Get started now

What Is Serverless Security?

Serverless security is the set of practices, programs, and technologies that organizations deploy to protect serverless computing architecture. In serverless computing, DevOps teams can write and deploy applications in cloud-native frameworks where the servers are managed by a cloud services provider. A serverless architecture allows developers to remain focused on writing code while the cloud provider is responsible for provisioning and maintaining the servers used for application development. Serverless security requires a shift in the way organizations view application security, and a fresh approach to controlling access and protecting data and functions.

What is serverless architecture?

Diagram illustrating serverless computing. This diagram illustrates a client querying a Network Time Protocol Server spun up on demand within a Docker container.

Serverless architecture is a cloud computing model that enables organizations and software development teams to build and run applications without worrying about managing the back-end services and underlying server infrastructure. While serverless architecture still uses servers, the server and infrastructure management is performed by a cloud services provider. This allows developers to focus more time and energy on releasing applications and services faster. Serverless computing allows organizations to access back-end services on an as-needed basis, paying only for the amount of resources they use.

What are threats to serverless architecture?

Serverless architecture is a major paradigm shift in how organizations manage development environments, and it has produced a new crop of security threats and security risks that IT teams must contend with.
  • Injection. Event data injection happens when unreliable input is delivered straight to an interpreter for execution or evaluation without determining if the input is malicious.
  • Overprivileged functions. Because each function in a serverless application has its own roles and permissions, serverless applications are often granted excessive privileges that may be compromised by malicious actors.
  • Misconfiguration. When settings in a serverless framework are not properly configured, the environment may be subject to denial-of-service attacks.
  • Broken authentication. Broken authentication allows attackers to exploit weaknesses in authentication mechanisms to gain unauthorized access to a serverless application, potentially leading to data breaches, identity theft, or session hijacking.
  • Insecure code. When code is not secure, it may introduce vulnerabilities that hackers can exploit to compromise the availability, integrity, or confidentiality of serverless applications and data.
  • Larger attack surfaces. A serverless framework encompasses a variety of input and event sources, including HTTP, APIs, IoT device connections, and cloud storage. Because some aspects of these sources may contain untrusted message formats, the size of the attack surface can be significantly expanded.
  • Dependencies. Third-party dependencies introduce risk by creating a larger attack surface that’s beyond an organization’s control. These may include dependencies on libraries, frameworks, or modules that, when exploited by an attacker, may provide access to sensitive data or resources.

Additional top threats as identified by the Open Worldwide Application Security Project (OWASP) include:

  • Insecure Serverless Deployment Configuration
  • Inadequate Function Monitoring and Logging
  • Insecure Application Secrets Storage
  • Denial of Service & Financial Resource Exhaustion
  • Serverless Business Logic Manipulation
  • Improper Exception Handling and Verbose Error Messages
  • Obsolete Functions, Cloud Resources and Event Triggers
  • Cross-Execution Data Persistency

What are serverless security best practices?

A move to serverless architecture requires a corresponding shift in how cybersecurity teams think about cloud security and application security. Traditional tools like firewalls, intrusion detection systems, or runtime application self-protection (RASP) are of little help in protecting an application that consists of a variety of distributed cloud services.

  • Maintaining strong access control through identity and access management (IAM). IT teams must use strong passwords and maintain least-privilege access for all serverless functions and other services. Users, applications, and processes should only be granted the absolute minimum permission required to perform a task. For instance, when an AWS Lambda function requests access to a DynamoDB table, it must be granted permission only to perform the specific tasks required by the business logic, rather than being granted broad access to the service environment. Additionally, the practice of least privilege should also apply to users.
  • Scanning for vulnerabilities. Frequent and regular scans for configuration errors, overly permissive roles, and third-party dependencies can help to ensure the security of serverless applications.
  • Using runtime protection. Runtime protection can help IT teams uncover malicious event inputs and limit the ability of each function to access files, hosts, and the internet.
  • Encrypting data in transit and at rest. Encrypting sensitive data ensures that data in transit cannot be intercepted or read by unauthorized users. Encrypting data at rest protects data from authorized access by attackers or insiders with access to databases and storage systems.
  • Monitoring and logging functions. Real-time monitoring can help IT teams quickly detect anomalies and suspicious activity in a serverless environment where components scale and react to events dynamically. By keeping a centralized log of activity, teams can aggregate logs from different sources to streamline incident response and trace the origin and nature of threats.
  • Deploying an API gateway. As a reverse proxy, an API gateway provides extra security defenses by creating distinct separation between users and functions.
  • Creating timeouts for functions. By setting a timeout limit for functions, IT teams can stop malicious actors from executing denial-of-service attacks or exploiting vulnerabilities. Timeouts can also prevent other security problems like memory leaks and infinite loops.
  • Looking beyond web security solutions and web application firewall protection. Since web application firewalls (WAFs) only inspect web traffic, this technology can’t protect against event trigger types like notifications from IoT devices, code modifications, database changes, or cloud storage events.

Frequently Asked Questions (FAQ)

Serverless computing is a cloud-based model for application development and execution that allows developers to build and run code without needing to manage servers or back-end infrastructure. Developers can focus on writing front-end application code and business logic, while cloud service providers provision, manage, and scale the cloud infrastructure required for the development environment.

Since serverless computing services are offered on an as-needed basis, they offer a more cost-effective way to access the infrastructure needed to write and run applications. Serverless computing offerings can scale quickly. And a serverless architecture can dramatically reduce time to market, since developers can focus on writing and modifying code rather than managing servers and databases.

Edge serverless refers to serverless functions that are run on edge servers, closer to the edge network end users who consume them. Edge serverless is part of the evolution of cloud edge offerings, where cloud resources are positioned at the network’s edge to reduce latency.

Function as a service (FaaS) is a serverless model for running modular bits of code on edge servers. FaaS allows developers to write and modify code on the fly, where the code is executed in response to an event, as when a user clicks on an element in a web application. FaaS makes code easier to scale and provides a cost-efficient way to implement microservices.

A container is a package of software that combines code with all the dependencies and elements required for the application to run quickly and reliably in any computing environment. Containers virtualize the operating system and can run workloads anywhere.

Why customers choose Akamai

Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.

Explore all Akamai security solutions