Cloud-native serverless architecture — sometimes known as function as a service, or FaaS — promises to take application development to new heights. Without the burden of managing infrastructure internally, developers can focus their creativity and efforts on writing and deploying code in the cloud without the headaches of running it.
From finance to education, organizations of all types are realizing the benefits of serverless as they mature their multi-hybrid cloud strategies. In fact, McKinsey recently positioned serverless alongside software as a service (SaaS) and open source software as the “technology trifecta” that can “rapidly accelerate business building for established companies that learn how to use them.” The McKinsey researchers shared compelling examples of serverless development in action, from an oil and gas company that spun out a series of products in just 12 weeks using a consistent serverless architecture to a major private equity firm that developed an innovative new investor site using serverless.
Despite the benefits of reduced costs and increased speed, flexibility and accuracy, a long-time security challenge has crept into this shiny new serverless realm: Organizations must effectively manage Identity and Access Management (IAM) permissions across CI/CD pipelines and development teams, while giving everyone (and everything) the access they need to deliver innovation at scale.
Out of perceived necessity, many security architects take a “more is more” approach, granting more permissions than they need. As a result, the risk of accidental exposure is extremely high in these dynamic environments, resulting in too many IAM permissions left in code and deployed into production. Some security architects do try to review code for serverless functions to identify excessive permissions and enforce least privilege on their own. But this takes significant time and resources that can often lead to costly time-to-market delays.
In most cases, serverless architecture is far from the only managed cloud deployment security architects must deal with. And as their security responsibilities grow to span infrastructure and multiple interconnected cloud platforms, so does the challenge of consistently enforcing IAM controls. Meanwhile, since the cloud comes without a perimeter, attackers recognize that compromising an over-permissioned account or role in the cloud can simplify the attack path and help them reach their goals faster. Not surprisingly, software supply chain attacks keep coming and growing in scale and sophistication.
In ongoing conversations with cloud security teams and architects at global organizations, we’re hearing the same serverless security challenges echoed repeatedly:
- “Our cloud environment is already so complex that it’s difficult to even see where over-permissioned risks exist in serverless applications — let alone do anything about them.”
- “I can’t detect or remediate these excessive permissions without investing enormous effort.”
- “Without the right IAM policy recommendations in place, our developers can’t use serverless applications and cloud functions to their full advantage.”
If serverless functions are to become the foundation of future application development processes — as many digital enterprises believe will be the case — the fundamental cybersecurity practice of least privilege enforcement must encompass this foundation and extend to all IT environments without disrupting security or development team productivity.
In the words of Henry Ford, “If everyone is moving forward together, then success takes care of itself.” Our team at CyberArk Innovation Labs is exploring these challenges as we broaden our capabilities for securing cloud workloads from identity-based attacks. As we continue to innovate and advocate for secure-by-design cloud principles, we’re seeking design partner organizations to test new capabilities for securing permissions used by serverless functions.