Serverless Security Threats Loom as Enterprises Go Cloud Native
Enterprises are rapidly adopting serverless computing because of improved security as well as the need for speed and greater operational efficiency. However, as they increase their usage of serverless functions, companies must understand how this affects their threat landscape — and how to implement security measures such as runtime controls and API discovery and usage inspection, according to a new Enterprise Strategy Group (ESG) study that looks at how organizations are securing cloud-native applications.
Application security company Data Theorem commissioned the study, Security for DevOps – Enterprise Survey Report. In it, ESG analyzed responses from 371 IT and cybersecurity professionals at organizations in North America responsible for evaluating, purchasing, and managing cloud security technology products and services.
These organizations are mature cloud users in terms of public cloud services and/or containers — in other words, they are not newbies when it comes to cloud native. “We wanted to make sure we had participants who were smart on the topic,” explained Doug Cahill, senior analyst and group practice director of cybersecurity for ESG.
Survey participants represented a wide range of industries, including manufacturing, financial services, health care, communications and media, retail, government, and business services.
The study found that only 8% of companies are securing 75% or more of their cloud-native applications with DevSecOps practices — automating core security tasks by embedding security controls and processes into DevOps. That number jumps to 68% of companies that say they plan to secure 75% or more of their cloud-native applications with DevSecOps practices in two years.
It also found that 82% of respondents have different teams assigned to secure cloud-native apps. Of this group, 50% plan to merge these responsibilities in the future, while 32% of respondents’ organizations do not plan to merge these responsibilities.
Security as Code
“What we found in the study is that organizations are starting to implement DevSecOps processes, but they are not yet covering a lot of their applications,” Cahill said. “When that number jumps so dramatically in two years, what I see happening is repeatability with security as code.”
Here’s why that needs to happen. First, there’s a well-documented shortage of skilled security professionals. “And a worse shortage of cloud security skills,” Cahill said. “The challenge then is: if I have a business with multiple project teams, how does the security team keep up with the rate at which the project teams are moving?”
Companies don’t have enough people to solve this problem, so they need automation: embedding security checks into the CI/CD pipeline so that they run on every build rather than depending on a security team to review each project by hand.
“That’s how you get repeatability, that’s how you get scale, vis-a-vis security as code that can be replicated and repeated across multiple projects,” Cahill said.
Serverless Security Threats
Another interesting piece of the research centers on the uptick of companies using serverless. More than half (52%) of respondents indicated their organization’s software developers are already using serverless functions to some extent, with another 44% either evaluating or planning to start using serverless within the next two years.
Almost three-quarters (73%) said their No. 1 reason for using serverless is improved security, followed by agility and faster time to market when building new applications (57%), and simplicity of operations (56%).
However, as companies start using new cloud-native technologies including serverless functions, they also need to update their understanding of security threats and how to implement the right security controls. The study found that API-related vulnerabilities are the top threat concern (63% of respondents) when it comes to serverless usage within organizations.
An example of this threat is attackers misusing privileged accounts to execute serverless functions. “So even though we are talking about something new,” Cahill said, referring to serverless, “the attack vectors and methods are old methods applied to a new technology. So we should always be thinking about how privileged accounts are being used. We want to make sure we implement a least-privilege model” to restrict access for accounts to only the resources required to perform routine, legitimate activities.
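One way to turn that least-privilege advice into a repeatable check, as an added example that is not part of the article or the ESG study: a small policy linter that flags IAM-style statements granting wildcard or all-resource rights over serverless functions. The policy documents are constructed samples, and the action names assume AWS Lambda naming; the account id in the function ARN is a placeholder.

```python
"""Flag IAM-style policy statements that grant overly broad rights over
serverless functions.  Added example, not from the article or ESG; the
policies are constructed and the action names assume AWS Lambda naming."""
import json

# Actions that run or alter function code: the rights a misused privileged
# account would need to execute serverless functions.
SENSITIVE_ACTIONS = {"lambda:InvokeFunction", "lambda:UpdateFunctionCode",
                     "lambda:CreateFunction", "lambda:AddPermission"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action patterns: '*', a 'prefix*' glob, or an exact name."""
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()

def find_overbroad_grants(policy_json):
    """Return one finding per Allow statement that reaches a sensitive action
    via a wildcard action pattern or grants it on every resource ('*')."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        hit = sorted(a for a in SENSITIVE_ACTIONS
                     if any(_matches(p, a) for p in actions))
        if not hit:
            continue
        wildcard = any(p.endswith("*") for p in actions)
        if wildcard or "*" in resources:
            findings.append({"statement": i, "actions": hit,
                             "wildcard_action": wildcard,
                             "any_resource": "*" in resources})
    return findings

# Constructed samples: a deployment role allowed to run or overwrite every
# function, and its least-privilege counterpart scoped to one action and one
# function ARN (placeholder account id).
OVERBROAD_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]})
SCOPED_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:us-east-1:123456789012:function:order-intake"}]})
```

Run as a CI step over the policies attached to deployment and service roles, the check fails the build on the first policy while passing the scoped one, which is the security-as-code repeatability described above.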