- Like containers, serverless adoption is driven by developers; security won't have a choice.
- Serverless security will only be achieved using a combination of process, technology and
culture changes starting in development and extending into production.
- Existing security tools provide little or no visibility and control capabilities for serverless.
- The greatest risks with serverless come from misconfiguration and the use of vulnerable code.
- The vast majority of applications that use serverless functions won't be entirely serverless.
To adopt serverless PaaS for public cloud securely, security and risk management leaders should:
- Break the strategy into four distinct areas: secure cloud-native mindset, secure serverless
foundation, secure serverless development and secure serverless operations.
- Engage with cloud-native development teams now to understand the time frame for use of
serverless. Run a discovery project to see if serverless code is in use that you aren't aware of.
- Require your cloud security posture management (CSPM) tool to provide risk visibility and configuration/permissions management of the entire IaaS configuration, including serverless.
- Scan for vulnerabilities and misconfiguration automatically during development.
- Require IaaS vendors provide granular access controls on all serverless and PaaS capabilities, and adopt a least privilege security posture, including IAM permissions and network connectivity.
- Require an API gateway or event broker for invocation, providing a visibility and control point.
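The recommendations above ask for configuration and permissions visibility from a CSPM tool, automated scanning during development, and least-privilege IAM permissions on serverless functions. The following is an added example, not code from the Gartner report or from any CSPM product: a small pre-deployment lint over a function's execution-role policy (AWS IAM JSON policy format) that flags the wildcard grants a least-privilege review would reject. The sample policies, the account ID and the resource ARNs are constructed for illustration.

```python
"""Least-privilege lint for a serverless function's execution-role policy.

Added example, not from the Gartner report. Policy documents follow the AWS
IAM JSON format; the sample policies at the bottom are constructed.
"""
from typing import Any, Dict, List, Tuple

# Action-name prefixes treated as read-only when deciding whether Resource "*"
# is acceptable (an assumption of this lint, not an AWS definition).
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value: Any) -> list:
    """IAM lets Statement, Action and Resource be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: Dict[str, Any]) -> List[Tuple[int, str]]:
    """Return (statement_index, finding) pairs for Allow statements that
    over-grant: wildcard actions, NotAction, or Resource "*" on write actions."""
    findings: List[Tuple[int, str]] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect", "Deny") != "Allow":
            continue  # Deny statements cannot widen what the function may do
        uses_not_action = "NotAction" in stmt
        if uses_not_action:
            # NotAction allows every action except those listed: almost always too broad
            findings.append((i, "NotAction grants every action not listed"))
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            if action == "*":
                findings.append((i, "Action '*' grants every API in every service"))
            elif action.endswith(":*"):
                service = action.split(":")[0]
                findings.append((i, f"Action '{action}' grants every API in service {service}"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in resources:
            # Read-only actions on "*" are tolerated; anything that can write or
            # modify state must be scoped to named resources.
            write_actions = [
                a for a in actions
                if not a.split(":")[-1].startswith(READ_ONLY_PREFIXES)
            ]
            if write_actions or uses_not_action:
                detail = ", ".join(write_actions) or "NotAction"
                findings.append((i, f"Resource '*' with non-read actions: {detail}"))
    return findings


# Constructed sample: the "Resource: *, Action: *" role many tutorials ship with.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: a function that only reads/writes one table and its own log group.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders",
        },
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/order-handler:*",
        },
    ],
}


def main() -> None:
    """Print the findings for both constructed policies."""
    for name, policy in (("OVERLY_BROAD", OVERLY_BROAD), ("LEAST_PRIVILEGE", LEAST_PRIVILEGE)):
        result = audit_policy(policy)
        print(f"{name}: {'no findings' if not result else ''}")
        for index, finding in result:
            print(f"  statement {index}: {finding}")


if __name__ == "__main__":
    main()
```

Running the lint against OVERLY_BROAD reports two findings (the wildcard action and the wildcard resource), while LEAST_PRIVILEGE is clean; wiring it into the CI step that packages the function is the "scan during development" the recommendation asks for, and the same logic can be run over the deployed role by a CSPM-style job.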
Strategic Planning Assumptions
By 2021, 90% of enterprises using IaaS will also use some serverless PaaS in production, up from 10% at YE17.
Through 2022, 80% of successful attacks on serverless PaaS will have a root cause of misconfiguration or the use of known vulnerable code due to immature tools and processes.
The adoption of serverless computing is growing — most notably Amazon Web Services (AWS) Lambda and Azure functions. These are technically referred to as a function PaaS (fPaaS or FaaS in Gartner research; see “Innovation Insight for Serverless PaaS” and “An I&O Leader's Guide to Serverless Computing”). However, public cloud providers have expanded their capabilities beyond fPaaS and now the term “serverless” (see Note 1) is shorthand for a larger number of serverless PaaS capabilities (see Figure 1).
Figure 1. Serverless PaaS
Source: Gartner (September 2018)
Gartner client interest in serverless is growing, with approximately 10% of enterprises indicating they already use serverless in production applications, 6% with active pilots and an additional 10% with pilots planned during 2018 (see Figure 2).
Figure 2. Serverless Adoption
From Gartner Data Center Summit, December 2017
Source: Gartner (September 2018)
For most organizations, we believe serverless PaaS adoption is a matter of when, not if — with enterprise adoption rates exceeding 90% by 2021. Like the rapid adoption of containers, serverless computing appeals to developers, enabling them to focus on writing code without having to worry about all the necessary layers below the code. The common element across all serverless PaaS (see Note 2) is that the underlying cloud infrastructure is opaque and hidden from the developer, including the provisioning/deprovisioning of new instances. This includes:
- The OS (typically Windows and Linux, supplied and maintained by the cloud provider)
- The application runtime if needed (for example, Java, Node.js, Python and so on, again supplied and maintained by the cloud provider)
- The orchestration, provisioning and scaling infrastructure (again, instead of manually setting up Kubernetes or autoscale groups, this capability is supplied by the cloud provider)
From a security and risk management perspective, serverless is yet another and more granular abstraction of workloads (abstracted units of work running on a compute layer) that we will need to support. Over the past decade, security has evolved to support virtual machines (VMs), then containers, and will evolve to support serverless deployments. However, as with the adoption of VMs and containers, support for securing serverless will initially have visibility and control gaps. Filling these gaps will require new approaches and the likely use of point solution vendors (see Note 3) until larger security providers step up to offer alternatives. Further, new types of attacks will emerge against serverless PaaS,¹ requiring new approaches and techniques.
The biggest change that security and risk management leaders will have to adjust to is that IT no longer owns or controls the OS and application runtime. The name “serverless” is somewhat of a misnomer (as VMs are also “serverless”). Serverless could be more accurately referred to as “OSless” or “VMless,” as there is no longer an OS and application runtime that IT is responsible for supporting — including patching, versioning and high availability. These become the responsibility of the cloud provider. This helps significantly with issues like patching, but the lack of OS and runtime access challenges traditional workload protection strategies. In Gartner research, cloud workload protection platforms (CWPPs; see “Market Guide for Cloud Workload Protection Platforms”) almost always depend on agent-based OS instrumentation (typically Windows or Linux kernel mode agents). With containers, many container-centric CWPP offerings depend on privileged containers with root access and kernel-level permissions for visibility and control. Even emerging runtime application self-protection (RASP; see “Emerging Technology Analysis: Runtime Application Self-Protection”) approaches depend on accessing the instrumentation APIs of the application runtime environment for visibility and control. None of these approaches will work with serverless. Further, network security approaches are also severely challenged. Security controls that depend on fixed IP addresses, static hostnames or in-line third-party network security virtual appliances (a cloud anti-pattern; see “Reimagining Security and IT Resilience for a Cloud-Native DevSecOps World”) won't work for serverless.
Securing serverless will force information security and risk professionals to focus on the areas we retain control over (see “Staying Secure in the Cloud Is a Shared Responsibility”). Specifically, the integrity and assurance of the code, identities of the code and developers, permissioning, and serverless configuration, including network connectivity. New approaches and techniques for securing serverless will be required and should be designed using a life cycle approach, starting in development and carrying through into operations. To illustrate this, we will build on secure DevOps (DevSecOps) research best practices established in “10 Things to Get Right for Successful DevSecOps” (see Figure 3).
Figure 3. Using DevSecOps to Frame Serverless Security Strategy
Source: Gartner (September 2018)
This research will provide security and risk management leaders specific best practices and considerations for securing serverless computing environments in the four major discussion areas shown in Figure 3:
- Secure cloud-native application mindset
- Secure serverless foundation
- Secure serverless development
- Secure serverless operation
Although this research focuses on the visibility and control issues of serverless PaaS, most of these serverless best practices can also be applied to other nonserverless PaaS services and high-productivity app platforms (low code and no code). Those platforms have similar visibility and control issues because the underlying OS, application platform and autoprovisioning system are under the control of the cloud provider.
¹ Gartner "Technology Insight for X.509 Certificate Management" October 3, 2019, David Mahdi, David Collinson.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.