Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Serverless Security by Ranga Vangara

Avatar for edgeroute edgeroute
March 30, 2018
180

Serverless Security by Ranga Vangara

Avatar for edgeroute

edgeroute

March 30, 2018

Transcript

  1. Vinay Bansal, Principal Security Architect, Cisco Systems Ranga Vangara, Technical

    Leader, Cisco Systems Oct, 2017 Securing the Serverless Workloads in Cloud
  2. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Agenda • What is Serverless? • Serverless Architecture • Security Responsibility Model • Threat Model • Securing Serverless • Best Practices
  3. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public Build and run applications without thinking of servers What is Serverless? AWS Lambda Google Azure Functions Virtual Machines Containers Serverless Compute Physical Machines SSH
  4. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public Trend - Serverless Leapfrogging Containers AWS Lambda Google Azure Functions Virtual Machines Containers Serverless Compute
  5. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public Example: Serverless- Thumbnail Image Creation Reference: https://www.bypeopletechnologies.com/blog/2017/05/01/serverless-image-resizing-aws-lambda-and-aws-s3/
  6. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public • Tenant is free from managing the back-end servers/containers • Tenant provides the function, and the triggers. • Provider/Platform manages the lifecycle of the execution. Serverless Advantages AWS Lambda OpenWhisk Azure Function GCP Function IBM Function
  7. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public Serverless Architecture Environment Registry Container Pool API Gateway VM/Host Runtime User Serverless Backend
  8. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public Shared Responsibility Model (Cloud) Data Center Platform Services Compute Storage Networking Virtual Machines /Containers Apps • Web/App/DB Server • User Accounts • Operating System • Access Control • Physical Security • Infrastructure Security • Identity • Access Control Cloud Provider Tenant Operations Data Registration Support Billing • Tenant data collected to provide service Customer/ Tenant Data • Integrity • Encryption • Data that tenant processes/ brings/ collects Cloud Provider Responsible for the security of the Cloud Tenant Responsible for the security In the Cloud Responsibility Tenant
  9. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public Shared Responsibility Model (Serverless) Provider Tenant OS Security (Hardening/Patching) Physical Security Container and VM (Hardening/Patching) Language Runtime (Standard Libraries/Versions) Tenant Isolation Enforcement of Authorization Policies Application Code Data Security (Rest/Transit) Credentials/Secret Management Configuration/Policies/Authorization Roles
  10. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public Difference Between Pictures Reference: McDonald , Cooking Contest
  11. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public • De-coupled, and Asynchronous design • Distributed Over Public Internet • Smaller, Time bound tasks • Messaging Based • Event based Triggers • Encourages Micro-services Architecture Serverless Based Architecture
  12. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public Example: Serverless Audit Engine in AWS Runs every 24 hours table Dynamo DB Security Assessment Results Amazon API Gateway AWS Lambda Security Audit Functions Cross Account Security Audit Role AWS Tenant Accounts Risk Management System (Jira) Nightly Reports email Real Time Integration queue Amazon SQS Audit Account
  13. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public Serverless Security Threats AWS Lambda Google Azure Functions Serverless 1. Application Vulnerabilities (OWASP) 2. Weak Credentials Management 3. Insecure Configurations 4. Third Party Packages (unpatched) 5. Distributed Denial of Service
  14. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public • Secure Coding/Development • Input Validation (libraries) • Static Code Analysis • Application Vulnerability Scanning • Web Application Firewall 1. Application Vulnerabilities
  15. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public Credentials are misused to gain unauthorized access Mitigation • Remove hard-coded and default credentials • Credentials in scripts and source code repositories • Credentials in Docker repositories • Use Role based Access • No need to manage credentials • 3rd party integration credential • Use Key/Secret Management Service 2. Credential Management
  16. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public Example: IAM Based Authorization for Lambda (AWS)
  17. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public • Secure the messaging (E.g. SNS, SQS) • Proper access control for each component • Secure the triggers • E.g. of insecure trigger: Misconfiguring an SNS to be public and triggering an action 3. Secure Configurations
  18. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public • Responsible for third party packages • Use latest versions • Keep patched • Trusted third party package supply • Keep Inventory 4. Secure Third Party Packages
  19. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public • Serveless is exposed via APIs • Rate Limiting • Horizontal Scaling • Billing Alerts • Incorporate defense-in-depth concepts • Leverage WAF, IAM Roles, KMS Encryption, VPC Endpoints • AWS Shield for limited insurance. 5. Distributed Denial of Service Protection
  20. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public Example: Enforce Quota/Usage to Minimize DDOS
  21. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public • DDoS might have a different impact to your wallet unless there is alerting setup and action on it. • Setup Alerts for unusual billing activity • If possible guard against these by rate controls • See if there is an insurance scheme kind of thing to protect against unexpected heavy charges. E.g. AWS Shield. Billing Alert
  22. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public Best Practice: Security Automation via CI/CD Code Build Test Deploy Operate /Maintain Secure Coding Practices Security Testing Static Code Analysis Secure Code Repo Infra as Code (Code all the Roles, Policies, etc.) Secure Build Servers Secure Build Secrets Static Code Analysis Use trusted 3rd party libs, tools Security Testing Dynamic Analysis Secure Deployment Secrets Secure Deployment Servers, storage buckets, Rate Control the APIs Deployment Policies Continuously Monitor Incidence Response
  23. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public • Short Lived Serveless Functions • Unlike traditional environment, If compromised, the container is not going to be there long enough for backdoors • Debugging, forensics will be difficult as the environment is completely torn once the function exits • Function Asset Tagging for Attribution • Decommissioning, Function Sprawl, Ownership, Dependency tracking Logging and Monitoring Challenges
  24. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public • Build good logging and auditing functionality • If an incident happens, these are the main artifacts available unlike in traditional environment where we can login to the host and collect more information. • Filter events, and setup alarms on any unusual activity Best Practice: Logging and Monitoring
  25. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco

    Public • Serverless Functions, New Norm • Understand Responsibility Model • Provider Responsibility - Manage and Secure Servers/OS • Tenant Responsibility I. Application Security II. Credentials Management III. Secure Configurations IV. Third Party Packages V. Distributed Denial of Service • Best Practices • Secure CI/CD Pipeline • Logging and Monitoring Summary