Google Cloud’s Threat Horizons Report Identifies Risks to Serverless Environment

Serverless environments offer organizations a new paradigm on their cloud modernization journeys. Developers package application logic as functions and let the provider run them, so application code stays separate from server and infrastructure management. Servers still exist, but the provider allocates them per request, which is what turns the environment into a Function-as-a-Service (FaaS) cloud computing model. The problem with this FaaS-based serverless model is that vulnerabilities in the functions land on infrastructure the organization does not control: AWS, Google Cloud, IBM, or Microsoft Azure run the platform, but the function code remains the customer's responsibility. Flawed code can still expose the application to common vulnerabilities such as DoS, XSS, command/SQL injection, and others. So despite the provider's serverless security controls, these computing environments carry risks that can fall outside the reach and visibility of IT and cloud security managers. The latest Google Cloud Threat Horizons Report identifies the biggest threats and challenges met by cloud defenders working at the serverless frontlines.

Here are the key takeaways from the serverless environment threat report.

#1 Threat actors target cloud systems with weak credentials and misconfigured setups

The threat of a cyberattack looms over every business. The latest large-scale IT outage is a reminder of how a single accident can bring operations down even where best practices and frameworks are in place.

Threat actors used weak or missing credentials as the leading vector for malicious activity in poorly configured environments: 47.2% of initial-access cases were linked to credentials, followed by misconfiguration (30.3%). Serverless environments are attacked from multiple directions, including DNS tunneling and cryptojacking attempts. The Google Cloud report found that cryptomining accounted for 58.8% of observed attack activity, followed by lateral movement (23.5%) and denial of service (5.9%).


Recommendation:

The report highlights the importance of secure authentication, including MFA, and of cryptomining protection programs to defend the environment. Multi-cloud posture management and threat detection products such as Google Security Command Center cover these instances across projects.
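The two leading vectors above, credentials and misconfiguration, both leave traces in audit logs, and the recommendation is to detect them rather than hope they never happen. The following detection logic is an added example written for this article, not code from Google or from the report. It runs over constructed, simplified audit-style events (one JSON object per line, not a real Cloud Audit Log schema) and flags an invoker role granted to everyone on the internet, a successful login preceded by a burst of failures from the same source, logins completed without MFA, and what a suspicious account did afterwards. The role and member names mirror Google Cloud IAM conventions; the event field names are assumptions for the example.

```python
import json
from collections import defaultdict

# Members that make a binding world-accessible, and roles that let a member
# invoke a function or Cloud Run service (real IAM identifiers).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
INVOKE_ROLES = {"roles/cloudfunctions.invoker", "roles/run.invoker"}

# Constructed sample events in a simplified audit-log-like shape (assumed
# field names, not a provider schema). Timestamps are seconds.
SAMPLE_EVENTS = """\
{"ts": 100, "principal": "deploy-sa@example.test", "action": "SetIamPolicy", "resource": "functions/payments", "member": "allUsers", "role": "roles/cloudfunctions.invoker", "status": "OK"}
{"ts": 101, "principal": "deploy-sa@example.test", "action": "SetIamPolicy", "resource": "functions/reports", "member": "group:finance@example.test", "role": "roles/cloudfunctions.invoker", "status": "OK"}
{"ts": 200, "principal": "bob@example.test", "action": "Login", "src": "203.0.113.9", "status": "FAILED", "mfa": false}
{"ts": 205, "principal": "bob@example.test", "action": "Login", "src": "203.0.113.9", "status": "FAILED", "mfa": false}
{"ts": 211, "principal": "bob@example.test", "action": "Login", "src": "203.0.113.9", "status": "FAILED", "mfa": false}
{"ts": 220, "principal": "bob@example.test", "action": "Login", "src": "203.0.113.9", "status": "OK", "mfa": false}
{"ts": 300, "principal": "alice@example.test", "action": "Login", "src": "198.51.100.4", "status": "FAILED", "mfa": true}
{"ts": 900, "principal": "alice@example.test", "action": "Login", "src": "198.51.100.4", "status": "OK", "mfa": true}
{"ts": 950, "principal": "bob@example.test", "action": "CreateInstance", "resource": "instances/miner-01", "status": "OK"}
"""


def parse_events(text):
    """One JSON object per line, blank lines ignored; returned sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def find_public_bindings(events):
    """Misconfiguration: an invoker role granted to every internet user."""
    return [
        (e["resource"], e["member"], e["role"])
        for e in events
        if e.get("action") == "SetIamPolicy"
        and e.get("member") in PUBLIC_MEMBERS
        and e.get("role") in INVOKE_ROLES
    ]


def find_credential_attacks(events, threshold=3, window=60):
    """Weak credentials: a successful login preceded by at least `threshold`
    failures from the same source within `window` seconds (spraying or
    stuffing that eventually worked)."""
    failures = defaultdict(list)  # (principal, src) -> failure timestamps
    hits = []
    for e in events:
        if e.get("action") != "Login":
            continue
        key = (e["principal"], e.get("src"))
        if e["status"] == "FAILED":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - window <= t < e["ts"]]
        if len(recent) >= threshold:
            hits.append({"principal": e["principal"], "src": e.get("src"),
                         "failures": len(recent), "ts": e["ts"]})
        failures[key].clear()  # a success ends the streak either way
    return hits


def find_logins_without_mfa(events):
    """Successful logins that completed without a second factor."""
    return [e["principal"] for e in events
            if e.get("action") == "Login" and e["status"] == "OK" and not e.get("mfa")]


def follow_on_activity(events, hits):
    """What each suspicious account did after its flagged login; this is
    where cryptomining instances and lateral movement show up."""
    return [
        (h["principal"], e["action"], e.get("resource"))
        for h in hits
        for e in events
        if e["principal"] == h["principal"] and e["ts"] > h["ts"] and e.get("action") != "Login"
    ]


def triage(text):
    """Run every check over a log excerpt and return the findings by category."""
    events = parse_events(text)
    hits = find_credential_attacks(events)
    return {
        "public_bindings": find_public_bindings(events),
        "credential_attacks": hits,
        "logins_without_mfa": find_logins_without_mfa(events),
        "follow_on": follow_on_activity(events, hits),
    }


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_EVENTS).items():
        print(category, findings)
```

On the sample, the payments function is flagged as publicly invokable, bob's login at t=220 is flagged because three failures from the same address precede it within the window, bob is the only principal logging in without MFA, and the instance he creates afterwards is listed as follow-on activity. Alice's single failure an hour before her success is below the threshold and produces nothing, which is the point of keeping the window and threshold explicit.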

#2 Hard-coded and clear-text secrets

Hard-coded passwords, embedded API keys, and database credentials pose major risks to serverless environments. Clear-text credentials stored in function code or environment variables are available to anyone who obtains the code or the function configuration, whether through accidental exposure or a compromise. Threat actors such as UNC2465, UNC4713, and APT41 also use serverless infrastructure for malware distribution or command-and-control (C2) communication.

Because serverless code runs in short-lived containers, spotting vulnerable code and reconstructing what it did is harder than on long-running hosts. Attackers exploit this blind spot to move laterally to other cloud resources and gain a stronger foothold for reaching data.
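Finding these secrets before deployment is a cheap, mechanical check. The scanner below is an added example written for this article, not code from the report or from any vendor. It scans a constructed function source file and a constructed set of deployed environment variables for known key formats, passwords embedded in connection URLs, and secret-looking assignments whose values have high entropy, while accepting references to a secret store (the fix) rather than literal values. The AWS key in the sample is the public placeholder from AWS documentation; the regexes cover a few common formats and are not exhaustive.

```python
import math
import re

# Constructed sample: a function source file in the shape the report warns
# about. The AWS key pair is the public placeholder from AWS documentation.
VULNERABLE_HANDLER = '''\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_URL = "postgres://app:Sup3rS3cr3t!Pw@db.internal:5432/orders"
DEBUG_PASSWORD = "password"   # low entropy: caught by its name, not its entropy

def handler(event, context):
    return {"ok": True}
'''

# Constructed sample: the function's deployed environment variables. Anyone
# who can describe the function can read these. Two are references to a
# secret store, which is the remediation, not a leak.
DEPLOYED_ENV = {
    "DB_PASSWORD_REF": "projects/123/secrets/db-password/versions/latest",
    "STRIPE_KEY": "arn:aws:secretsmanager:us-east-1:123456789012:secret:stripe",
    "SLACK_TOKEN": "xoxb-0000000000-0000000000-AbCdEfGhIjKlMnOpQrStUvWx",
    "LOG_LEVEL": "info",
}

KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z\-]{20,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_in_url": re.compile(r"[a-z][a-z0-9+.\-]*://[^/\s:@]+:([^@\s]+)@"),
}
# NAME = "value" where NAME smells like a secret; the value is then judged
# by entropy so that names like DB_PASSWORD_REF with a path value pass.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:password|passwd|secret|token|api_key)\w*)\s*[=:]\s*['\"]([^'\"]+)['\"]")
SECRET_NAME = re.compile(r"(?i)password|passwd|secret|token|key")
# Pointers into a secret manager (GCP, AWS, Azure) are resolved at runtime
# by the function's identity and are what should be in the environment.
SECRET_REFERENCE = re.compile(
    r"^(projects/\S+/secrets/|arn:aws:secretsmanager:|https://\S+\.vault\.azure\.net/)")


def shannon_entropy(s):
    """Bits per character: random keys sit above 4, English words under 3."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value):
    """Never echo a found secret back into logs or CI output."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_source(text):
    """Return (line_no, rule, redacted_value) for each hard-coded secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in KNOWN_FORMATS.items():
            for m in rx.finditer(line):
                findings.append((no, rule, redact(m.group(m.lastindex or 0))))
        m = GENERIC_ASSIGNMENT.search(line)
        if m and not any(f[0] == no for f in findings):
            name, value = m.groups()
            if shannon_entropy(value) >= 3.0 or name.lower().endswith("password"):
                findings.append((no, "secret_assignment", redact(value)))
    return findings


def scan_env(env):
    """Flag literal secrets in environment variables; accept store references."""
    findings = []
    for name, value in env.items():
        if not SECRET_NAME.search(name) or SECRET_REFERENCE.match(value):
            continue
        if shannon_entropy(value) >= 3.0 or any(rx.search(value) for rx in KNOWN_FORMATS.values()):
            findings.append((name, "literal_secret_in_env", redact(value)))
    return findings


if __name__ == "__main__":
    for f in scan_source(VULNERABLE_HANDLER):
        print("source line %d: %s (%s)" % f)
    for f in scan_env(DEPLOYED_ENV):
        print("env %s: %s (%s)" % f)
```

Run against the sample, the scanner reports the access key ID, the secret key (by name plus entropy), the password inside the database URL, and the low-entropy debug password (by name alone); in the environment only the literal Slack token is flagged, while the two secret-manager references pass. Wiring this into the deployment pipeline, and treating the environment block with the same suspicion as the code, is the practical form of the recommendation above.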

#3 How does BaaS become a can of worms?

Serverless applications lean on BaaS platforms for ready-made functionality. Cloud developers expect secure storage and application data management from the BaaS environment. However, misconfigured or insecure BaaS API endpoints can lead to uncontrolled data exposure.

Recommendation:

The Google security team recommends establishing and maintaining BaaS security baselines that cover default configurations, access controls, encryption, and automated security reviews.
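A baseline is only useful if something checks the inventory against it. The review below is an added example written for this article, not Google's tooling or any BaaS vendor's API. It assumes a small set of baseline settings (authentication, public read/write, encryption at rest, minimum TLS, CORS origins) and a constructed endpoint inventory as an operations team might export it; the field names are assumptions for the example. Endpoints that are meant to be public go on an explicit exception list, and a setting that is simply absent is reported rather than assumed safe, because the provider's own default may be permissive.

```python
# Secure defaults every BaaS endpoint is expected to start from (assumed
# baseline fields for this example).
BASELINE = {
    "auth_required": True,
    "public_read": False,
    "public_write": False,
    "encryption_at_rest": True,
    "min_tls": "1.2",
    "cors_origins": [],  # empty means same-origin only
}

# Constructed inventory in the shape an ops team might export it.
INVENTORY = [
    {"name": "users-db", "auth_required": True, "public_read": False, "public_write": False,
     "encryption_at_rest": True, "min_tls": "1.2", "cors_origins": ["https://app.example.test"]},
    {"name": "uploads-bucket", "auth_required": False, "public_read": True, "public_write": True,
     "encryption_at_rest": True, "min_tls": "1.0", "cors_origins": ["*"]},
    {"name": "static-assets", "auth_required": False, "public_read": True, "public_write": False,
     "encryption_at_rest": True, "min_tls": "1.2", "cors_origins": ["*"]},
    {"name": "legacy-reports", "public_read": False},  # most settings never set
]

# Endpoints reviewed and approved as intentionally public-read.
APPROVED_PUBLIC_READ = {"static-assets"}


def tls_ok(version):
    """True when the minimum protocol version is TLS 1.2 or newer."""
    return tuple(int(x) for x in str(version).split(".")) >= (1, 2)


def review_endpoint(ep, approved_public=APPROVED_PUBLIC_READ):
    """Return (endpoint, severity, message) findings for one endpoint."""
    name = ep["name"]
    findings = []
    # Unset is not secure: report it, then evaluate with the baseline value.
    for key, default in BASELINE.items():
        if key not in ep:
            findings.append((name, "medium",
                             "%s not set explicitly; baseline %r assumed for review" % (key, default)))
    cfg = {**BASELINE, **ep}
    public_ok = name in approved_public
    if cfg["public_write"]:
        findings.append((name, "critical", "public write enabled: anyone can modify or plant data"))
    if cfg["public_read"] and not public_ok:
        findings.append((name, "high", "public read enabled without an approved exception"))
    if not cfg["auth_required"] and not public_ok:
        findings.append((name, "high", "unauthenticated access allowed"))
    if not cfg["encryption_at_rest"]:
        findings.append((name, "high", "encryption at rest disabled"))
    if not tls_ok(cfg["min_tls"]):
        findings.append((name, "medium", "minimum TLS %s is below 1.2" % cfg["min_tls"]))
    if "*" in cfg["cors_origins"] and not public_ok:
        findings.append((name, "medium", "wildcard CORS origin on a non-public endpoint"))
    return findings


def review(inventory, approved_public=APPROVED_PUBLIC_READ):
    """Review every endpoint in the inventory against the baseline."""
    return [f for ep in inventory for f in review_endpoint(ep, approved_public)]


def summarize(findings):
    """Count findings per severity, for a pipeline gate or dashboard."""
    counts = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = review(INVENTORY)
    for name, severity, message in results:
        print("%-15s %-8s %s" % (name, severity, message))
    print(summarize(results))
```

On the sample, users-db and the approved static-assets bucket pass, uploads-bucket collects one critical and four lesser findings, and legacy-reports is reported once per setting that was never made explicit. Gating deployment on `summarize()` returning no critical or high entries turns the baseline into the automated review the recommendation asks for.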


#4 Threat actors spread malware using serverless cloud services

Advanced attackers go after vulnerabilities in serverless cloud environments with precision. In addition to hypervisor DoS attacks and live-migration risks, threat actors quickly pounce on misconfigured functions and the weak credentials stored with them. Malware then carries the compromise deeper into cloud resources; it is introduced through phishing pages and malicious scripts or code hosted on the same serverless services. The report observed this abuse across cloud services including Google Cloud, AWS, Cloudflare, Azure, and others.

The report named these threat actors and malware families:

  • Astaroth infostealer
  • PINEAPPLE
  • FLUXROOT

Remediations

  • Apply the principle of least privilege: restrict identities and permissions to the limited set of users, service accounts, and administrators that need them.
  • Keep function runtimes and dependencies patched and run malware detection across both public and private cloud environments.
  • Monitor workplace collaboration tools for leaked passwords and shared credentials.
  • Control network ingress to and egress from functions so that only expected users, developers, and services can reach them or be reached by them.
  • Use secure techniques for service-to-service authentication.
  • Establish serverless security best practices with culture-driven cybersecurity leadership training programs for all stakeholders, including partners and customers.

Frequently-asked Questions (FAQs)

What is a serverless environment?

According to Red Hat, serverless is a cloud-native development model in which applications, typically deployed in containers, are built and run without managing servers.

What are the different categories of serverless computing?

Serverless computing solutions are categorized into two groups:

  • Backend-as-a-Service (BaaS)
  • Function-as-a-Service (FaaS)

In common usage, "serverless" refers to FaaS offerings.

What are typical serverless examples in the cloud service industry?

Top serverless examples are AWS Lambda, Google Cloud Functions, Microsoft Azure Functions, and IBM Cloud Code Engine.

Which languages does serverless support?

Most languages are supported in serverless frameworks. These include Python, Node.js, Java, and others.

How can DevOps teams deal with insecure authentication in serverless?

IT and security teams can use the cloud service provider's access control solutions. These include OAuth 2.0, OpenID Connect (OIDC), SAML, and MFA.

How is serverless different from PaaS?

Both PaaS and serverless computing abstract server management away from the developer; in both, the backend is invisible. Here are the three major differences between PaaS and serverless:

  1. PaaS provides more control over the deployment environment than serverless.
  2. Serverless functions run only when they are requested or invoked and scale to zero when idle; PaaS applications typically run continuously.
  3. Serverless applications scale automatically with each invocation, whereas a PaaS application scales only as the platform is configured to.

What are hardcoded passwords?

We referred to numerous IT and cybersecurity resources before choosing the best to answer this FAQ about serverless environment threat remediation. This definition by BeyondTrust made it to our article here.

BeyondTrust defines hardcoded passwords, or embedded credentials, as plain-text passwords and other secrets placed directly in source code. These passwords pose considerable cybersecurity risk to serverless applications.
