While the rise of serverless computing has added new simplicity and efficiency to business operations, the separation of security duties between the cloud provider and the application built on top of it has opened a new array of security issues.
To learn more about how businesses are addressing shadow APIs, denial-of-wallet and other cybersecurity threats designed to exploit serverless computing, we turned to Joaquin Madruga, who serves as engineering director at Cloudflare. His team oversees Cloudflare Workers, a serverless platform that runs across more than 200 cities worldwide. Customers use the platform to deploy and protect their own serverless applications, complete with edge storage and automatic traffic routing to balance the load across multiple servers.
“With serverless, you’re handing over a lot of the drudgery of patching operating systems and system software to your provider,” Madruga said. “This enables you to focus on building and securing your applications.”
With new technology underpinning critical systems, Madruga said transparency across the industry is key right now. Security audits, bug bounties and blog posts summarizing security issues and deployed fixes are all part of his team’s processes.
What are a few of the internal best practices your team follows to secure your customers’ serverless deployments?
Cloudflare is a security company, so security is top of mind in everything we do. This is never an afterthought. We make sure that our platform is secure at scale, so that applications can be deployed across the globe with no worries — not only in regard to performance, but also security at that scale. There are no tradeoffs between security and performance, and vice versa. Before Infrastructure-as-a-Service became common, people spent a lot of time planning and deploying physical infrastructure as part of their development process for a new service. Serverless is a further step in that evolution. At Cloudflare, we build and operate a service that’s focused on not only securing and provisioning physical infrastructure but also all of the software that applications run on. In short, we handle substantial portions of the stack that application developers would normally manage.
We blog publicly in detail about issues we’ve identified, the impacts and how we fixed them.”
What training or knowledge-sharing had to take place to get your developers familiar with both the risks and the practices that can minimize them?
As we’re focused on the entire stack, including hardware and software, we have teams that are focused on securing our infrastructure, including both physical hardware and our global network. We have a security team that audits software and provides training along with a bug bounty program for people to report any issues they find. At Cloudflare, we value true transparency. We blog publicly in detail about issues we’ve identified, the impacts and how we fixed them. We believe a security organization like Cloudflare needs to be honest and transparent in everything we do.
What advice do you have for other engineers who are making the transition to a serverless architecture and are concerned about security risks?
Security should never be an afterthought. Serverless architectures help application developers focus on their code and not worry about infrastructure. Maintaining solid software development practices such as writing modular code and not mixing concerns in overly complex functions will go a long way to make sure you’re able to audit your code for vulnerabilities.
Use the features your serverless provider gives you to establish a fine grain access policy for managing deployments. Treat API keys and API tokens as credentials; don’t check them into repositories and make sure you have a way to store them securely. With serverless, you’re handing over a lot of the drudgery of patching operating systems and system software to your provider. This enables you to focus on building and securing your applications.