Set up Panoptica in your own Kubernetes environment—in minutes.
If you’re a developer working in a cloud environment, there’s a good chance that you’ve either started thinking about serverless computing or have already started to deploy it. And why not? Unlike VMs or container clusters, serverless functions allow you to delegate infrastructure management to the cloud provider, freeing you to do what you do best—development. They’re “pay-as-you-go” (sort of like taking an Uber right when you need it instead of buying or renting a car). Cool stuff.
The Cloud Native Computing Foundation (CNCF) defines serverless computing as “the concept of building and running applications that do not require server management. It describes a finer-grained deployment model where applications, bundled as one or more functions, are uploaded to a platform and then executed, scaled, and billed in response to the exact demand needed at the moment.”
There are two main types of serverless functions: Functions-as-a-Service, which is event driven (triggered by events or HTTPS requests) and Backend-as-a-Service, which are third-party and API based and can offer core sets of functionalities. Both types confer the advantage of flexible scalability and the fact that you don’t pay for computing resources when they’re not in use.
When should you consider using serverless functions?
A CNCF whitepaper suggests the following use cases as optimal for serverless:
Despite its benefits, serverless computing comes with a few downsides, with security topping the list. While it’s true that serverless computing shifts some of the security burden on to the cloud providers (such as patching, configuring infrastructure, and setting up account management), it also means that you have less visibility, making it more difficult to identify vulnerabilities or detect attacks. Their ephemeral nature complicates the problem even more. Traditional security approaches are often inadequate here. Serverless functions often violate legacy security controls and pave the way for vulnerabilities.
Here are just a few of the types of threats posed by serverless functions:
The bottom line is that while serverless computing offers many valid benefits, you’ll need a security solution in place to ensure that the risks won’t outweigh them.
As we discussed earlier, one of the problems with securing serverless functions is that they are ephemeral, making them hard to monitor and making security problems difficult to diagnose. One way to approach this is to implement policies and permissions that can be extended across your entire environment.
For example, you might want to define a policy that requires every function to have adequate authorization or that it does not expose secrets or sensitive data. If you were able to detect serverless functions that violated these policies, you could potentially kill them before they presented unacceptable risks. If you were able to automatically apply this policy across your entire environment, you’d ensure consistent security and significantly lower your risk profile.
Panoptica lets you do just that.
Here’s how it works: after connecting it to your cloud account*, Panoptica scans your serverless functions for security issues and vulnerabilities and gives them an internal risk score, ranking them based on the score. The score takes the following into account:
You can manually trigger a scan at any time, or you can schedule scans to be run at regular intervals. The scan will check all functions in the account (the specific region) and indicate findings in the Functions tab (see illustration, below). The scan is done in the user's cloud account (using a function added to the account when the account is added). The function code is not examined and does not leave the account.
You can configure the policies, customizing the types of risks that apply to your environment. If Panoptica’s risk score rises to an unacceptable level, you can set it to kill the process and alert you—letting you know exactly which serverless function triggered the alert. You can drill down to show details, including security risks (aggregated risk score) and known code-vulnerability findings (see illustration, below). Pretty slick.
Ready to learn more about Panoptica, including its serverless security features? Check out a quick point-and-click demo. If you have a Kubernetes cluster installed anywhere you can try out Panoptica’s free tier (no credit-card required—go to the Panoptica website and click on the “Sign Up” button in the top right corner of the page) and use our Quick Start to connect Panoptica to your cluster. No cluster? No problem! Play in our Sandbox, which will help you connect to a pre-defined cluster and lead you through the various features, including serverless security.
*While Panoptica currently only supports AWS Lambda, it will soon also be available for Microsoft Azure Function and Google Cloud Function.