1. var bob = new Person();
2. bob.sayHello();
3. bob.wave();
##################################################################################################################
##################################################################################################################
4. var cup = new Coffee();
5. bob.drink(cup);
6. var cupTwo = new Coffee();
Serverless/Serviceful architecture could be said to be the art/science of constructing systems that deliver business value fast whilst incurring the lowest possible management overhead. Why am I starting a post about security with this statement? Well, as far as I’m concerned, this optimizes for a lot of security concerns too.
Let’s take the classic example of a Serverless service, the Function-as-a-Service platform. In Azure’s case this means Azure Functions. What security concerns are there? Well, if you read the OWASP report, you can see there’s some around SQL injection etc, but basically there’s none that are serverlesss specific - they are all generic application logic problems. That’s encouraging in itself. For me there are two key ways that Azure Functions are more secure than other ways of doing compute on Azure, or in general:
There’s another reason serverless/serviceful approaches are more secure too. In my second book, I show you how to use Azure Active Directory B2C to implement a login flow. Managing logins is a very dicey problem to solve yourself, as there are a bunch of ways you can get it wrong, beyond the usual of storing passwords in plaintext in a SQL server that still has the Server Admin role on it. In a serverless/serviceful approach, you simply use the service and don’t expose yourself to the possible security concerns caused by faulty application logic.
I see a lot of people creating application diagrams and thinking, ‘I need this to be secure. I’ll wrap it in a Virtual Network with a firewall around it - that’ll sort it’. They then block off all traffic except for from the companies internal network. There’s some key issues I have with this. For a start it can instantly be the death of serverless approaches, due to their general lack of a fixed network presence. In the old days of the on-prem world it was very difficult to harden each application, so wrapping the entire datacenter in a firewall with a small hardened DMZ was the best approach. These days, implementing Azure Active Directory authentication for every application on Azure is almost trivial. Most services now come with active monitoring for malicious activity, like Azure SQL PaaS. You can also user something like Azure Front Door or Akamai for DDoS protection. This means it is now straightforward to harden each individual component.
So now that its easier to harden each component, what role does the firewall play? Well evidently in terms of making life more difficult for an attacker, defence in depth is a good principle - so why not put a firewall in as well as the AAD integration and active malicious use monitoring? Well there’s actually quite a few reasons why you might not want to and why doing so may actually weaken your security:
There is a setting on Azure Virtual Networks which lets you ‘allow access to Azure Services’. If you tick this, you don’t need a Virtual Network with firewall. How do I know this? It opens the app to entirety of the Azure data centre - if you really needed a firewall you wouldn’t open access to any mid-twenties bloke in the U.K. (me!) with an Azure account.
This is the first cut of a number of ideas that have been rolling around in my head for a while - it definitely shouldn’t be treated as definitive. I hope it helps people debating serverless security approaches.
© 2022 - Built by Daniel Bass