Serverless and PaaS Security with CloudPassage Halo


This post was originally published by CloudPassage.

In our previous blog, we introduced the Gartner report “Security Considerations and Best Practices for Securing Serverless PaaS”1 which discusses the challenges security teams face securing serverless and PaaS services, along with the best practices Gartner recommends to address those challenges. This post explores how CloudPassage Halo unifies and automates security and compliance to provide a single-platform solution for serverless and PaaS security. You’ll also discover how Halo offers the same levels of control and automation whether you’re securing IaaS, serverless, PaaS, or containers across any public, hybrid, or multi-cloud environment.

You can also download the Gartner report for more background.

Serverless and PaaS Defined

As cloud provider services mature, they are continually adding serverless and PaaS options that offer highly scalable and robust options for compute, database, object storage, runtime, containerization, and more. Development and product delivery teams have moved to serverless frameworks for their promise of rapid adoption, minimal operational burden, and cost-effectiveness at any scale. For even faster feature adoption and less operational overhead, organizations are now employing Platform-as-a-Service (PaaS) installations as well.

Serverless and PaaS Security starts with identifying the services that need to be secured

Figure 1: Examples of commonly used serverless and PaaS services by function and provider

The Challenges of Serverless and PaaS Security

In traditional data center environments, every aspect of infrastructure is owned and accessible, allowing for total control over all aspects of information security. In IaaS environments, the shared responsibility model for security offloads some of these aspects to the infrastructure provider, including virtualization and physical host, networking, and datacenter security.

The platform as a service (PaaS) model takes the abstraction of security responsibilities a step further, with the PaaS provider addressing configuration of infrastructure platforms like DNS, database, message queues, and more. In the PaaS model, the user’s configuration requirements are restricted in scope compared to the IaaS model. There are no operating systems or platform software components to configure, since these are functions of the PaaS provider. The PaaS control plane provides the extent of configuration options available to the user.

With resource configuration limited to the control plane, security becomes a matter of best-practice configuration. Security and compliance teams responsible for PaaS environments often do not have the same level of visibility into PaaS resource configurations, which is exacerbated by the speed with which PaaS services can be instantiated and changed, usually without traditional change control. Given that misconfiguration is the primary security concern with serverless and PaaS resources, automation that can validate PaaS configuration security at the speed and scale of cloud is an enterprise-wide imperative.

Halo Provides Best-Practice Serverless and PaaS Security

Meeting challenges for serverless and PaaS security means rethinking your approach to security, including the tools you use. Legacy data center tools—and even cloud-specific point solutions—usually fall short in their ability to protect complex networks of serverless and PaaS resources. Legacy solutions lack the features necessary to implement security at the control plane, and point products form a complex tangle of features that are bolted on and stitched together. The resulting gaps and blind spots, which are often found the hard way, can lead to costly front-page breaches.

Halo provides best-practice serverless and PaaS security in two ways:

  • As an integrated service that provides agentless cloud security for common serverless and PaaS services offered by AWS, Azure, and GCP
  • Through a comprehensive API that provides the ability to implement agentless security for cloud-based PaaS services and resources

Halo enables you to automate the process of quickly identifying and closing configuration weaknesses and ensuring best-practice configuration for all cloud assets, including serverless and PaaS.

With Halo, you can implement the Gartner report serverless and PaaS best practices for your assets by:

  • Achieving a cloud-native mindset through automation
  • Laying the foundation for secure serverless and PaaS
  • Enabling security in DevOps through automation

Achieve a Secure Cloud-Native Mindest

Serverless and PaaS adoption challenges organizations to rethink asset ownership, roles, responsibilities, and culture. Automation of security best practices can cut through much of the confusion and enforce compliance no matter how fast the environment changes or moves. Gartner states, “Security and risk professionals should focus on end-to-end visibility, compliance and protection of workloads across all the ways that cloud-native services will be interconnected.1” This includes serverless and PaaS, along with IaaS, virtualized environments, workloads, containers, and more.

Halo offers a single security platform across all environments, regardless of form factor, while also providing deep integration capabilities through a comprehensive API. With consistent security that encompasses all assets, your organizational culture can shift toward a secure cloud-native mindset that enables automated secure, compliant application delivery.

Lay the Foundation for Serverless and PaaS Security

The Gartner report provides best-practice patterns that “provide the secure foundation on which serverless code will be developed and placed into production.1 CloudPassage Halo eliminates point solutions and replaces legacy data center security solutions with a single, unified cloud security platform that provides security for all assets, including serverless and PaaS. Halo can be used to address specific best practices detailed in the Gartner report that, when followed, lay the groundwork for a secure serverless and PaaS development environment, including:

Automated asset inventory and interrogation

By automating asset inventory and interrogation across your cloud environments, you can stay on top of new and changing resources, including serverless and PaaS. This reduces the chance of security gaps and blind spots while providing rapid, real-time response capabilities for issue remediation.

Continuous compliance management

With an automated, unified platform, compliance becomes a matter of continuous improvement rather than an eleventh-hour fire drill before the audit. Compliance with standards and best practices becomes a baked-in—not bolted on—part of serverless and PaaS configuration, operation, and administration, and automated feedback allows for real-time remediation and compliance monitoring so that issues get handled with maximum efficiency.

Enable Security in DevOps Through Automation

In their report, Gartner discusses the concept of secure DevOps. This can include a spectrum of approaches, from embedding security responsibilities into a DevOps team to full-blown DevSecOps.

Once you have consistent security across all infrastructure resources—including PaaS and serverless—you have paved the road for integrating security with DevOps. However, DevOps is all about speed. They’re not going to adopt security automation unless it fits seamlessly into their existing workflows and works at the same speed that they’re accustomed to for rapid, CICD delivery. Gartner states, “All the vulnerability and configuration scanning above should be implemented automatically and transparently to the developer. This will be achieved by using APIs into security scanning tools and by native integration with the developer’s continuous integration/continuous delivery (CI/CD) pipeline.1

Halo security automation integrates seamlessly with common DevOps tools, including Jenkins, JFrog Artifactory, Puppet, Chef, and more. With Halo, you can:

  • “Shift left” to automate vulnerability and compliance scanning as part of every development cycle
  • Accelerate deployment of secure code coming out of the CICD pipeline
  • Extend security response into development and operations by automating alerts and threat detection and putting notifications in front of system owners using existing workflows and DevOps tools

Read more here:


No posts to display