This post was originally published by CloudPassage.
In our previous blog, we introduced the Gartner report "Security Considerations and Best Practices for Securing Serverless PaaS"[1], which discusses the challenges security teams face securing serverless and PaaS services, along with the best practices Gartner recommends to address those challenges. This post explores how CloudPassage Halo unifies and automates security and compliance to provide a single-platform solution for serverless and PaaS security. You'll also discover how Halo offers the same levels of control and automation whether you're securing IaaS, serverless, PaaS, or containers across any public, hybrid, or multi-cloud environment.
You can also download the Gartner report for more background.
Serverless and PaaS Defined
As cloud provider services mature, they are continually adding serverless and PaaS options that offer highly scalable and robust options for compute, database, object storage, runtime, containerization, and more. Development and product delivery teams have moved to serverless frameworks for their promise of rapid adoption, minimal operational burden, and cost-effectiveness at any scale. For even faster feature adoption and less operational overhead, organizations are now employing Platform-as-a-Service (PaaS) installations as well.
The Challenges of Serverless and PaaS Security
In traditional data center environments, every aspect of infrastructure is owned and accessible, allowing for total control over all aspects of information security. In IaaS environments, the shared responsibility model for security offloads some of these aspects to the infrastructure provider, including virtualization and physical host, networking, and datacenter security.
The platform as a service (PaaS) model takes the abstraction of security responsibilities a step further, with the PaaS provider addressing configuration of infrastructure platforms like DNS, database, message queues, and more. In the PaaS model, the user's configuration requirements are restricted in scope compared to the IaaS model. There are no operating systems or platform software components to configure, since these are functions of the PaaS provider. The PaaS control plane provides the extent of configuration options available to the user.
With resource configuration limited to the control plane, security becomes a matter of best-practice configuration. Security and compliance teams responsible for PaaS environments often do not have the same level of visibility into PaaS resource configurations, which is exacerbated by the speed with which PaaS services can be instantiated and changed, usually without traditional change control. Given that misconfiguration is the primary security concern with serverless and PaaS resources, automation that can validate PaaS configuration security at the speed and scale of cloud is an enterprise-wide imperative.
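To make the "validate control-plane configuration automatically" point concrete, here is an added example (not CloudPassage Halo code and not from the Gartner report) of a minimal rule engine that evaluates a resource inventory against a few best-practice checks: public exposure, encryption at rest, wildcard IAM grants, and secrets stored in plaintext environment variables. The resource schema, the rule names, and the sample inventory are all assumptions constructed for illustration, not output from any cloud provider API; a real tool would populate the inventory from the provider's control-plane APIs and keep re-evaluating it as resources change.

```python
"""Added example, not CloudPassage Halo code: a minimal control-plane
configuration checker for serverless/PaaS resources.

The resource schema and rule set are assumptions chosen for illustration;
SAMPLE_INVENTORY is constructed data, not output from any cloud API.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Environment variable names that suggest a secret is stored in plaintext in
# the function configuration rather than in a secrets manager (assumption).
SECRET_NAME_RE = re.compile(r"(secret|password|passwd|token|api[_-]?key)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    detail: str


def _as_list(value):
    """IAM-style documents allow a string or a list in the same field."""
    return [value] if isinstance(value, str) else list(value or [])


def check_public_access(res: dict) -> Optional[Finding]:
    if res.get("public_access") is True:
        return Finding(res["name"], "public-access", "reachable without authentication")
    return None


def check_encryption_at_rest(res: dict) -> Optional[Finding]:
    # Only fires when the provider exposes the setting and it is off.
    if res.get("encryption_at_rest") is False:
        return Finding(res["name"], "no-encryption-at-rest", "encryption at rest is disabled")
    return None


def check_wildcard_iam(res: dict) -> Optional[Finding]:
    """Flag an Allow statement granting '*' or 'service:*' on resource '*'."""
    for stmt in res.get("policy", {}).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wide_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wide_action and "*" in resources:
            return Finding(res["name"], "wildcard-iam", f"Allow {actions} on resource *")
    return None


def check_plaintext_secrets(res: dict) -> Optional[Finding]:
    for var in res.get("environment", {}):
        if SECRET_NAME_RE.search(var):
            return Finding(res["name"], "plaintext-secret", f"environment variable {var} looks like a secret")
    return None


RULES = [check_public_access, check_encryption_at_rest, check_wildcard_iam, check_plaintext_secrets]


def evaluate(inventory):
    """Run every rule over every resource; return the list of findings."""
    findings = []
    for res in inventory:
        for rule in RULES:
            finding = rule(res)
            if finding is not None:
                findings.append(finding)
    return findings


def summarize(findings):
    """Map each resource with findings to its sorted list of failed rules."""
    summary = {}
    for f in findings:
        summary.setdefault(f.resource, []).append(f.rule)
    return {name: sorted(rules) for name, rules in summary.items()}


# Constructed sample inventory (assumption): one function, one managed
# database, one object-storage bucket, as a control-plane scan might return.
SAMPLE_INVENTORY = [
    {
        "name": "orders-handler", "type": "function",
        "public_access": False, "encryption_at_rest": True,
        "environment": {"LOG_LEVEL": "info", "DB_PASSWORD": "hunter2"},
        "policy": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    },
    {
        "name": "orders-db", "type": "managed-database",
        "public_access": True, "encryption_at_rest": False,
    },
    {
        "name": "reports-bucket", "type": "object-storage",
        "public_access": False, "encryption_at_rest": True,
    },
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"{f.resource}: {f.rule} ({f.detail})")
```

Each rule is a pure function of one resource's configuration, so new checks can be added without touching the evaluation loop, and the same engine can run on every change event rather than on an audit schedule, which is the property the paragraph above is asking for.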
Halo Provides Best-Practice Serverless and PaaS Security
Meeting challenges for serverless and PaaS security means rethinking your approach to security, including the tools you use. Legacy data center tools, and even cloud-specific point solutions, usually fall short in their ability to protect complex networks of serverless and PaaS resources. Legacy solutions lack the features necessary to implement security at the control plane, and point products form a complex tangle of features that are bolted on and stitched together. The resulting gaps and blind spots, which are often found the hard way, can lead to costly front-page breaches.
Halo provides best-practice serverless and PaaS security in two ways:
- As an integrated service that provides agentless cloud security for common serverless and PaaS services offered by AWS, Azure, and GCP
- Through a comprehensive API that provides the ability to implement agentless security for cloud-based PaaS services and resources
Halo enables you to automate the process of quickly identifying and closing configuration weaknesses and ensuring best-practice configuration for all cloud assets, including serverless and PaaS.
With Halo, you can implement the Gartner report serverless and PaaS best practices for your assets by:
- Achieving a cloud-native mindset through automation
- Laying the foundation for secure serverless and PaaS
- Enabling security in DevOps through automation
Achieve a Secure Cloud-Native Mindset
Serverless and PaaS adoption challenges organizations to rethink asset ownership, roles, responsibilities, and culture. Automation of security best practices can cut through much of the confusion and enforce compliance no matter how fast the environment changes or moves. Gartner states, "Security and risk professionals should focus on end-to-end visibility, compliance and protection of workloads across all the ways that cloud-native services will be interconnected."[1] This includes serverless and PaaS, along with IaaS, virtualized environments, workloads, containers, and more.
Halo offers a single security platform across all environments, regardless of form factor, while also providing deep integration capabilities through a comprehensive API. With consistent security that encompasses all assets, your organizational culture can shift toward a secure cloud-native mindset that enables automated secure, compliant application delivery.
Lay the Foundation for Serverless and PaaS Security
The Gartner report provides best-practice patterns that "provide the secure foundation on which serverless code will be developed and placed into production."[1] CloudPassage Halo eliminates point solutions and replaces legacy data center security solutions with a single, unified cloud security platform that provides security for all assets, including serverless and PaaS. Halo can be used to address specific best practices detailed in the Gartner report that, when followed, lay the groundwork for a secure serverless and PaaS development environment, including:
Automated asset inventory and interrogation
By automating asset inventory and interrogation across your cloud environments, you can stay on top of new and changing resources, including serverless and PaaS. This reduces the chance of security gaps and blind spots while providing rapid, real-time response capabilities for issue remediation.
Continuous compliance management
With an automated, unified platform, compliance becomes a matter of continuous improvement rather than an eleventh-hour fire drill before the audit. Compliance with standards and best practices becomes a baked-in, not bolted-on, part of serverless and PaaS configuration, operation, and administration, and automated feedback allows for real-time remediation and compliance monitoring so that issues get handled with maximum efficiency.
Enable Security in DevOps Through Automation
In their report, Gartner discusses the concept of secure DevOps. This can include a spectrum of approaches, from embedding security responsibilities into a DevOps team to full-blown DevSecOps.
Once you have consistent security across all infrastructure resources, including PaaS and serverless, you have paved the road for integrating security with DevOps. However, DevOps is all about speed. DevOps teams are not going to adopt security automation unless it fits seamlessly into their existing workflows and works at the same speed they're accustomed to for rapid CI/CD delivery. Gartner states, "All the vulnerability and configuration scanning above should be implemented automatically and transparently to the developer. This will be achieved by using APIs into security scanning tools and by native integration with the developer's continuous integration/continuous delivery (CI/CD) pipeline."[1]
Halo security automation integrates seamlessly with common DevOps tools, including Jenkins, JFrog Artifactory, Puppet, Chef, and more. With Halo, you can:
- "Shift left" to automate vulnerability and compliance scanning as part of every development cycle
- Accelerate deployment of secure code coming out of the CI/CD pipeline
- Extend security response into development and operations by automating alerts and threat detection and putting notifications in front of system owners using existing workflows and DevOps tools
Read more here: https://www.cloudpassage.com/