Security is a shared responsibility between the cloud provider and the customer. This shared model can help relieve customer’s operational burden as cloud providers operate, manage, and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.

Up until recently, when deploying applications on infrastructure-as-a-service (IaaS) platforms, the customer assumed responsibility and management of the guest operating system, including updates and security patches, associated application software, and configuration of the network firewalls in the cloud. With virtual instances, customers need to carefully consider the services they chose as their responsibilities depending on the services used, the integration of those services into the IT environment, and applicable laws and regulations.

With the introduction of serverless computing (also known as FaaS, or function-as-a-service), security shifted even more towards cloud providers by allowing organizations to offload many more tasks in order to concentrate on their core business. But just how much do companies really gain by offloading security duties to the cloud? Let’s do the math.

Core Requirements: Physical to Application Security 
The items below are listed bottom-up, starting with physical security, all the way up to the application layer.

• Physical infrastructure, access restrictions to physical perimeter and hardware
• Secure configuration of infrastructure devices and systems
• Regularly testing the security of all systems/processes (OS, services)
• Identification and authentication of access to systems (OS, services)
• Patching and fixing flaws in OS
• Hardening OS and services
• Protecting all systems against malware and backdoors
• Patching and fixing flaws in runtime environment and related software packages
• Exploit prevention and memory protection
• Network segmentation
• Tracking and monitoring all network resources and access
• Installation and maintenance of network firewalls
• Network-layer DoS protection
• Authentication of users
• Authorization controls when accessing application and data
• Log and maintain audit trails of all access to application and data
• Deploy an application layer firewall for event-data inspection
• Detect and fix vulnerabilities in third-party dependencies
• Use least-privileged IAM roles and permissions
• Enforce legitimate application behavior
• Data leak prevention
• Scan code and configurations statically during development
• Maintain serverless/cloud asset inventory
• Remove obsolete/unused cloud services and functions
• Continuously monitor errors and security incidents

IaaS: Provider vs. Customer

When developing applications on IaaS, the security responsibilities are roughly divided as follows:

Cloud Provider Responsibility

• Physical infrastructure, access restrictions to physical perimeter and hardware
• Secure configuration of infrastructure devices and systems

Customer Responsibility

• Regularly testing the security of all systems/processes (OS, services)
• Identification and authentication of access to systems (OS, services)
• Patching and fixing flaws in OS
• Hardening OS and services
• Protecting all systems against malware and backdoors
• Patching and fixing flaws in runtime environment and related software packages
• Exploit prevention and memory protection
• Network segmentation
• Tracking and monitoring all network resources and access
• Installation and maintenance of network firewalls
• Network-layer DoS protection
• Authentication of users
• Authorization controls when accessing application and data
• Log and maintain audit trails of all access to application and data
• Deploy an application layer firewall for event-data inspection

Serverless (FaaS): Provider vs. Customer

How responsibilities are divided when developing applications on serverless architectures:

Cloud Provider Responsibility

• Physical infrastructure, access restrictions to physical perimeter and hardware
• Secure configuration of infrastructure devices and systems
• Regularly testing the security of all systems/processes (OS, services)
• Identification and authentication of access to systems (OS, services)
• Patching and fixing flaws in OS
• Hardening OS and services
• Protecting all systems against malware and backdoors
• Patching and fixing flaws in runtime environment and related software packages
• Exploit prevention and memory protection
• Network segmentation
• Tracking and monitoring all network resources and access
• Installation and maintenance of network firewalls
• Network-layer DoS protection

Customer Responsibility

• Authentication of users
• Authorization controls when accessing application and data
• Log and maintain audit trails of all access to application and data
• Deploy an application layer firewall for event-data inspection
• Detect and fix vulnerabilities in third-party dependencies
• Use least-privileged IAM roles and permissions
• Enforce legitimate application behavior
• Data leak prevention
• Scan code and configurations statically during development
• Maintain serverless/cloud asset inventory
• Remove obsolete/unused cloud services and functions
• Continuously monitor errors and security incidents

FaaS vs. SaaS?
Not all tasks and requirements are created equal — and some of those I’ve included are obviously more resource and budget intensive than others. If you disagree with my methodology or conclusions, please share your thoughts in the comments.

Related Content:

• 6 Cloud Security Predictions for 2019
• Serverless Architectures: A Paradigm Shift in Application Security
• Securing Serverless: Attacking an AWS Account via a Lambda Function

Ory Segal is a world-renowned expert in application security, with 20 years of experience in the field. Ory is the CTO and co-founder of PureSec, a start-up that enables organizations to secure serverless applications. Prior to PureSec, Ory was senior director of threat … View Full Bio