One technology underlies almost everything we do on the Internet: cloud computing. Cloud storage consists of keeping information managed by an organization or company on servers external to it, which the company itself can access remotely at any time. For example, when you access your banking information you are using cloud computing without realizing it.
Cloud computing has given companies greater storage capacity and computing power. In Spain alone, in the first quarter of 2021, 32.4% of organizations with 10 or more employees purchased cloud services, according to the Survey on the use of ICT and electronic commerce in companies. These data show that today’s companies are always looking for new ways to improve their processes, increase their productivity and reduce the costs of deploying and managing their applications and/or services. Using the cloud is one such way, since it offers greater security for their data as well as greater performance.
In this scenario, a new computing paradigm has also come under discussion in recent years: serverless computing, or computing without a server. Contrary to what the name suggests, it is not an architecture without servers. Rather, software developers (those responsible for deploying applications in the cloud, who can be considered customers of the cloud provider: Amazon, Google, Salesforce, etc.) do not have to worry about configuring or managing the servers, because the cloud provider takes care of those tasks.
Even though serverless computing has been on the market for years, only now has it reached its peak. At Telefónica’s Research area, Eduard Marin, together with others, investigates the benefits and disadvantages that this type of technology can bring to companies. “Our goal is to significantly advance the state of the art to make serverless computing much more secure than it is now,” says Eduard.
What is serverless computing?
When we mention serverless computing, we are referring to a new paradigm that is likely to become the dominant way to deploy applications in the cloud in the future. It applies edge computing, that is, bringing the processing as close as possible to where the data is being generated.
In serverless computing, application logic is broken down into a set of small, ephemeral, stateless functions that communicate with each other and with various cloud services (for example, storage services) to accomplish their tasks. Today’s serverless architectures are often event-driven, so functions can be executed on receipt of a wide range of events: when new data is added to a database, when an email is received, or when a new measurement arrives from a sensor, among others.
The serverless computing model sets itself apart from monolithic systems and microservices by charging for the resources that each application consumes. This is a noticeable difference from previous cloud models, where users pay a fixed amount for the resources allocated (regardless of the resources the application consumes). In addition, this ecosystem is developed according to the needs of the organization, so it is not necessary to make a large outlay of capital. Currently, a lot of research is focused on analyzing the properties that serverless offers and improving it further so that it can support a greater number of applications. Our work focuses on investigating the security offered by this serverless model.
2 models of serverless computing
Along these lines, thanks to the effectiveness of the serverless method, today we can distinguish between two types of architectures: Function as a Service (FaaS) and Backend as a Service (BaaS).
- BaaS is a service that automates back-end development, through third-party services and applications. The central idea behind BaaS is to offer software developers a set of services and tools (databases, APIs, file storage, etc.) to facilitate and speed up the development of mobile and web applications.
- FaaS is a model that focuses on allowing software developers to deploy and run their functions in the cloud. Here, the functions can also use additional services, such as those offered in BaaS. At the moment, FaaS is considered the dominant serverless model.
Advantages of implementing a serverless computing model
The implementation of serverless computing offers numerous advantages to the user. We have already mentioned some of them throughout the article; others are the following:
- The serverless model allows software developers to outsource all infrastructure management as well as operational tasks to cloud providers, allowing them to focus on writing the code for their applications.
- It follows a pay-as-you-go model, that is, users are charged only for the resources consumed.
- It offers fast, unlimited automatic scaling of resources up and down to match demand, from zero to virtual infinity.
Green computing
Green computing stands out among the benefits of integrating this type of architecture. It is a new paradigm that aims to optimize computing resources in companies further while having the least possible impact on the environment.
Coping with climate change by reducing energy consumption, the carbon footprint, etc., has become one of the main concerns of society. Microsoft, for example, has taken action on the matter with the launch of a data center, where most of the energy comes from renewable sources.
Security in the serverless model
Beyond the sustainability that the serverless model offers, we must delve into one of the questions raised around this technology: is serverless computing secure? The first thing to be clear about is that the ecosystems around which this architecture is developed are complex, dynamic, and made up of many different components. For an ecosystem of this type to be secure, it is necessary to make sure that the components and the interactions between them are secure.
This area of security has been investigated by the Telefónica Research team. The article Serverless Computing: a security perspective, by Eduard Marin, Diego Perino, and Roberto Di Pietro, addresses the current situation of serverless computing in terms of security. It sets out the current threats to which this type of architecture is exposed, as well as the additional security features offered by the serverless model.
The first distinction to be made is between external and internal adversaries. External adversaries, as the name suggests, carry out attacks from outside the cloud. These attacks can allow adversaries to execute arbitrary commands to obtain sensitive data or manipulate the execution of any function. Internal adversaries, by contrast, are those that operate from within the cloud. For example, in the case of a public cloud, it is significantly easier to execute malicious functions.
Characteristics of serverless computing
One of the handicaps of the serverless model is that its functions can be activated from various sources, which expands the attack surface. Each function that runs within this architecture performs a single task and is therefore forced to interact with other shared cloud services. Security policies specify which functions and cloud services each function can access, but in such a complex environment these policies are prone to configuration errors that open the door to attacks.
Most of the security responsibilities for serverless computing fall on cloud providers, whereas software developers are responsible for maintaining security at the application level. It is therefore vitally important for developers to follow security best practices when writing serverless functions, to reduce the chances of bugs (software defects) in them that adversaries could use to launch attacks.
However, this architecture offers greater resistance against various types of Denial of Service (DoS) attacks that aim to saturate network bandwidth, trigger many heavy computing actions in parallel, or exploit application flaws, for example, to cause infinite loops. An infinite loop is a failure in which a cycle repeats endlessly because its termination condition is never met.
Even though this technology saw the light of day at the Amazon Web Services event in 2014 and various cloud providers have entered the world of serverless platforms, there is still a lot of work ahead. One of the main challenges is the security of this model. “With the increasing volume and diversity of attacks against the cloud, we believe that security and privacy will be a key factor that, if not addressed, could hinder the widespread adoption of serverless computing,” the Research team explains.
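As an added illustration of the configuration errors described above (not code from the article or from the Telefónica paper), the following sketch audits per-function access policies for over-broad grants. The `service:resource:action` grant format, the function names and the sample data are all hypothetical and constructed for this example.

```python
# Constructed sample data. Grant format "service:resource:action" is hypothetical.
# POLICIES: what each function is allowed to reach.
POLICIES = {
    "resize-image": ["storage:photos:read", "storage:thumbs:write"],
    "send-receipt": ["storage:*:*", "queue:mail:write"],
    "nightly-backup": ["db:orders:read", "storage:backups:write",
                       "fn:resize-image:invoke"],
}
# OBSERVED: what each function actually accessed (e.g. taken from access logs).
OBSERVED = {
    "resize-image": {"storage:photos:read", "storage:thumbs:write"},
    "send-receipt": {"storage:invoices:read", "queue:mail:write"},
    "nightly-backup": {"db:orders:read", "storage:backups:write"},
}

def matches(grant, access):
    """True if a grant (possibly containing '*') covers a concrete access."""
    g, a = grant.split(":"), access.split(":")
    return len(g) == len(a) and all(x in ("*", y) for x, y in zip(g, a))

def audit(policies, observed):
    """Return (function, issue, item) tuples for policy/usage mismatches."""
    findings = []
    for fn, grants in sorted(policies.items()):
        used = observed.get(fn, set())
        for grant in grants:
            if "*" in grant.split(":"):
                # Wildcards give a single-task function far more reach than it needs.
                findings.append((fn, "wildcard", grant))
            elif not any(matches(grant, u) for u in used):
                # Granted but never exercised: candidate for removal.
                findings.append((fn, "unused", grant))
        for access in sorted(used):
            if not any(matches(g, access) for g in grants):
                # Access seen in logs that no grant covers: policy and reality disagree.
                findings.append((fn, "not-granted", access))
    return findings

if __name__ == "__main__":
    for fn, issue, item in audit(POLICIES, OBSERVED):
        print(f"{fn}: {issue}: {item}")
```

On the sample data the audit reports the wildcard storage grant on `send-receipt` and the never-used invoke permission on `nightly-backup`, the two kinds of excess privilege that widen what a compromised function can reach.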
Toward a serverless cloud
For the moment, we can say that we are facing an evolution in the development of cloud applications without a server, in which there is still much to investigate, learn and apply. Serverless computing is a challenge in itself: it requires ownership of design decisions related to service monitoring (QoS), scaling, and fault tolerance to be handed over to the cloud provider.
Serverless computing has been created, above all, for the rapid exchange of data from web applications and businesses in the cloud. Therefore, initially, it does not consist of processing entire applications, but rather separate functions. Some of the scenarios where it could be introduced due to its characteristics are:
- Backend as a Service (BaaS) to build and support the back-end of a cloud function.
- Performing tasks after the detection of an event, such as creating backup copies or reorganizing databases.
- Integration of chatbots and conversation assistants.
- In the field of big data, where the serverless model is positioned as an ally to combine, move, manipulate, etc., unstructured data (audio, images, etc.) and structured data (XML, JSON, etc.).