Serverless computing highlights new security challenges in hybrid IT

Services such as AWS Lambda highlights the growing difficulty of integrating cloud-native services with private data center resources.

During the recent Tech Field Day 16 event, Forcepoint teased the beginning of what I believe is a much-needed shift in hybrid IT security. At the VMware-sponsored FutureNet conference, a Verizon spokesman shared the fundamental challenge with hybrid IT security: There isn't a consistent construct on which to build a security enforcement plan across the public and private cloud.

The traditional approach to enterprise security relies on network access control (NAC). NAC has proven a crutch for enterprise security for years, as security professionals could loosely base identity on the node where traffic originates.

SEE: Security awareness and training policy (Tech Pro Research)

An example is identifying all traffic coming from a specific network segment as originating from the accounting department. Security professionals would use a firewall function to enable traffic from the accounting network segment to a file server hosting the organization's financials. The same firewall device may restrict traffic from non-accounting network segments.

The practice is improved by using concepts such as certificates that trace back to identity services such as Active Directory. However, the enforcement point remains the firewall albeit with additional identity attributes.

Lift and shift security

Initial enterprise cloud deployments were simple—services and data security zones were somewhat static. Enterprises could expect to reasonably control security at the edge of the networks. An example is moving development and test to the public cloud. Security professionals could replicate their security design within the public cloud using NAC via host-based firewalls or deploy virtual firewalls within the public cloud infrastructure.

As organizations matured, they could use the cloud control plane tools to create NAC rules. While the interface required training, the concepts were similar. Traffic from one set of hosts was allowed or disallowed. However, the cloud security control plane does represent one of the first early challenges in hybrid IT security—a consistent operations control plane.

As hybrid IT services become more complex, security professionals required more granular controls between the public cloud and private infrastructure. Take the universal example of the web and application tiers in a three-tier application as an example. Merely creating a firewall rule that allows traffic from the web-tier to the application-tier proved complex.

Early private data center firewalls lacked the context of ephemeral cloud security objects. If the web-tier leveraged elastic compute, the public cloud administrator had to ensure that auto-scaled web servers were all created in the same network scope for the static firewall to properly filter traffic. Newer generation firewalls integrated with cloud services, however, can identify cloud objects and allow filtering based on the legacy node-to-node concept.

SEE: Special report: The cloud v. data center decision (free PDF) (TechRepublic)

Native cloud services

It's with cloud-native services that the traditional firewall concept breaks. Take Amazon Web Services (AWS) Lambda for example. AWS Lambda is an event-driven service that doesn't have a concept of a compute node exposed to the service consumer—hence, the term serverless. Lambda introduces a wrinkle into the traditional firewall based-security model. How does a firewall filter traffic from a Lambda event destined for private data center node?

I receive a curious look anytime I present this scenario. Think of a Lambda function that copies an image written to an S3 function to an on-premises Oracle database. How does a firewall differentiate that activity from any other Lambda activity?

Cybersecurity firm Forcepoint has acquired many security products over the past year. Included in their acquisition spree are both a firewall product and a cloud access security broker (CASB). CASB products integrate natively with cloud-based services such as Office 365. As Forcepoint matures, in theory, the company could integrate the firewall and CASB products to provide the granularity in security controls required for end-to-end hybrid IT.

Forcepoint isn't the only vendor looking at this challenge. I've talked with the VMware NSX team, and they are confident that NSX is on a path to offering a similar capability. Until then, an organization must be mindful of application designs that integrate cloud-native services such as Lambda with private data center resources. Until a cross-domain solution becomes available, organizations must use the granular controls provided by the public cloud providers and the network-based controls of the enterprise firewall to create a fully secure solution.

Also see

Image: iStockphoto/maxkabakov

About Keith Townsend

Keith Townsend is a technology management consultant with more than 15 years of related experience designing, implementing, and managing data center technologies. His areas of expertise include virtualization, networking, and storage solutions for Fo...

Editor's Picks

Free Newsletters, In your Inbox