Protect Serverless Functions with Prisma Cloud

Aug 27, 2020
3 minutes
... views

Serverless architecture was created as a way to allow developers to focus on the application layer, without having to be concerned with the servers or runtimes underneath. It continues to become an increasingly popular option for cloud workloads—more than 20% of global enterprises are expected to adopt the technology through the end of 2020, up from less than 5% in late 2018.

While it allows for fast-paced development, the lack of visibility into the underlying infrastructure means that security has often taken a backseat. Prisma Cloud helps fill this gap by providing security and visibility to protect serverless functions.

Visualization of serverless attack surfaces in Prisma Cloud
Visualization of serverless attack surfaces in Prisma Cloud.

Why Is Serverless Popular?

Serverless, at its core, is simple. By removing capacity planning and server management, the developer can focus on the application and leave the rest to the cloud provider. Coupling this ease with the fact that serverless functions only run when evoked and spin down when not in use, you add an economical footprint that can save a company not only time and management resources, but also monetary resources. 

Serverless Vulnerability and Misconfiguration Scanning

Even though the developer focal point is the application layer, security teams need a level of visibility for vulnerabilities and misconfigurations that may exist within that layer. Prisma Cloud can scan these serverless functions across AWS Lambda, Google Cloud Functions, and Azure Functions to check for known vulnerabilities and issues with compliance policies. Users can set to scan during continuous integration (CI) processes and within serverless repositories.

Serverless repository scan results in Prisma Cloud
Serverless repository scan results in Prisma Cloud.

The image above shows example functions in serverless repositories that have been scanned by Prisma Cloud. Risk factors and vulnerabilities are aggregated in one screen, providing quick visibility.

AWS Runtime Protection with Serverless Auto-Protect

In addition, Prisma Cloud can provide security for AWS Lambda at runtime as a Lambda Layer. This is important because serverless architectures work differently than traditional workloads and require different privileges. Existing tools are unable to monitor these applications effectively. 

The platform can automatically protect serverless functions by inserting the correct security Layer for the serverless function’s runtime. While other solutions require you to manually inject Layers into the function, Prisma Cloud can do this automatically without direct user input. 

Security teams can set rules to define which functions and runtimes receive a given protection Layer without having to include the developer, providing additional visibility without imposing on development lifecycles.

Setting up serverless auto-protect rules in Prisma Cloud
Auto-protect rules in Prisma Cloud.

Start Using Prisma Cloud to Protect Serverless Functions

Serverless platforms can be very compelling for certain development needs, but in order to be truly viable, proper considerations need to be included for security. Prisma Cloud helps mitigate these concerns providing automations when scanning for vulnerabilities or compliance issues, and protecting a given runtime. Existing users can explore documentation on scanning and Lambda Layers.

For more information on how Prisma Cloud manages workloads across various compute architectures, you can view our compute security page.

Subscribe to Cloud Native Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.