Abstract
In the last few years, traditional cloud architectures have evolved so that the provider can assume a large share of the security at the infrastructure level, leaving responsibility for application security to the developers. The new serverless computing model represents an evolution of the cloud architecture and also improves some aspects of the security of the applications that use it. In this paper, we analyze the advantages and problems of serverless architectures from a security point of view, comparing the main risks and attack vectors in both architectures. From this comparison, we conclude that serverless architectures introduce new risks in applications and improve on others that are covered by secure development methodologies such as the Open Web Application Security Project (OWASP). Given the event-driven nature of serverless architectures, this type of application adds complexity and gives rise to new risks, most notably those related to the injection of event data into functions and the creation of flows between serverless functions, which could increase the attack surface of an application and make it vulnerable to already known attacks. To the best of our knowledge, this is the first paper to compare cloud and serverless computing from a security point of view.
Acknowledgements
This work was supported by the Spanish Research Agency (AEI) under project HPC4Industry PID2020-120213RB-I00.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Candel, J.M.O., Elouali, A., Gimeno, F.J.M., Mora, H. (2023). Cloud vs Serverless Computing: A Security Point of View. In: Bravo, J., Ochoa, S., Favela, J. (eds) Proceedings of the International Conference on Ubiquitous Computing & Ambient Intelligence (UCAmI 2022). UCAmI 2022. Lecture Notes in Networks and Systems, vol 594. Springer, Cham. https://doi.org/10.1007/978-3-031-21333-5_109
DOI: https://doi.org/10.1007/978-3-031-21333-5_109
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-21332-8
Online ISBN: 978-3-031-21333-5
eBook Packages: Intelligent Technologies and Robotics (R0)