Cloud migration strategies focus on increasing the speed of doing business. Transferring infrastructure to the cloud saves money and time, but it also changes the security and privacy dynamic. The Shared Responsibility Model for Cloud Security means that organisations cannot just transfer all risk to their cloud service providers (CSPs). While the CSP secures cloud access to the cloud from their users, the customer needs to secure access within the cloud. AWS Lambda creates a unique access risk since services, not people, trigger its cloud activities. However, organisations often use Lambda to run administrative and operational processes, such as patch updates, that require privileged access to systems and networks. Lambda’s automation creates new privileged access management (PAM) risks as it connects to applications and infrastructures without human governance.
What does the shared responsibility model for AWS Lambda look like?
AWS provides a detailed architecture in Lambda’s security model to ease the Shared Security Model requirements. While AWS protects many cloud infrastructure service components, customers continue to bear the burden and responsibility for securing data and providing identity access governance. Simply, AWS protects the cloud’s infrastructure, but in Lambda’s case, users need greater control over the governance.
When Lambda executes a function, it executes the provisioning of the service and the required resources necessary to run your code. The function will run in the dedicated execution environment that is used for the lifetime of the function and the temporal function is security disposed. However, despite AWS disposing the code automatically, the function’s actions have been completed without the appropriate governance and oversight. In many cases, this leads to a privileged access management failure.
Cloud security fundamentals in Lambda
Lambda builds security into the functions that run in dedicated execution environments, such as within an operating system or database, to view development, testing, and deployment within the cloud. Additionally, Lambda offers monitoring and alert notifications, that can be integrated into governance solutions. Meanwhile, this poses a PAM risk because users can change the function without going through a governance process which can lead to misuse of the original elevated privileges and, as discussed in the 2019 Data Breach Investigations Report, a data breach.
Function-as-a-service in multi-cloud environments
Organisations deploy Lambda and similar services, such as Google’s Cloud Function and Microsoft’s Azure Functions but still need to address management and governance of those functions to meet the Shared Responsibility Model requirements. As the use of these functions scale, management and governance become difficult to prioritise, track, and document. The same approach to management, monitoring, and governance will apply.
Cloud PAM limits exposure
Streamlining privilege escalation and ensuring governance over automated tasks, such as Lambda functions, significantly reduces cybersecurity risk. By utilising a full life cycle request-on-demand access for privileged access solution, organisations obtain complete visibility into the way cloud-based applications access the infrastructure. Your visibility includes complete monitoring of the access and activity to ensure that it maintains the appropriate risk- and policy-based access, provides for urgent or break-fix events, and can monitor for violations of segregation of duties policies.
With identity, compliance and governance go hand-in-hand. The need to create policies, monitor activity, document responses, and prove governance over your program still exists and Function-Based solutions with proper governance can fulfil those requirements. Cloud PAM solutions provide unique PAM capabilities by integrating Identity Governance and Administration (IGA) capabilities to provide full visibility and ensure governance over PAM tasks.
As businesses move from on-premise to hybrid and cloud infrastructures, the shared model of security between cloud providers and customers will continue to evolve, which means that organisations need dynamic IGA solutions connected to built-in cloud security controls to alleviate risk, secure data, and manage compliance.
Joe Raschke, Principal Solution Strategist, Saviynt