The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today released two sets of guidance from its research working groups. The first, How to Design a Secure Serverless Architecture, offers specific security best practices for implementing applications on a serverless platform along with recommended controls application owners should adopt. Recommendations for Adopting a Cloud-Native Key Management System (KMS), meanwhile, provides project and program managers, among others, with general guidance for choosing, planning, and deploying a cloud-native KMS.
“Adopting a cloud-native KMS doesn’t need to be more complicated than the adoption of a public cloud service”
Written by CSA’s Serverless Working Group, How to Design a Secure Serverless Architecture [URL] provides application developers and architects, security and risk management professionals, and others involved in administering and securing systems with a set of best practices and recommendations for securing serverless applications. While it offers an extensive overview of a variety of threats, rather than detailing the more generic, cloud-related security aspects, the document focuses on the application owner and the threats facing applications on a serverless platform, specifically those aspects that change as a result of moving to a serverless service.
“IT organizations in nearly every industry are feeling pressure to quickly deliver value, get ahead of the competition, and provide customers with new experiences. Serverless platforms allow application teams to deliver value quickly, without having to manage the infrastructure the application runs on. As this movement gains steam, we can expect to see a proliferation of serverless platforms and more high-value applications being run on these platforms. Security concerns on serverless platforms are only going to grow, and organizations need to understand how to best protect themselves,” said Aradhna Chetal, one of the paper’s co-authors and co-chair of the Serverless Working Group.
Recommendations for Adopting a Cloud-Native Key Management System (KMS), which was written by the Cloud Key Management Working Group, addresses the technical, operational, legal, regulatory, and financial aspects of leveraging a cloud-native KMS, with the goal of optimizing business outcomes, including agility, cost, and compliance. It’s envisioned that the program or project manager will refer to the guidance as they lead their organization through the lifecycle stages covered within the document.
“Adopting a cloud-native KMS doesn’t need to be more complicated than the adoption of a public cloud service,” said Paul Rich, co-chair of the Cloud Key Management Working Group and a co-author of the paper. “However, because a KMS is often a core utility, its adoption warrants the same treatment you would apply to directory and other identity services. Like all information systems, it’s important to have the necessary talent available and give them sufficient time and guidance, all of which will go a long way toward successful adoption.”
The Cloud Key Management Working Group aims to facilitate the standards for seamless integration between cloud service providers and key broker services. Those interested in participating in future research and initiatives involving cloud key management are invited to join the working group.
The Serverless Working Group seeks to develop best practices to help organizations looking to run their business with a serverless business model. Individuals interested in becoming involved in future serverless research and initiatives are invited to join the working group.
About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.
Kari Walker for the CSA