Serverless architecture security challenges

A typical example is the Sina Weibo microblogging service. When a sudden event breaks (such as celebrity news), traffic may spike to hundreds or even thousands of times its usual level. Scaling out the traditional way simply cannot meet such bursts; there are not enough resources on hand. Sina's solution is a private cloud + public cloud model: it rents Alibaba Cloud capacity when needed to expand service for the peak. Ordinary companies can likewise take full advantage of third-party cloud services to build their own service model, without owning any hardware, maintaining equipment and infrastructure, or running back-end software services themselves. Such an architecture is called Serverless, that is, a "no server" architecture.


Serverless architecture lets companies achieve a more flexible and more cost-effective business structure. However, as companies begin using serverless architecture, they also need to consider its security, and that is the topic of this post.

What is serverless?
Serverless is a result of the development of virtualization and cloud computing. It means realizing one's entire business by leasing cloud provider resources. The core of serverless is to entirely exclude hardware and back-end infrastructure software services (such as databases, account systems, etc.) from one's own architecture and rely instead on third-party cloud resources (BaaS or FaaS).

When considering serverless architecture, one main idea applies: if not all of an application's functionality is in use all the time, why pay rent for servers that are not being used? Applications often require some general system functions, such as business logic, user authentication, a database, and other functions needed for users' short, specific activities. A serverless architecture packages and executes this series of functions, generally referred to as Functions as a Service (FaaS); because these services also act as the back end, the model is also called BaaS, "Backend as a Service".

The most typical example of a FaaS service is AWS Lambda from the well-known cloud vendor Amazon AWS.

Domestically, Alibaba Cloud has also recently launched a similar product called Function Compute.

Serverless security
Although many cloud vendors provide security services and some basic security policies, you need to pay to purchase the related services, and you also need to configure the policies yourself. Regarding serverless security, we need to note the following points.

Keep components up to date
To ensure application security, one of the most effective measures is to make sure all components are up to date. Do the third-party modules you use have the required security patches?

A software-update issue that is often overlooked is forgetting to update component dependencies, especially the open source components used in your application. According to statistics, more than 92% of applications use open source components, and those components account for 60-80% of the code base, so the security of open source components is a part that cannot be ignored. There are some obvious differences between safely using open source modules and commercial ones: for example, with open source components it is hard to track the impact when a new vulnerability or fix appears, so effective upgrade notifications are lacking. Another aspect to consider is the build dependencies of the components. If one dependency has a vulnerability, it affects the security of the entire application. Git hosting services such as GitHub and GitLab now provide basic automated dependency security scanning tools. We can use these tools to ensure that our components are updated to secure versions.

Principle of least privilege
Permissions and access control are important rules for maintaining serverless security. By setting a least-privilege security policy for each function and using role-based identity verification (IAM roles), potential security risk is reduced to a large extent.

This principle is important because the more a user can access, the greater the potential risk to the security of the system. For example, suppose an attacker succeeds in compromising one of your users' email accounts and steals their login credentials. To minimize the risk, we should limit the functions accessible to each role and restrict access by IP, for example by restricting logins through firewall and other settings, so that even if login credentials are stolen they cannot be used to log in. Of course, in addition to external attackers, we also have to prevent insiders from stealing information they should not know, so limiting each user's role-based permissions is essential.
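As an added example (not code from the original post), the check below reads two constructed IAM policy documents for a Lambda execution role, one granting everything and one scoped to the function's actual needs, and flags the statements that violate least privilege (wildcard actions, service-wide actions, wildcard resources). The table and log-group names are assumptions.

```python
import json

# Constructed example policies (not from the original post). The first grants the
# function every action on every resource; the second is scoped to what the
# function actually does: read one DynamoDB table and write its own log stream.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-fn:*"},
    ],
})


def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def least_privilege_findings(policy_json):
    """Return a list of findings for Allow statements that are broader than
    least privilege: wildcard actions, service-wide actions such as 's3:*',
    or wildcard resources. An empty list means no such finding."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"statement {i}: allows every action")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: allows every {action[:-2]} action")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {i}: applies to every resource")
    return findings
```

Run the check in CI against every function's role policy so a broadened policy is caught before it is deployed.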

Isolation
Similar to the principle of limiting user rights, isolating each function's network and resource access is also important. This principle is also known as micro-segmentation: by setting access barriers, it ensures that if one of our functions is compromised, the other function nodes are not affected. A piece of common sense the security industry often follows is "don't put all your eggs in one basket."

For example, keep one database separate from another, and isolate different functions and different people in different containers, so that a compromise affects only part of the nodes rather than the security of the whole system.

Pay attention to logs
Once you start using serverless infrastructure, you will find that the architecture changes quickly, and the rapid iteration of functions and services may lead us to overlook signs of security problems. For example, a large number of requests sent to a serverless architecture may mean that a function has a vulnerability, and you might miss it without noticing.

This is when we need to focus on security and on the logs.

The serverless architectures we are familiar with (and a number of other similar architectures) have good tools for browsing system logs. The first step in solving serverless security challenges is to maintain and analyze logs, so as to identify anomalies in the execution log.
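As an added example (not code from the original post), the detector below counts invocations per function per minute from constructed log lines loosely modelled on the REPORT line AWS Lambda writes for each invocation, with an ISO timestamp and function name prepended as a log aggregator might, and flags minutes whose request count is far above that function's usual rate, the "large number of requests" signal mentioned above. The function name, line format and threshold factor are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime


def _build_sample_log():
    """Constructed sample: 2 invocations per minute for six minutes, except a
    burst of 30 in minute 10:03, plus one START line that must be ignored."""
    lines, rid = [], 0
    for minute in range(6):
        for k in range(30 if minute == 3 else 2):
            rid += 1
            lines.append(f"2024-05-01T10:0{minute}:{k % 60:02d}Z orders-fn "
                         f"REPORT RequestId: {rid} Duration: 12.3 ms")
    lines.append("2024-05-01T10:02:10Z orders-fn START RequestId: 99 Version: $LATEST")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fn>\S+) REPORT RequestId: (?P<rid>\S+) Duration: (?P<ms>[\d.]+) ms$"
)


def invocations_per_minute(log_text):
    """Count REPORT lines per (function, 'YYYY-MM-DD HH:MM') bucket."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # START/END lines and application output are not invocations
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        counts[(m["fn"], ts.strftime("%Y-%m-%d %H:%M"))] += 1
    return counts


def burst_minutes(log_text, factor=5):
    """Return (function, minute, count) for every minute whose invocation count
    exceeds `factor` times that function's median per-minute count."""
    counts = invocations_per_minute(log_text)
    per_fn = defaultdict(list)
    for (fn, _minute), n in counts.items():
        per_fn[fn].append(n)
    flagged = []
    for (fn, minute), n in sorted(counts.items()):
        ordered = sorted(per_fn[fn])
        median = ordered[len(ordered) // 2]
        if n > factor * median:
            flagged.append((fn, minute, n))
    return flagged
```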

Scanning
Secondly, we should use automated scanning tools, including for inspecting and monitoring all the open source components used in the system. For example, you can use the free WhiteSource integration for AWS Lambda to scan and monitor your deployed serverless functions: WhiteSource automatically identifies all open source components and dependencies, then checks them against a comprehensive database of open source repositories for security vulnerabilities and licenses. Upon detection, you can apply automated policies, define workflows, and share the information collaboratively within teams.

Compliance matters
When it comes to regulated industries such as financial services, telecommunications, and health care, data privacy issues become more sensitive. Since we run applications and store data in the cloud, there are always risks associated with exposing these assets publicly. Data in the cloud must be kept compliant, and legal and compliance staff can assist with this.

Summary
In short, using serverless architecture has many advantages: it can help us save costs and increase flexibility and adaptability. But the security issues of serverless architecture cannot be ignored. In this article we listed some common security principles and techniques that help you avoid common serverless security risks and ensure the security and reliability of your applications.

Origin blog.51cto.com/14530594/2442076