Security Considerations and Risk Mitigation Strategies in Multi-Tenant Serverless Computing Environments

Abstract

Multi-tenant serverless computing environments present unique security challenges due to the shared nature of resources among multiple users. This paper examines the specific security considerations and risk mitigation strategies essential for safeguarding data and applications in such environments.

The paper starts by delineating the distinctive characteristics of serverless computing, emphasizing its event-driven, ephemeral nature, and how multi-tenancy exacerbates security concerns by sharing resources across tenants. Traditional security measures like network segmentation and access controls may not suffice in this dynamic context.

Subsequently, it explores common security threats prevalent in multi-tenant serverless environments, including unauthorized access, data breaches, denial-of-service attacks, and privilege escalation. These threats stem from various sources such as misconfigured functions, vulnerabilities in shared components, or malicious activities by other tenants.

To counteract these threats, a comprehensive framework for risk mitigation is proposed. This framework encompasses proactive measures like minimizing attack surfaces, enforcing least privilege access, and implementing secure coding practices. Additionally, it advocates for detective measures such as runtime monitoring and anomaly detection, alongside responsive actions like incident response protocols and data encryption.

Furthermore, the paper delves into specific security controls and best practices tailored for multi-tenant serverless environments. These include function-level isolation, secure dependency management, and encryption for data at rest and in transit. It also explores emerging security technologies like serverless-specific intrusion detection systems and runtime application self-protection solutions.

Real-world case studies and incidents are analyzed to validate the efficacy of the proposed framework and security measures. By learning from these cases, organizations can better understand common vulnerabilities and refine their security strategies accordingly.

In conclusion, proactive security measures and risk mitigation strategies are imperative for ensuring the integrity, confidentiality, and availability of data and applications in multi-tenant serverless computing environments. As the adoption of serverless continues to rise, ongoing research and collaboration are essential to stay abreast of evolving security threats and challenges.

Keywords

multi-tenant, serverless computing, security considerations, risk mitigation, threat analysis, security controls, incident response, encryption, intrusion detection
