Summary

Serverless computing is emerging as a new computing paradigm for the deployment of applications in the cloud. First, serverless computing allows software developers to outsource all infrastructure management and operational tasks to cloud providers, which lets them focus solely on the business logic of their applications. Second, serverless computing follows a pure pay-per-use model, where users are charged only for the resources they consume. Function as a service (FaaS) is the main implementation method of serverless computing.

Serverless computing exposes a significantly larger attack surface than its predecessors for two main reasons. First, serverless functions can be triggered by many external and internal events with multiple formats and encodings. Because serverless applications are stateless and event-driven, this creates many possible entry points for adversaries to gain control of functions. Second, serverless platforms include a number of new components and cloud services, many of which are shared across numerous users. Such shared components can enable new forms of side or covert channels that can allow adversaries to leak sensitive data or to violate the specified security policies.

To improve the stability and integrity of the serverless computing platform and reduce the cost of mitigating security issues, it is necessary to consider security issues throughout the whole development life cycle of serverless computing. There are currently new security threats that may not be fully addressed by existing standards. As such, it is necessary to develop a serverless security standard that takes into account the unique characteristics of serverless technology.

Recommendation ITU-T X.1650 provides security guidelines to help organizations identify security risks, protect sensitive data, and improve their ability to respond to security incidents in serverless computing environments.