Cloud 101CircleEventsBlog
The CCSK v5 and Security Guidance v5 are now available!

Download Publication

How to Design a Secure Serverless Architecture 2021
How to Design a Secure Serverless Architecture 2021
Who it's for:
  • application developers  
  • security professionals  
  • CISOs  
  • system and security administrators  
  • information system security officers  

How to Design a Secure Serverless Architecture 2021

Release Date: 09/14/2021

Working Group: Serverless

This is an old version of the document. Check out the 2023 version here.

Like any solution, serverless computing brings with it a variety of cyber risks. This paper provides best practices and recommendations for securing serverless applications. It offers an extensive overview of the different threats, focusing on the application owner risks that serverless platforms are exposed to and suggesting the appropriate security controls.

The document assumes that the readers have some knowledge of coding practices, security and networking expertise, and application containers, microservices, functions, and agile application development.

Key Takeaways: 

  1. What is Serverless
  2. Advantages and benefits of serverless architecture
  3. Shared responsibility model for serverless
  4. Security design, controls and best practices
  5. Kubernetes security best practices 
  6. CI-CD pipelines, Function Code, Code scans and policy enforcement for Functions and Containers    
  7. Compliance and governance for serverless
Download this Resource

Prefer to access this resource without an account? Download it now.

Bookmark
Share
View translations
Related resources
Defining the Zero Trust Protect Surface
Defining the Zero Trust Protect Surface
How to Design a Secure Serverless Architecture
How to Design a Secure Serverless Architecture
An Agile Data Doctrine for a Secure Data Lake
An Agile Data Doctrine for a Secure Data Lake
And now for something completely different… a Cloud Security Alliance RFI
And now for something completely different… a Cloud Security Allian...
Published: 07/01/2024
AI Resilience & Diversity
AI Resilience & Diversity
Published: 06/20/2024
Why a Serverless Architecture Improves the Security of Cloud-Native Applications
Why a Serverless Architecture Improves the Security of Cloud-Native...
Published: 06/03/2024
Apple's New iMessage, Signal, and Post-Quantum Cryptography
Apple's New iMessage, Signal, and Post-Quantum Cryptography
Published: 05/17/2024

Acknowledgements

Peter Campbell
Peter Campbell
Chief Information Security Officer, Cigna

Peter Campbell

Chief Information Security Officer, Cigna

Cloud Security Engineering leader responsible for security engineering and security innovation. Enables new and untried technologies, runs proof of concepts, designs and engineers security configurations and enables the business to leverage new technology safely. Led the creation of Cigna’s security assurance framework which ensures that the security vision is consistently executed. Current research focuses on the domains of sec...

Read more

Ricardo Ferreira
Ricardo Ferreira
EMEA CISO

Ricardo Ferreira

EMEA CISO

Aradhna Chetal
Aradhna Chetal
Senior Director Executive- Cloud Security

Aradhna Chetal

Senior Director Executive- Cloud Security

Aradhna serves as a Senior Director Executive- Cloud Security at TIAA, a financial services company. She is responsible for the cloud security vision, strategy, standards, security patterns for a multi-cloud hybrid enterprise and engineer security solutions, to support the vision. Aradhna has worked in various Cybersecurity leadership roles at JP Morgan Chase, Boeing Company, Microsoft & T-Mobile.

Aradhna is an active member in the cy...

Read more

Vishwas Manral
Vishwas Manral
Founder at Precize Inc & Fellow at Cloud Security Alliance

Vishwas Manral

Founder at Precize Inc & Fellow at Cloud Security Alliance

Vishwas is the Founder at Precize Inc, a stealth Cloud and AI security startup. Vishwas is also the co-chair of CSA’s Serverless Working Group and the Chair of Cloud Security Alliance in Silicon Valley. He was the head of Cloud Native security and Chief Technologist at McAfee Enterprise + FireEye. Vishwas joined McAfee Enterprise when his com...

Read more

Madhav Chablani Headshot Missing
Madhav Chablani
Consulting CIO, TippingEdge Consulting

Madhav Chablani

Consulting CIO, TippingEdge Consulting

Vani Murthy
Vani Murthy
Sr. Information Security Compliance Advisor, Akamai Technologies

Vani Murthy

Sr. Information Security Compliance Advisor, Akamai Technologies

Vani has 20+ years of IT experience in the areas such as Security, Risk, Compliance, Cloud services (IaaS/PaaS/SaaS) architecture

Read more

Marina Bregkou
Marina Bregkou
Senior Research Analyst, CSA EMEA

Marina Bregkou

Senior Research Analyst, CSA EMEA

Amit Bendor Headshot Missing
Amit Bendor

Amit Bendor

John Wrobel Headshot Missing
John Wrobel

John Wrobel

Shobhit Mehta
Shobhit Mehta

Shobhit Mehta

Shobhit Mehta is a distinguished professional with over 12 years of expertise in Governance, Risk, Compliance, and Privacy frameworks, with notable experience in the security and privacy domains. His illustrious career has seen him contribute significantly to organizations such as PayPal, HSBC, Deutsche Bank, Credit Suisse, and Fidelity Investments, where he played pivotal roles in ensuring the integrity and security of critical systems and...

Read more

John Kinsella Headshot Missing
John Kinsella

John Kinsella

Elisabeth Vasquez Headshot Missing
Elisabeth Vasquez

Elisabeth Vasquez

Brad Woodward Headshot Missing
Brad Woodward

Brad Woodward

David Hadas Headshot Missing
David Hadas

David Hadas

Akshay Mahajan
Akshay Mahajan
Senior Manager, Wayfair

Akshay Mahajan

Senior Manager, Wayfair

Anil Karmel
Anil Karmel
CEO, C2 Labs

Anil Karmel

CEO, C2 Labs

Anil Karmel is the Co-Founder and CEO of RegScale, which helps organizations start and stay compliant via the world's first real-time GRC platform. Formerly, Anil served as the National Nuclear Security Administration's (NNSA) Deputy Chief Technology Officer. Karmel began his government career as a Technical Staff Member of Los Alamos National Laboratory (LANL) and was responsible for inventing their cloud and collaboration technologies Kar...

Read more

Alex Rebo Headshot Missing
Alex Rebo

Alex Rebo

Dr. Vrettos Moulos
Dr. Vrettos Moulos

Dr. Vrettos Moulos

Dr. Vrettos Moulos is a senior research software engineer in Institute of Communication and Computer Systems in Greece. He holds a PhD in secure microservice architecture patterns from the School of Electrical and Computer Engineering of the National Technical University of Athens (NTUA).

He has been a member, for more than 10 years, of software development teams creating mission critical applications (rule-based decision systems, sec...

Read more

Abhishek Vyas
Abhishek Vyas
Head of Security Consultancy and Architecture

Abhishek Vyas

Head of Security Consultancy and Architecture

I have been working in Cybersecurity for over 10 years, and have been working on large scale multi-cloud programs in the Software and Finance industries over that period. I deliver business value through robust, scalable, fit for business cybersecurity, by establishing new ways of working to help the business to innovate. Challenging the status quo to help remove inertia, and ensuring that cybersecurity remains relevant and mea...

Read more

Eric Matlock Headshot Missing
Eric Matlock

Eric Matlock

Raja Rajenderan Headshot Missing
Raja Rajenderan

Raja Rajenderan

Namrata Kulkarni
Namrata Kulkarni
Cyber Security Architect

Namrata Kulkarni

Cyber Security Architect

Are you a research volunteer? Request to have your profile displayed on the website here.

Interested in helping develop research with CSA?

Related Certificates & Training