Serverless Computing is a virtualisation-related paradigm that promises to simplify application management and to solve the last open challenges in the field: scaling down and ease of use. The implied cost reduction, coupled with simplified management of the underlying applications, is expected to further push the adoption of virtualisation-based solutions, including cloud-computing and telco-cloud solutions. However, in this quest for efficiency, security is not ranked among the top priorities, partly because of the (misleading) belief that the solutions developed for virtualised environments can be applied as-is to this new paradigm. Unfortunately, this is not the case, due to the idiosyncratic features of serverless computing highlighted in this work. In this paper, we review the current serverless architectures, abstract and categorise their founding principles, and provide an in-depth analysis of them from the point of view of security, referring to principles and practices of the cybersecurity domain. In particular, we show the security shortcomings of the analysed serverless architectural paradigms, point to possible countermeasures, and highlight a few research directions.