In the last decade, the world of information technology has pivoted from servers to virtualization to now cloud and serverless. However, most skilled security engineers understand that threats have been around even before servers were connected to the internet—remember when threats came by way of the floppy disk?
Bad actors and their teams are more organized, and the rapid evolution of tech has also created new attack possibilities. Threats have evolved.
With the introduction of the internet, the most significant threats no longer came from floppy disks but outside sources; this means that security teams have had to create and adapt their patterns continuously, for example, filtering and blocking external traffic with a firewall, sanitizing it, and then letting the traffic live in the internal DMZ (demilitarized zone).
Servers are now virtual machines, yet routers and firewalls are still the best defense methods for protecting IT resources. Virtualization in the cloud has not changed this; in fact, most if not all cloud providers propose IaaS (infrastructure as a service) with, at least, firewalls, routers, NAT, and VPNs. The old yet reliable DMZ pattern is still alive and well. The basics of IT security do not change as fast as the threats do—the tried and true formulas still work!
And then there was serverless.
Serverless, a disruptive proposition, basically tells us, “Hey, you don’t have to manage virtual machines or the network; build your application and trust the cloud provider to handle the rest.” What a Big Bang!
No network management
No firewall rule to choose from
No public IP access and limitation
No addressing plan to discuss
No DMZ
Twenty-year-old commonly accepted patterns, processes, and best practices are disappearing due to this new method of hosting applications. Suffice to say that security teams have had difficulties accepting this. Why? It’s not because it’s too new or because they have to trust a third party for their security management now, but because they have lost control of their domain. It’s primarily a matter of understanding this new paradigm.
Sure the rules have changed, the frontiers of responsibilities have moved between the cloud providers and the companies, but the principles stay the same.
You can continue to enforce the old principles. They are all valid; only the implementations have evolved. Skilled security team members with years of experience and a core understanding of the basics are still very valuable, even in advisory matters. How else will we succeed in securing the new world?
The basics still matter.
18.224.38.3