Guillaume Blaquiere

In the last decade, the world of information technology has pivoted from servers to virtualization to now cloud and serverless. However, most skilled security engineers understand that threats have been around even before servers were connected to the internet—remember when threats came by way of the floppy disk?

Bad actors and their teams are more organized, and the rapid evolution of tech has also created new attack possibilities. Threats have evolved.

With the introduction of the internet, the most significant threats no longer came from floppy disks but outside sources; this means that security teams have had to create and adapt their patterns continuously, for example, filtering and blocking external traffic with a firewall, sanitizing it, and then letting the traffic live in the internal DMZ (demilitarized zone).

Servers are now virtual machines, yet routers and firewalls are still the best defense methods for protecting IT resources. Virtualization in the cloud has not changed this; in fact, most if not all cloud providers propose IaaS (infrastructure as a service) with, at least, firewalls, routers, NAT, and VPNs. The old yet reliable DMZ pattern is still alive and well. The basics of IT security do not change as fast as the threats do—the tried and true formulas still work!

And then there was serverless.

Serverless, a disruptive proposition, basically tells us, “Hey, you don’t have to manage virtual machines or the network; build your application and trust the cloud provider to handle the rest.” What a Big Bang!

• No network management

• No firewall rule to choose from

• No public IP access and limitation

• No addressing plan to discuss

• No DMZ

Twenty-year-old commonly accepted patterns, processes, and best practices are disappearing due to this new method of hosting applications. Suffice to say that security teams have had difficulties accepting this. Why? It’s not because it’s too new or because they have to trust a third party for their security management now, but because they have lost control of their domain. It’s primarily a matter of understanding this new paradigm.

Sure the rules have changed, the frontiers of responsibilities have moved between the cloud providers and the companies, but the principles stay the same.

Don’t expose the service publicly

This is no longer through public IP but with authorization filtering.

Don’t expose your IP when performing external calls

NAT principles remain the same

Keep your internal traffic safe

Internal no longer exists on managed infrastructure, so only accept connections from authenticated and authorized sources and services.

You can continue to enforce the old principles. They are all valid; only the implementations have evolved. Skilled security team members with years of experience and a core understanding of the basics are still very valuable, even in advisory matters. How else will we succeed in securing the new world?

The basics still matter.