Cloud vs Serverless Computing: A Security Point of View

Abstract

In the last few years, there has been an evolution of the traditional cloud architectures which offers the possibility the provider assumes a big percentage of the security to the level of infrastructure, leaving the responsibility for the security of the applications to the developers. The new model of serverless computation, represents an evolution of the cloud architecture, improving also some appearances related with the security of the applications that use this new model. In this paper, we analyze which are the advantages and problems of the serverless architectures from the point of view of the security, comparing the main risks and attack vectors in both architectures. From this comparative, we can conclude that in serverless architectures new risks appear in the applications and improve others that are found in methodologies of safe development like Open Web Application Security Project (OWASP). Given the event-driven nature of serverless architectures, this type of applications add an additional complexity and arise new risks, among which can stand out those related with the data injection of events in functions and the creation of flows between serverless functions that could increase the attack surface of an application and do it vulnerable to attacks already known. To the best of our knowledge, this is the first paper to compare cloud and serverless computing from a security point of view.