code security

The 2021 CISSP Exam and Application Security: What’s Changed?

Published July 1, 2021 WRITTEN BY MICHAEL SOLOMON
Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.

The Certified Information Systems Security Professional (CISSP) certification, granted by the International Information System Security Certification Consortium Inc., or (ISC)2, is one of the most prestigious vendor-neutral information systems security leadership certifications. The CISSP certification is a credential that signifies its holder possesses professional experience and demonstrates a high level of knowledge across information systems security domains. (ISC)2 periodically updates the information systems security Common Body of Knowledge (CBK) to reflect the state of today’s organizations and environments. The latest version of the CISSP exam was released on May 1, 2021. This updated exam addresses the latest cybersecurity challenges. Some of the noticeable changes from the previous exam are in the software security domain. New CISSP exam takers must demonstrate a deeper knowledge of developing secure software than those who took previous editions of the exam. Software security has taken on a higher profile. Let’s look at how the 2021 CISSP exam changes add focus on developing secure software.

Why the CISSP certification is important

The CISSP certification is not the only cybersecurity certification, but it is one of the most respected certifications in the industry. Although criticized as an overly broad certification, its focus is on demonstrating a working knowledge in eight defined domains that cover most cybersecurity concerns. The CISSP exam focuses more on cybersecurity leadership and a grasp of pertinent concepts and topics than on the deep knowledge of a specialized practitioner. The certification tends to be more sought after by those either in or pursuing management and leadership positions. There are currently over 147,000 CISSPs worldwide, and the certification enjoys international recognition as a high-quality and difficult-to-attain certification. The CISSP was the first information security credential to meet the ISO/IEC 17024 standard requirements, which define criteria for certification-granting organizations. The CISSP is also approved by the Department of Defense to satisfy multiple DoDD 8570 Level III certification requirements. And in May 2020, the UK National Recognition Information Centre (UK NARIC) granted the CISSP a Level 7 ranking, which equates the certification with a master’s degree. The popularity of the CISSP certification, along with its longevity and demonstrated rigor, makes it an attractive target for managers and executive leadership in information systems security roles. In short, many information systems security leaders are CISSPs. Whatever (ISC)2 deems important in its CBK and exams will be considered important by its credential holders.

Changes to the 2021 CISSP exam related to application security

Domain 8 of the CISSP exam is Software Development Security, and it represents 11% of the questions test takers will encounter. The previous edition of the CISSP exam weighted Domain 8 at 10%. A single percentage-point increase in weight may not seem like very much, but some of the covered content has changed quite a bit. Previous coverage of Software Development Security was a bit generic and high-level, but the 2021 CISSP exam objectives are more granular, with some interesting additions. To give an overview of the CISSP exam objectives, here are the eight domains: Security and Risk Management, Asset Security […]


The State of Mobile App Security 2021

Published June 24, 2021 WRITTEN BY ED TITTEL.
Ed Tittel is a long-time IT industry writer and consultant who specializes in matters of networking, security, and Web technologies. For a copy of his resume, a list of publications, his personal blog, and more, please visit www.edtittel.com or follow @EdTittel

The ever-increasing popularity and use of smartphones dwarfs that of more conventional computing devices, such as desktops, laptops, tablets and so forth. Here are some numbers to put things in perspective: according to Statista, the total number of mobile devices should reach 17.71B by 2024, up from just over 14B such devices in use in 2020. The same source puts the size of the installed base of PCs worldwide at 1.33B in 2019, with a slight decline over the period from 2013-2019. Interestingly, Microsoft recently claimed 1.3B “active Windows 10 users,” which tells us the overwhelming majority of PC users seem to favor its operating system.

Putting Mobile Devices Into Proportion

The real impact of this comparison, of course, is that mobile devices outnumber PCs by over an order of magnitude. In addition, that balance continues to swing ever more firmly in favor of mobile devices. Mobile devices run mobile apps. Indeed, this simple observation makes mobile app security crucial, simply because most of the human race (mobile devices currently outnumber humans by almost 2 to 1) uses such devices and the apps that go with them to communicate, access the Internet, and get on with the business of living.

The Continuing Sad State of Mobile App Security

Even as mobile apps keep proliferating, and more and more users rely on them to learn, work and play, the state of mobile app security can only be described as deplorable. On the one hand, App Annie reported that mobile app usage grew 40% year-over-year in Q2 2020 as compared to the preceding year. On the other hand, security firm Synopsys entitled its most recent survey Peril in a Pandemic: The State of Mobile App Security. The company found that significant causes for concern about security in mobile apps were both abundant and alarming, primarily owing to three major factors:

- Commonly used apps that displayed well-known open source vulnerabilities
- Unsecured and unencrypted sensitive data in mobile application code that present potential points for information leakage and unwanted access and disclosure
- Frequent assignment of higher levels of access and permission to mobile apps than the “principle of least privilege” (PLP) would allow

All of these unsafe programming or administrative practices leave mobile apps overly open to attack and potential compromise. The report analyzed over 3,000 mobile apps and reported some scary statistics – namely:

- 63% of apps included known security vulnerabilities, with an average of 39 vulnerabilities per app, of which 44% were rated “high risk,” 94% of which had publicly documented fixes, and 73% of which had been reported two or more years ago.
- Thousands of sensitive data items were exposed in the application code, including over 2K passwords, tokens and keys, over 10K email addresses, and nearly 400K IP addresses and URLs.
- Use of overly powerful device permissions showed just over 33K instances of normal permissions, with just over 15K of sensitive permissions, and just over 10K of permissions “not intended for third-party use.”

What Can (and Should) Mobile Developers Be Doing? […]


Understanding the Colonial Pipeline Ransomware Attack

Published June 17, 2021 WRITTEN BY ED TITTEL.

On or about May 7, 2021, Colonial Pipeline had to shut its pipelines down because of a ransomware attack. Colonial is a major fuel pipeline operator in the southern and eastern US. Its pipelines stretch from Texas to New Jersey, and reach into Louisiana, Mississippi, Alabama, Georgia, both Carolinas, Tennessee, Virginia, Maryland and Pennsylvania. After a week of downtime that saw gas shortages in many of the more eastern states just mentioned, the company announced on May 12 that it was restarting pipeline operations. By May 15, those operations had more or less returned to normal. One burning question remains: What happened?

A Word from Joseph Blount, Colonial Pipeline’s CEO

In an interview with the Wall Street Journal, Blount recounted that he authorized a ransom payment of $4.4 million. He did so because company executives, in the words of the WSJ story, “were unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back.” According to the WSJ, “Colonial Pipeline provides roughly 45% of the fuel for the East Coast…” Essentially, Colonial Pipeline chose to disregard long-standing advice from the FBI and other law enforcement agencies not to pay ransom demands in such situations. Blount demurred and is quoted as saying he authorized payment because “…it was the right thing to do for the country.”

More About the Attack

Security experts are in agreement with US government officials who attribute the attack to a criminal gang based in eastern Europe named DarkSide. This shadowy organization builds malware to attack systems for extortion, and shares the proceeds obtained from its ransomware with affiliates who actually carry out the attacks that see its ransomware take over business and government systems all over the world. As reported in the WSJ story, Colonial worked with experts who had prior experience dealing with the organization behind the attack. That said, the company declined to share details on the negotiations involved in making the payment, or how much of its losses might (or might not) be covered by its cyber insurance. Once the attackers received payment, they provided a decryption tool to unlock affected systems. Underscoring law enforcement advice, Colonial also disclosed that the decryption key did not provide everything needed to restore its systems to normal operation. According to CNN, and contrary to many other reports, the sponsoring DarkSide organization is not “believed to be state-backed.” Instead, Lior Div, CEO of cybersecurity firm Cybereason, describes DarkSide as a “private group that was established in 2020.” That said, consensus is emerging that DarkSide operates in Russia for two compelling reasons. According to CNN, “its online communications are in Russian, and it preys on non-Russian speaking countries.” Div is further quoted as saying “Russian law enforcement typically leaves groups operating within the country alone, if their targets are elsewhere.” DarkSide runs what CNN and others call a “ransomware-as-a-service” business. That is, it builds tools that it makes available to other criminals, who then use […]


Facebook Scraping Incident Leaks Info for a Half-Billion Users

Published June 10, 2021 WRITTEN BY ED TITTEL.

In early April, numerous sources disclosed the discovery of a pool of Facebook records including information on more than 530 million of its users. The leaked information included users’ names, dates of birth, and phone numbers, as posted to a website for hackers. Business Insider’s (BI) April 3 story represented some of the first reporting on this breach, and focused on a database that security researcher Alon Gal of cybercrime intelligence firm Hudson Rock discovered in January 2021. BI reports further that it “reviewed a sample of the leaked data and verified several records by matching known Facebook users’ phone numbers with IDs listed in the data set.”

Facebook’s Response and Explanation

The BI story states that a “Facebook spokesperson told Insider that the data has been scraped because of a vulnerability that the company patched in 2019.” Scraping attacks involve downloading account pages from a website and parsing their contents to discover personal information amongst the data the underlying Web markup contains. The vulnerability involved was based on the ability to import contact lists from users’ cellphones (with their permission) to extend friend lists and associated data. But while the vulnerability is no longer open to exploitation, even PII (personally identifiable information) from 2019 can serve as an entry point for various types of attack, including impersonation, identity theft, targeted phishing, and potential fraud. According to numerous sources who’ve analyzed the database in question, users from 106 countries are included in its contents. Of the over 500 million users represented therein, US-based users number 32 million, with 11 million more from the UK, and an additional 6 million from India. For most users, their data includes Facebook IDs, phone numbers, full names, locations, dates of birth, and self-descriptions (bios). For some users, email addresses are also disclosed.

How the Breach Was Identified

Mr. Gal found the leaked data in January when a hacking forum user advertised a bot that could provide phone numbers for hundreds of millions of Facebook users at a price. At around that same time, Joseph Cox at Motherboard reported the existence of this automated Telegram bot, with a proof-of-function demo, with charges ranging from US$20 for information on a single user account up to US$5K for 10,000 users. Motherboard reports it tested the bot and confirmed that it provides a valid phone number for a Facebook user known to them who elected to keep that number private. The exploit was documented in 2019 for Instagram users (Instagram is a subsidiary of Facebook) and included this statement: “It would … enable automated scripts and bots to build user databases that could be searched, linking high-profile or highly-vulnerable users with their contact details.” This is apparently just what the database that Gal discovered contains. Since his initial findings in January, that database has been posted to a hacking forum at no charge. Thus, it’s available to anyone able to access the site. And indeed it could provide ample data to drive attacks even […]


Pandemic Legacy: Remote Work and Digital Transformation

Published June 3, 2021 WRITTEN BY MICHAEL SOLOMON

The COVID-19 pandemic drove many companies to rapidly expand their support for remote work. This change was not simply to appease a changing workforce; it was necessary to survive. When most of the workforce was suddenly told to stay home, many organizations had to either adapt or cease to exist. The increased reliance on transforming previously manual or hybrid procedures to purely digital ones required updated (or completely new) applications, supporting software and infrastructure. Digital transformation was no longer an aspirational goal — it became a survival necessity. Let’s look at some fundamental changes the pandemic forced on companies and consumers, and how those changes affect all aspects of doing business today, including software development organizations building secure applications in a decentralized world.

Digital transformation plans were accelerated

Prior to 2020, face-to-face interactions were not only the norm, but also the preferred way to communicate and carry out business. While a growing number of younger workers and consumers who preferred digital interaction were helping digital communication gain popularity, total adoption was a long way off. Digital transformation (DT) is the common term used to represent the process of replacing manual business processes or services with digital processes. The push for DT was underway in 2020, but only as it aligned with long-term strategy. A few existing companies and many startups relied on digital processes, but most companies approached DT conservatively. After all, the requirement to produce revenue today trumped the desire to innovate for the future.

Once the pandemic hit, companies of all types suddenly had to carry on unhindered without face-to-face interactions. Some companies were built on the concept of offices full of workers. Others depended on the ability to serve a steady flow of physical customers. Regardless of the business model, the disruption of face-to-face interaction required solutions where technology could provide the connection. One of the first shifts was to simulate the business meeting, customer interactions or even the classroom. Zoom went from a video conferencing tool to a generic term for an online meeting. The term can even be used as a verb, as in “I’ll Zoom you.” COVID-19 shifted DT from a long-term strategic goal to a survival requirement. Although not all companies could simply “go digital,” many could. Restaurants, airlines, hotels and a long list of other service-oriented companies had to undergo radical transformations. Other types of companies, such as insurance companies, software development organizations and banks, could continue operations, but had to find a different way. Reliance on face-to-face interactions had to give way to digital transactions. Customer service was required to rise to the occasion and provide an acceptable level of service using remote workers and digital connections. Some companies, like Amazon, were up to the challenge. After all, they were already relying on a decentralized model for much of their business process. They encountered challenges at their warehouses that relied on many human workers, but the rest of their organization had already embraced digitization and automation. Other organizations were not as fortunate and had to accelerate their digital […]


How NIST SP 800-53 Revision 5 Affects Application Security

Published May 27, 2021 WRITTEN BY MICHAEL SOLOMON

The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce that, among other things, maintains physical science laboratories and produces guidance for assessing compliance with a wide range of standards. NIST has a long history of providing documents that help organizations and agencies assess compliance with cybersecurity standards and implement changes to strengthen compliance and security. The NIST Special Publication (SP) series provides “guidelines, technical specifications, recommendations and reference materials, comprising multiple sub-series.” One sub-series, SP 800, focuses on cybersecurity, specifically containing guidelines for complying with the Federal Information Security Modernization Act (FISMA). (If you are interested in digging further into NIST cybersecurity offerings, check out the relatively new SP 1800 cybersecurity practice guides as well.)

NIST SP 800-53, “Security and Privacy Controls for Information Systems and Organizations,” provides guidance for selecting the most effective security and privacy controls as part of a risk management framework. The latest revision of NIST SP 800-53, revision 5, was released on September 23, 2020. Revision 5 includes requirements for RASP (runtime application self-protection) and IAST (interactive application security testing). While these approaches to application security are not new, making them a required element of a security framework is a first. Let’s examine how NIST SP 800-53 revision 5 affects the secure application development process.

What NIST SP 800-53 contains

The initial version of SP 800-53 was released in 2005, titled “Recommended Security Controls for Federal Information Systems.” SP 800-53 always focused on federal information systems, at least up through revision 4. Then, revision 5 dropped the word “federal” from its title. That means SP 800-53 is now a more general guidance document that applies to commercial information systems as well as federal systems. This may seem to be a minor change, but it really means that NIST just expanded the scope of its recommendations. SP 800-53 isn’t a mandate at all, but it does signal a strengthening of guidance from the federal government for non-federal environments. SP 800-53 contains a catalog of security and privacy controls, organized into 20 control families. Chapter two of SP 800-53 “describes the fundamental concepts associated with security and privacy controls, including the structure of the controls, how the controls are organized in the consolidated catalog, control implementation approaches, the relationship between security and privacy controls, and trustworthiness and assurance.” The other major chapter of SP 800-53, chapter three, includes a catalog of security and privacy controls, each of which includes a discussion of that control’s purpose and how it fits into a layered security approach. The goal of SP 800-53 is to provide a consolidated guidance document that describes security and privacy controls, how they are related to one another, and how to best select, deploy and assess the controls required for specific use cases.

What revision 5 means to application security

Although SP 800-53 revision 5 provides general guidance for selecting security and privacy controls, a noticeable portion of the changes since revision 4 focus on software. As […]


Biggest Cloud Breaches of 2020

Published May 20, 2021 WRITTEN BY ED TITTEL.

2020 was a year to remember, and one that many would like to forget, for a variety of reasons ranging from the largest global pandemic since the Spanish Flu of 1918, to political turmoil in the USA over a fractious Presidential race, to economic and employment dips of epic proportions. And indeed, 2020 also came with a number of record-setting security breaches, nearly all of which involved the cloud in some form or fashion. In fact, there are numerous top 10 security breach collections among which to choose. One in particular is worth reciting, and then reflecting on the cloud’s presence in that itemized list. PCR is a leading information source for IT resellers and distributors in the United Kingdom. It reports its top 10 based on the number of records breached in the incidents selected. They cite the Risk Based Security report, which observes that nearly 3K breaches were reported for Q1 2020 alone, and puts the number of records exposed at 36 billion (for the whole of 2019, “only” 15 billion records were exposed). Here’s their top 10 list with some annotations and reflections, in ascending order by number of records breached:

10. Unknown source (201M): In January 2020, security researchers found a database containing over 200M sensitive personal records online. The compromised host was on the Google Cloud Platform, so though the source or owner of the data remains unidentified, there’s no disputing that this collection of US personal and demographic data has a definite cloud connection. After Google was alerted to the matter, it took the server down over a month later.

9. Microsoft (250M): In January 2020, MS itself reported a data breach on servers storing customer support analytics in its Azure cloud. The records involved included email and IP addresses, plus support case details, stored on 5 ElasticSearch services, inadvertently disclosed owing to misconfigured security rules.

8. Wattpad (268M): In June 2020, records belonging to this Canadian website and app, which writers use to publish user-generated stories and text, were exposed (later reports raise the count to 271M records). Malicious actors compromised the company’s SQL database, which contained account information, email and IP addresses, and other personal data. Reports on this breach do not mention a specific cloud connection, but the site’s current DNS information appears to show it is hosted by Amazon Web Services (a definite cloud connection).

7. Broadvoice (350M): Broadvoice is a US provider of Voice over IP (VoIP) services to businesses; October 2020 reports confirm exposure of 350 million customer records from this company. Data disclosed includes names, phone numbers, and call transcripts, including calls to medical and financial services providers. Owing to a configuration error, security researchers were able to access ten of the company’s databases without providing access credentials. Broadvoice changed the configuration and notified relevant legal authorities. It’s not clear that these databases were cloud-based, though it’s hard to imagine a VoIP company NOT doing business in the cloud.

6. Estée Lauder (440M): In January 2020, the company had an unprotected, unencrypted […]


Understanding RASP, and Putting It to Work

Published May 13, 2021 WRITTEN BY ED TITTEL.

RASP is an initialism for runtime application self-protection. It’s a technology designed to boost application software security by monitoring inputs to running applications. RASP screens all such inputs, and blocks those that could be associated with potential attacks. RASP also protects various aspects of an application’s runtime environment, and prevents changes to environment variables, access controls and privileges, and so forth. Gartner’s IT Glossary defines RASP as follows: “a security technology that is built or linked into an application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.” Numerous security companies offer RASP add-ins for widely used runtime environments, such as the Java Virtual Machine and the .NET Common Language Runtime. In fact, developers generally choose to buy RASP tools from such third parties instead of building their own implementations.

Putting RASP to Work

When integrated into an application’s runtime, RASP incorporates security checks into supporting server environments. That is, RASP intercepts inputs sent to the application for screening, and either allows acceptable inputs to reach the application or denies questionable or malicious inputs. RASP also includes built-in logging and monitoring facilities so it can keep track of what it’s doing, and make sure its actions are appropriate and secure. RASP implementations seek to maximize valid interceptions (by preventing malicious or insecure inputs from obtaining application access). At the same time, RASP monitoring — and related updates from its makers — also seeks to avoid invalid interceptions (preventing legitimate and benign inputs from accessing the application). Ultimately, it makes sense to understand RASP as a validation tool for inputs and data requests made to applications inside their runtime environments.

RASP Is An All-Purpose Technology

Because it’s a plug-in that works with a range of runtime environments, RASP can handle both web-based and traditional (standalone executable-based) applications. Once present, RASP brings protection and detection capabilities to the servers where targeted applications run. In addition, because RASP sees the overall application state and context, it does not work at the packet level as application firewalls do. RASP generally has a nuanced and informed view of application and input states across current ongoing interactions. A stateful view of application inputs gives RASP more scope and flexibility for protection. It can exhibit a variety of behaviors as it detects unwanted actions or malicious inputs that match security rules or policies in its knowledge base. Examples of such behaviors, in increasing order of severity, include:

- Deny the offending input, with a warning message to the sending user
- Issue alerts to named recipients (usually administrators or security team members) when offending inputs occur
- Terminate the user session upon offending input
- Terminate the application upon offending input (this does not otherwise affect the host server, or other services or applications)

RASP implementations generally plug into existing server frameworks and runtime modules. Thus, they integrate with a program’s code, associated libraries and API calls. Such integration is what gives RASP the ability to handle inputs in real time as an application is executing. […]


Managing API Security for AI Programming

Published May 06, 2021 WRITTEN BY ED TITTEL.

The best tool for securing use of application programming interfaces (APIs) – including those employed for AI programming – may be AI itself. Artificial intelligence is extraordinarily adept at modeling how APIs get used. This means that AI models can continuously examine and analyze API activity. This provides an opportunity to address oversights and issues that policy-based API coverage cannot handle. The timing on this technology is fortuitous, because Gartner predicts that API abuses will represent the most frequent attack vector that results in data breaches within enterprise web-based applications. These days, says InfoWorld, enterprises make use of authentication, authorization and throttling capabilities to manage APIs. Such tools are vital in controlling who accesses APIs within an enterprise IT environment. But these approaches do not address attacks that survive such filtering and scrutiny because they are cleverly embedded within apparently legitimate API calls and uses. Nowhere is this as apt as for AI programming itself, which represents a substantial and increasing share of programming activity within enterprises nowadays. Within an organization, it’s typical to use API gateways as the primary way to call and use APIs. Such gateways can enforce API policies by checking inbound requests against rules and policies that relate to security, throttling, rate limits, value checks, and more. In this kind of environment, both static and dynamic security checks can be helpful, and improve security within the applications they serve.

Static Security Checks and Policies

Static policy checks work well for quick, simple analyses because they do not change with request volume or previous request data. Static security scans work well to protect against SQL injection attacks, coercive parsing attacks, schema poisoning attacks, entity expansion attacks, and other attacks that depend on clever manipulation of API inputs. Static policy checks work when scanning incoming packet headers and payloads, and can match against already-known access patterns associated with attacks. This permits, for example, JSON payloads to be validated against predefined JSON schemas, and can screen against injection attempts of various kinds. An API gateway can also enforce element count, size, and text pattern limits or filters to forestall attempted buffer overflows or illegal command injections.

Dynamic Security Checks and Policies

Dynamic security checks, as the name implies, work against inputs and behaviors that can change. Typically, this means that inputs must be validated against some notion of state or status, as defined by previous inputs and the data associated with them. Most often, dynamic checks reflect the volume or frequency of API traffic and requests at the gateway. For example, throttling techniques depend on tracking previous activity volume to limit access when the number of prior API requests exceeds some predetermined (but adjustable) threshold. Rate limiting works in similar fashion – by curbing the concurrent access allowed for some particular service or resource. While techniques based on authorization, authentication, throttling and rate limiting can be helpful, they do not address all the ways in which APIs might be attacked. Because API gateways typically serve numerous web services, their attendant APIs may […]


Securing Serverless Applications

Published Apr 29, 2021 WRITTEN BY ED TITTEL.

Although the term says "serverless," serverless applications don't really run without any servers involved. Rather, they run inside cloud-based infrastructures so that developers and operators no longer need to stand up and run their own servers, virtual or physical. That is, the application still runs on a server, but the responsibility for server management falls on the cloud service or cloud platform provider instead. That means organizations need not themselves provision, scale, manage and maintain the servers on which their applications run – they use a serverless architecture to build, test, deploy and run their applications and services for clients, customers, end-users, and so forth. AWS Lambda, for example, is a serverless service that includes automatic scaling, with high availability baked into the runtime environment, charged on a pay-for-value basis.

As is typical for cloud-based runtime environments, serverless applications adhere to what AWS calls the "shared responsibility model" (often loosely termed a "shared security model"). Under this model the cloud provider is responsible for security of the cloud, while those who host their applications are responsible for security in the cloud. When organizations adopt serverless technologies, the share of responsibility that the provider assumes climbs up the stack: the provider now also covers operating system and networking security for the servers on which the organization's serverless application runs, leaving the organization responsible for its function code, dependencies, configuration and access permissions.
Theoretically, this means the job of security is easier for serverless applications than for cloud-based applications where the operating organization also stands up the underlying virtual infrastructure. In fact, Amazon recommends (and most other cloud service and platform providers concur) that companies adhere strictly to the Principle of Least Privilege (PLP) and also follow best practices for securing their serverless applications. Amazon recommends its own identity and access management (IAM) platform to secure and manage access to its services and resources, but similar capabilities are available from all of the major cloud platform providers, including Azure, Google, Oracle, IBM, Alibaba and others.

Proper use of identity and access management technology is indeed key to securing serverless applications. This includes access controls through accounts and groups or job roles, and specific constraints on how users may interact with serverless applications. These might pertain to days of the week, times of the day, or originating IP addresses, as well as requiring TLS (still often called SSL) or other secure protocols, and even requiring multi-factor authentication (2FA or better) before allowing access to proceed. In addition, most cloud platforms' identity and access management tools support access auditing and reporting, so the organization's security team and administrators can confirm that prevailing policies grant only authorized accounts appropriate access to applications and their resources. Organizations should use this reporting to tweak and adjust their security policies so that access is enabled only to services actually in use, following PLP. Multi-Factor Authentication (MFA) makes most sense for privileged accounts and access (administrators, developers, architects and security staff) so that privileged access is available only to those who provide a hardware MFA device, or who use an authentication app […]
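The least-privilege and access-condition advice above is easiest to judge against an actual policy document, so here is an added example (not code from the article or from AWS) that places an overly broad IAM policy beside a corrected one for a hypothetical Lambda function that reads one DynamoDB table, and runs a small audit over both. The ARNs, the IP range and the list of "privileged" action prefixes are assumptions made for the example; the condition keys aws:SecureTransport, aws:MultiFactorAuthPresent and aws:SourceIp are real AWS global condition keys.

```python
"""Least-privilege audit of IAM policy documents for a serverless function.
Added illustration, not AWS tooling. Both policy documents and every ARN
below are constructed for the example; the condition keys aws:SourceIp,
aws:SecureTransport and aws:MultiFactorAuthPresent are real AWS global keys."""

# Hypothetical resources the function touches (assumed account and names).
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/orders"
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:orders-api"

# The weak starting point: every action on every resource, no conditions.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# The corrected document: only the two read calls the function makes, on one
# table, over TLS; code updates require MFA and an assumed office source range
# (203.0.113.0/24 is a documentation prefix, not a real network).
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": TABLE_ARN,
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        {
            "Effect": "Allow",
            "Action": ["lambda:UpdateFunctionCode"],
            "Resource": FUNCTION_ARN,
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
            },
        },
    ],
}

# Action prefixes this audit treats as privileged: an assumption for the
# example, since a real review derives the list from the team's threat model.
SENSITIVE_PREFIXES = ("iam:", "lambda:Create", "lambda:Update", "lambda:Delete")


def _as_list(value):
    """IAM accepts a bare string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def _mfa_required(statement: dict) -> bool:
    """True when the statement carries a Bool aws:MultiFactorAuthPresent=true condition."""
    cond = statement.get("Condition", {})
    return str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true"


def audit_policy(policy: dict) -> list:
    """Return least-privilege findings; an empty list means nothing to report."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not audited here
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        if any(r == "*" for r in resources):
            findings.append(f"statement {i}: wildcard resource")
        privileged = any(a == "*" or a.startswith(SENSITIVE_PREFIXES) for a in actions)
        if privileged and not _mfa_required(st):
            findings.append(f"statement {i}: privileged actions allowed without MFA condition")
    return findings


if __name__ == "__main__":
    for name, doc in (("overly broad", OVERLY_BROAD), ("least privilege", LEAST_PRIVILEGE)):
        print(name, "->", audit_policy(doc) or "OK")
```

The audit is deliberately narrow (wildcards and unprotected privileged actions); the point is that the same document which looks fine to a human skim fails three checks, while the corrected version passes because each statement names the exact calls, the exact resource, and the conditions under which a caller may use them.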
