Alex - stock.adobe.com
A startup providing AI-based cloud services to financial customers favors serverless computing for security, despite the challenges of translating ISO and SOC 2 audit requirements for the cloud-native architecture.
CrossBorder Solutions began to seek certification under the American Institute of CPAs' Service Organization Control (SOC) 2 and the Information Organization for Standardization (ISO) 27001 programs for its cloud-based products in 2019. While it isn't required by law to demonstrate compliance with these programs, the company saw a business advantage in demonstrating to its highly regulated customers that it was compliant with those standards.
"We did the certifications to help clients understand that we're safe to do business with," said James Ford, who served as the company's chief security architect from 2019 until October 2021. "SOC requires [them] to do vendor risk management, [which is] basically making sure all your vendors ... are more or less doing ISO and SOC."
The problem with this, at first, was that the company also ported its entire IT environment in early 2020 to AWS, which provides services that don't require IT teams to manage virtual machine resources -- also known as serverless computing. These include AWS Lambda function as a service, along with the AWS Fargate managed container service, Aurora database as a service, application load balancers and CloudFront CDN.
"Serverless does not equate to infrastructure-less," Ford said. "What it really makes difficult is trying to explain to the auditor what you don't do and what you don't have control of."
ISO, SOC 2 audits require people and policy plans
Ford said he believes CrossBorder was among the first companies to receive SOC 2 certification in a fully serverless environment, but the process ultimately involved more of a focus on people and process issues than technological problems.
First, there was the work required to help IT compliance auditors understand cloud services that didn't fit what ISO and SOC 2 controls were originally designed to describe: private data centers that contain servers.
"It's a lot of talking to the auditor and talking them off the ledge at some level," Ford said. "You absolutely have to work with the auditor on each and every service."
Ford said he engaged with several auditing firms before choosing one to use for the ISO 27001 and SOC 2 certifications, to ensure that they were comfortable with the serverless approach. Bringing auditors up to speed on cloud-native technologies has long been a headache for companies as they move to the cloud, but by now, most auditors have at least grown accustomed to working with IaaS environments and DevOps pipelines, Ford said.
Still, serverless computing involved some concepts that were relatively new. For example, the AWS Cognito identity management service CrossBorder uses with its customer-facing applications takes an approach to sign-in failures that's different from what's described in standard audit frameworks.
"You'll get things in the audit where they want to see that you're blocking a user after five failed logins, but [Cognito uses a system where] by the time you get to five failed logins, the user is [put] in up to a 15-minute lock-out between attempts," Ford said. "You have to spend some time explaining, 'Well, no, that's not how that works. ... But it's giving you the equivalent of what you're looking for from a control point of view.'"
AWS has also developed tools to help companies enforce and demonstrate security in its cloud, such as Control Tower and Account Factory, which centralize the control of multiple AWS accounts and enforce security best practices between them. The AWS Security Hub pulls in logs from all of CrossBorder's accounts and scores them according to their compliance with Center for Internet Security and AWS best practices benchmarks, which Ford said he was able to use to satisfy ISO audit requirements for specific security key performance indicators.
While SOC 2 certification documented for customers that CrossBorder was following general IT security best practices, ISO 27001 provided a more prescriptive list of controls the company could use to tie SOC 2's high-level concepts to specific practices, Ford said.
"When you're doing SOC, these things are good suggestions, but when the ISO audit comes, they're no longer suggestions, they are audit points," Ford said. "'How did you solve for A? How did you solve for B?'"
Translating ISO 27001 and SOC 2 requirements for serverless computing presented an initial challenge. Once past that early stage of the audit process, however, Ford said the bigger task was demonstrating that the company was following best practices in how it organized people and processes.
"There's a lot of policies and procedures you end up having to author to go ahead and prove that you're following the program" under ISO 27001, Ford said. "And then the big trick there is making sure you write it in such a way that you have a method to generate proof that you're doing it."
The upsides of serverless security
Ultimately, Ford said, the initial work to prepare auditors to assess serverless environments is more than balanced by serverless security benefits.
James FordFormer chief security architect, CrossBorder Solutions
"You may have an unproductive week because you spent 40 hours talking to the auditor to get them through the process," he said. "But that seems like a fair trade-off against spending 52 weeks managing a bunch of extra layers of infrastructure."
Eliminating server instances from the audit equation means both IT pros and security and compliance teams at the company can focus more on business logic, whether that's application-level security or human resources audit requirements, Ford said.
This also encourages the use of ephemeral and immutable infrastructure practices and automated deployments through CI/CD pipelines, all of which have security advantages over server-based practices, Ford said.
"I love that with serverless you don't have to worry as much about persistent threat actors," he said. "For somebody to compromise one of your containers ... by the time they get in there, you've either destroyed it or it's been replaced. [Attackers] are going to go after long-running VMs [instead]."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.