The Doppler Quarterly Fall 2019 | Page 24

It is critical for customers in regulated industries to validate that the services and applications utilizing serverless technology comply with their regulatory standards.

Developing the Serverless Cloud Security Reference Architecture

Figure 2 shows the structure of one portion of the security and risk management (SRM) domain within the SRA. The total SRA consists of six domains:

1. Security and Risk Management (SRM)
2. Information Technology Operation and Support (ITOS)
3. Business Operation Support Services (BOSS)
4. Information Services
5. Infrastructure Services
6. Application Services and Presentation Services

Each domain is made up of high-level, mid-level and low-level security capabilities. A low-level capability may have multiple controls applied to it. A small portion of the SRA is shown in Figure 2.

Figure 2: SRA domain subset with capability levels. The figure shows the Security and Risk Management domain with its high-level capability, Privilege Management Infrastructure; its mid-level capabilities, Identity Management, Authentication Services, Authorization Services and Privilege Usage Management; and the low-level capabilities beneath them: Domain Unique Identifier, Federated IDM, SAML Token, Risk Based Authorization, OTP, Identity Provisioning, Attribute Provisioning, Multifactor Authentication, Smart Card, Password Management, Middleware Authentication, Single Sign On, Policy Enforcement, Policy Definition, Policy Management, Principal Data Mgmt., Resource Data Mgmt., Role Management, Keystroke / Session Logging, Password Vaulting and Privilege Usage Gateway.

We analyzed all domains in the SRA and identified capabilities that are either:

• Applicable to serverless
• Impacted by the technology
• Not applicable

The following illustrates how this analysis was performed:

• Applicable capabilities: In the Security and Risk Management (SRM) domain's Privilege Management Infrastructure high-level capability, we found that all mid-level capabilities, such as Identity Management, Authentication Services, Authorization Services and Privilege Management, are applicable to serverless.