It is critical for customers in regulated industries to validate that the services and applications utilizing serverless technology comply with their regulatory standards.
Developing the Serverless Cloud Security Reference Architecture
Figure 2 shows the structure of one portion of the security and risk management (SRM)
domain within the SRA. The total SRA consists of six domains:
1. Security and Risk Management (SRM)
2. Information Technology Operation and Support (ITOS)
3. Business Operation Support Services (BOSS)
4. Information Services
5. Infrastructure Services
6. Application Services and Presentation Services
Each domain is made up of a high-level, mid-level and low-level security capability. The
low-level capabilities may have multiple controls applied to them. A small portion of the
SRA is shown in Figure 2.
[Figure 2 diagram. Domain: Security and Risk Management. High Level Capability: Privilege Management Infrastructure. Mid Level Capabilities: Identity Management, Authentication Services, Authorization Services, Privilege Usage Management. Low Level Capabilities: Domain Unique Identifier, Federated IDM, SAML Token, Risk Based Authorization, OTP, Identity Provisioning, Attribute Provisioning, Multifactor Authentication, Smart Card, Password Management, Middleware Authentication, Single Sign On, Policy Enforcement, Policy Definition, Policy Management, Principal Data Mgmt., Resource Data Mgmt., Role Management, Keystroke / Session Logging, Password Vaulting, Privilege Usage Gateway.]
Figure 2: SRA domain subset with capability levels
We analyzed all domains in the SRA and identified capabilities that are either:
• Applicable to serverless
• Impacted by the technology
• Not applicable
The following illustrates how this analysis was performed:
• Applicable capabilities: In the Security and Risk Management (SRM) domain’s Privilege Management Infrastructure high-level capability, we found that all mid-level capabilities, such as Identity Management, Authentication Services, Authorization Services and Privilege Management, are applicable to serverless.
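The analysis described above is an applicability matrix over the SRA capability tree. The following Python is an added example, not code from the article or from the SRA itself: it models the Figure 2 subset (domain, high-level capability, mid-level capabilities; the low-level layer is omitted because the figure does not state its grouping), tallies each mid-level capability as applicable, impacted or not applicable, and reports any capability that was left unclassified or tagged with a value outside those three. The `PMI_CLASSIFICATION` map is constructed from the article's finding that every mid-level capability under Privilege Management Infrastructure is applicable to serverless; the class names and function names are this example's own.

```python
"""Applicability analysis over a Cloud Security Reference Architecture
capability tree (added example; the tree content follows Figure 2)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The three outcomes the article's analysis assigns to each capability.
APPLICABLE = "applicable"
IMPACTED = "impacted"
NOT_APPLICABLE = "not applicable"
CLASSES = {APPLICABLE, IMPACTED, NOT_APPLICABLE}


@dataclass
class Capability:
    """One node in the SRA hierarchy: domain -> high-level -> mid-level."""
    name: str
    children: List["Capability"] = field(default_factory=list)


# Figure 2 subset (names as printed in the figure; grouping of low-level
# capabilities is not shown in the text, so that layer is left out).
SRM = Capability("Security and Risk Management", [
    Capability("Privilege Management Infrastructure", [
        Capability("Identity Management"),
        Capability("Authentication Services"),
        Capability("Authorization Services"),
        Capability("Privilege Usage Management"),
    ]),
])

# Constructed from the article's finding: all four mid-level capabilities
# under Privilege Management Infrastructure are applicable to serverless.
PMI_CLASSIFICATION: Dict[str, str] = {
    "Identity Management": APPLICABLE,
    "Authentication Services": APPLICABLE,
    "Authorization Services": APPLICABLE,
    "Privilege Usage Management": APPLICABLE,
}


def classify_high_level(high_level: Capability,
                        classification: Dict[str, str]
                        ) -> Tuple[Dict[str, int], List[str]]:
    """Tally the applicability class of each mid-level capability under
    one high-level capability.

    Returns (counts, problems): counts maps each class to the number of
    mid-level capabilities in it; problems lists capabilities that were
    never classified or that carry a value outside CLASSES, so a review
    cannot silently skip part of the tree."""
    counts = {cls: 0 for cls in CLASSES}
    problems: List[str] = []
    for mid in high_level.children:
        cls = classification.get(mid.name)
        if cls is None:
            problems.append(f"unclassified: {mid.name}")
        elif cls not in CLASSES:
            problems.append(f"unknown class {cls!r}: {mid.name}")
        else:
            counts[cls] += 1
    return counts, problems


def analyze_domain(domain: Capability, classification: Dict[str, str]
                   ) -> Dict[str, Tuple[Dict[str, int], List[str]]]:
    """Run classify_high_level over every high-level capability of a domain,
    keyed by high-level capability name."""
    return {hl.name: classify_high_level(hl, classification)
            for hl in domain.children}


if __name__ == "__main__":
    for hl_name, (counts, problems) in analyze_domain(SRM, PMI_CLASSIFICATION).items():
        print(f"{hl_name}: {counts}")
        for p in problems:
            print(f"  problem: {p}")
```

Running the block prints four applicable capabilities and no problems for the Privilege Management Infrastructure subset; feeding it an incomplete or mistyped classification map surfaces the gap in `problems` rather than under-counting, which is the property a practitioner wants when the matrix is later used as evidence for a compliance review.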
22 | THE DOPPLER | FALL 2019