• Dana Epp

Serverless platform security in Azure Functions

I'm a big fan of serverless compute, especially in Azure with Azure Functions. The idea of using serverless computing is so appealing as an ISV, as I don't have to fret about servers, infrastructure and operating systems... they are managed for me.

However, that doesn't mean I can abdicate responsibility when it comes to security. It's important to understand that in a shared responsibility model like the one used in the public cloud, knowing where my responsibilities begin and end is paramount.

Microsoft recently published "Azure Functions and serverless platform security", a document outlining the security considerations for serverless computing. It's worth the read.

It includes several key concepts that everyone should understand, including:

  • Injection flow in Azure Functions

  • Fragmented authentication

  • Privilege and role considerations

  • Monitoring and logging

  • Data flow and data security considerations

  • Exception handling

Along with that, the guidance includes a whole section on how to secure the Microsoft serverless platform that you deploy.

Good stuff. Thanks for the continued documentation, Microsoft. Love seeing this sort of thing!