Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

Download Publication

Home
Publications
How to Design a Secure Serverless Architecture 2021
How to Design a Secure Serverless Architecture 2021
Who it's for:
  • application developers  
  • security professionals  
  • CISOs  
  • system and security administrators  
  • information system security officers  

How to Design a Secure Serverless Architecture 2021

Release Date: 09/14/2021

Working Group: Serverless

This is an old version of the document. Check out the 2023 version here.

Like any solution, serverless computing brings with it a variety of cyber risks. This paper provides best practices and recommendations for securing serverless applications. It offers an extensive overview of the different threats, focusing on the application owner risks that serverless platforms are exposed to and suggesting the appropriate security controls.

The document assumes that the readers have some knowledge of coding practices, security and networking expertise, and application containers, microservices, functions, and agile application development.

Key Takeaways: 

  1. What is Serverless
  2. Advantages and benefits of serverless architecture
  3. Shared responsibility model for serverless
  4. Security design, controls and best practices
  5. Kubernetes security best practices 
  6. CI-CD pipelines, Function Code, Code scans and policy enforcement for Functions and Containers    
  7. Compliance and governance for serverless
Download this Resource

Prefer to access this resource without an account? Download it now.

Bookmark
Share
View translations
Related resources

Related Resources

PublicationsBlogs
Defining the Zero Trust Protect Surface
Defining the Zero Trust Protect Surface
Download Now
How to Design a Secure Serverless Architecture
How to Design a Secure Serverless Architecture
Download Now
An Agile Data Doctrine for a Secure Data Lake
An Agile Data Doctrine for a Secure Data Lake
Download Now
View all publications
Building a SOC for Compliance
Building a SOC for Compliance
Published: 04/11/2024
The Secret to Supercharging LLMs: It's Not Answers, It's Questions
The Secret to Supercharging LLMs: It's Not Answers, It's Questions
Published: 04/10/2024
The Modern Data Stack Has Changed the Security Landscape
The Modern Data Stack Has Changed the Security Landscape
Published: 04/05/2024
CSA Turns 15: Kicking Off the Next 85 Years of Cloud Security Excellence
CSA Turns 15: Kicking Off the Next 85 Years of Cloud Security Excel...
Published: 04/04/2024
View all blogs
View all webinars

Acknowledgements

Aradhna Chetal
Aradhna Chetal
Senior Director Executive- Cloud Security

Aradhna Chetal

Senior Director Executive- Cloud Security

Aradhna serves as a Senior Director Executive- Cloud Security at TIAA, a financial services company. She is responsible for the cloud security vision, strategy, standards, security patterns for a multi-cloud hybrid enterprise and engineer security solutions, to support the vision. Aradhna has worked in various Cybersecurity leadership roles at JP Morgan Chase, Boeing Company, Microsoft & T-Mobile.

Aradhna is an active member in the cy...

Read more

Vishwas Manral
Vishwas Manral
Founder at Precize Inc & Fellow at Cloud Security Alliance

Vishwas Manral

Founder at Precize Inc & Fellow at Cloud Security Alliance

Vishwas is the Founder at Precize Inc, a stealth Cloud and AI security startup. Vishwas is also the co-chair of CSA’s Serverless Working Group and the Chair of Cloud Security Alliance in Silicon Valley. He was the head of Cloud Native security and Chief Technologist at McAfee Enterprise + FireEye. Vishwas joined McAfee Enterprise when his com...

Read more

Madhav Chablani Headshot Missing
Madhav Chablani
Consulting CIO, TippingEdge Consulting

Madhav Chablani

Consulting CIO, TippingEdge Consulting

This person does not have a biography listed with CSA.

Peter Campbell
Peter Campbell
Chief Information Security Officer, Cigna

Peter Campbell

Chief Information Security Officer, Cigna

Cloud Security Engineering leader responsible for security engineering and security innovation. Enables new and untried technologies, runs proof of concepts, designs and engineers security configurations and enables the business to leverage new technology safely. Led the creation of Cigna’s security assurance framework which ensures that the security vision is consistently executed. Current research focuses on the domains of sec...

Read more

Vani Murthy
Vani Murthy
Sr. Information Security Compliance Advisor, Akamai Technologies

Vani Murthy

Sr. Information Security Compliance Advisor, Akamai Technologies

Vani has 20+ years of IT experience in the areas such as Security, Risk, Compliance, Cloud services (IaaS/PaaS/SaaS) architecture

Read more

Ricardo Ferreira
Ricardo Ferreira
EMEA CISO

Ricardo Ferreira

EMEA CISO

This person does not have a biography listed with CSA.

John Wrobel Headshot Missing
John Wrobel

John Wrobel

This person does not have a biography listed with CSA.

Shobhit Mehta
Shobhit Mehta

Shobhit Mehta

Shobhit Mehta is a distinguished professional with over 12 years of expertise in Governance, Risk, Compliance, and Privacy frameworks, with notable experience in the security and privacy domains. His illustrious career has seen him contribute significantly to organizations such as PayPal, HSBC, Deutsche Bank, Credit Suisse, and Fidelity Investments, where he played pivotal roles in ensuring the integrity and security of critical systems and...

Read more

John Kinsella Headshot Missing
John Kinsella

John Kinsella

This person does not have a biography listed with CSA.

Elisabeth Vasquez Headshot Missing
Elisabeth Vasquez

Elisabeth Vasquez

This person does not have a biography listed with CSA.

Brad Woodward Headshot Missing
Brad Woodward

Brad Woodward

This person does not have a biography listed with CSA.

David Hadas Headshot Missing
David Hadas

David Hadas

This person does not have a biography listed with CSA.

Akshay Mahajan Headshot Missing
Akshay Mahajan

Akshay Mahajan

This person does not have a biography listed with CSA.

Anil Karmel
Anil Karmel
CEO, C2 Labs

Anil Karmel

CEO, C2 Labs

Anil Karmel is the Co-Founder and CEO of RegScale, which helps organizations start and stay compliant via the world's first real-time GRC platform. Formerly, Anil served as the National Nuclear Security Administration's (NNSA) Deputy Chief Technology Officer. Karmel began his government career as a Technical Staff Member of Los Alamos National Laboratory (LANL) and was responsible for inventing their cloud and collaboration technologies Kar...

Read more

Alex Rebo Headshot Missing
Alex Rebo

Alex Rebo

This person does not have a biography listed with CSA.

Dr. Vrettos Moulos
Dr. Vrettos Moulos

Dr. Vrettos Moulos

Dr. Vrettos Moulos is a senior research software engineer in Institute of Communication and Computer Systems in Greece. He holds a PhD in secure microservice architecture patterns from the School of Electrical and Computer Engineering of the National Technical University of Athens (NTUA).

He has been a member, for more than 10 years, of software development teams creating mission critical applications (rule-based decision systems, sec...

Read more

Abhishek Vyas
Abhishek Vyas
Head of Security Consultancy and Architecture

Abhishek Vyas

Head of Security Consultancy and Architecture

I have been working in Cybersecurity for over 10 years, and have been working on large scale multi-cloud programs in the Software and Finance industries over that period. I deliver business value through robust, scalable, fit for business cybersecurity, by establishing new ways of working to help the business to innovate. Challenging the status quo to help remove inertia, and ensuring that cybersecurity remains relevant and mea...

Read more

Eric Matlock Headshot Missing
Eric Matlock

Eric Matlock

This person does not have a biography listed with CSA.

Raja Rajenderan Headshot Missing
Raja Rajenderan

Raja Rajenderan

This person does not have a biography listed with CSA.

Namrata Kulkarni
Namrata Kulkarni
Cyber Security Architect

Namrata Kulkarni

Cyber Security Architect

This person does not have a biography listed with CSA.

Marina Bregkou
Marina Bregkou
Senior Research Analyst, CSA EMEA

Marina Bregkou

Senior Research Analyst, CSA EMEA

This person does not have a biography listed with CSA.

Amit Bendor Headshot Missing
Amit Bendor

Amit Bendor

This person does not have a biography listed with CSA.

Are you a research volunteer? Request to have your profile displayed on the website here.

Interested in helping develop research with CSA?

Join this Working Group
View all Working Groups

Related Certificates & Training