There are many different levels to application security. When running in a traditional data center, you are responsible for the entire security stack, top to bottom. When running in the public cloud, you move towards a shared responsibility model with your cloud vendor, where part of the security controls are handled by the vendor.
The different layers of security can be viewed as the following list:
- Physical
- Host infrastructure
- Networking
- Application level:
  - Authentication and authorization
  - Code quality
- Data encryption:
  - Encryption in transit
  - Encryption at rest
- Managing keys and secrets
- Administrative access
The level of responsibility of the cloud provider versus the client depends on the hosting model you are using: IaaS, PaaS, or SaaS. IaaS requires the highest involvement on the client's part, and SaaS requires the least. This chapter will review security controls in the context of serverless computing, which is a part of the PaaS family.