How Request Pricing Affects Security

Request-based pricing also has a big impact on application security. Modern server-side applications usually run some kind of a gatekeeper process to control user requests and dispatch work. That process needs access to all the back-end services and all the databases and all the resources. It’s possible to secure such processes tightly, but it’s a big hassle. Most web servers usually run with database privileges that provide full access to everything. If someone breaks into that process, the gates are completely open. With serverless deployments, security is much easier to control. Because there is no financial incentive to bundle tasks into a single application to reuse resources, each Lambda function can do a focused task and work under significantly restricted access privileges. It becomes easy to apply the principle of least privilege, allowing a task to only access the resources and information required for its purpose. This helps with reducing the security blast radius in case of vulnerable third-party dependencies or hacks.

Example: Security vulnerability in Intel processors #

With pricing focused on requests, applications tend to be optimised for transient environments and dynamic infrastructure. The infrastructure provider can easily remove and replace underlying systems without interrupting application work. This has major implications for security patches. One day in August 2018, we got an email from a concerned client’s IT administrator. He was asking about our plans to mitigate a security vulnerability in Intel processors, something that had hit the news the previous night. I pasted the security bulletin reference into Google to find out more details about the problem, and one of the first results was Amazon’s announcement that Lambda was already patched. We didn’t have to do anything. Because the service provider takes care of containers, it was able to easily drain traffic from old versions, send new requests to patched containers, and just manage the whole thing for us.

In the next lesson, you’ll see how request pricing affects product decisions.