What is Azure Functions?

Azure Functions is an automated developer tool hosted in Microsoft Azure. It is a fully managed, on-demand service that requires no additional skills or training to use: you simply deploy the function and execute your job. Functions run as serverless tasks that respond automatically to events; triggers such as a change in a data stream or data arriving on a message queue can spawn an intelligent response from Azure.

It’s important to ensure that any public Azure resources are well protected, especially when running Function Apps. Given the nature of a Function App, robust security is critical, particularly if the Function App pushes data to or pulls data from local resources.

In this article, we will discover what an Azure Function is and how it works, and why enforcing cloud-native security is critical for Function Apps to mitigate risk and improve your business’s cloud security posture.

Azure Functions Definition

Azure Functions presents developers with a cloud platform to write and natively execute code. Code is processed near-instantly using the Azure Serverless Functions compute offering. There is no need to worry about infrastructure hosting with Azure Functions, and there is no requirement to have your own server to test code. Best of all, you are only charged when the code is running.

Azure Functions can be created directly in the Azure Portal or integrated into your favorite development tools such as Visual Studio, IntelliJ, or PyCharm. An Azure function is intended to be short-lived and will typically only run for a few seconds or minutes. Users simply create the Function App, configure the environment and run the job. The Azure Cloud Platform handles everything else and lets you set quotas to keep on top of your billing.

Azure serverless functions present a browser-based interface to the user and support most popular programming languages, including C#, Java, Python, PHP, Bash, PowerShell, and many more.

Azure Functions integrates directly with cloud-native third-party apps such as Twilio, Facebook, and Twitter, and with core Azure services such as Azure compute, database, and storage services. This gives the user the power to automate tasks and trigger multiple jobs directly from the function output.

Azure Functions executes in a serverless computing environment. Under the hood, Microsoft provides an extensive and highly available cloud infrastructure to run the Function App, spanning a vast global platform across multiple regions. Security is very important for unattended serverless workloads, and the code you run in them must be secured. Always remember that it is the customer’s responsibility to secure cloud assets.

How Azure Functions work

Azure Functions is all about event-driven actions automatically invoked by a trigger. Triggers are central to Azure Functions and can originate from many different sources, such as data sources, logs, and events, so it’s critical to have security in place that restricts the environment to approved sources only.

For example, consider an HTTP request (HTTPTrigger): it should be accepted only if it comes from an authorized source such as an ERP endpoint or a specific web page URL. Triggers can also run on a custom schedule, as with a cron job, or at a predefined time using a TimerTrigger.
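The point about limiting HTTP triggers to authorized callers can be checked before deployment. The following Python example is added here and is not part of the original article or of any Check Point tooling: it audits the `bindings` in a function's `function.json` for HTTP triggers that accept unauthenticated or unrestricted requests. The function names and configurations are constructed samples.

```python
import json

# Constructed sample function.json contents (not taken from the article).
SAMPLE_CONFIGS = {
    "OrderWebhook": """{"bindings": [
        {"type": "httpTrigger", "direction": "in", "name": "req",
         "authLevel": "anonymous", "methods": ["get", "post"]},
        {"type": "http", "direction": "out", "name": "$return"}]}""",
    "ErpSync": """{"bindings": [
        {"type": "httpTrigger", "direction": "in", "name": "req",
         "authLevel": "function", "methods": ["post"]},
        {"type": "http", "direction": "out", "name": "$return"}]}""",
    "LegacyHook": """{"bindings": [
        {"type": "httpTrigger", "direction": "in", "name": "req"}]}""",
    "NightlyCleanup": """{"bindings": [
        {"type": "timerTrigger", "direction": "in", "name": "timer",
         "schedule": "0 0 2 * * *"}]}""",
}


def audit_bindings(raw_json):
    """Return findings for the HTTP triggers in one function.json document."""
    findings = []
    for binding in json.loads(raw_json).get("bindings", []):
        if binding.get("type", "").lower() != "httptrigger":
            continue  # timer/queue triggers are not invoked by URL
        level = binding.get("authLevel")
        if level is None:
            findings.append("authLevel not set explicitly")
        elif level.lower() == "anonymous":
            findings.append("authLevel is anonymous: no key required to invoke")
        if not binding.get("methods"):
            findings.append("no methods list: restrict to the verbs callers need")
    return findings


def audit_all(configs):
    """Map each function name to its findings, omitting clean functions."""
    report = {}
    for name, raw in configs.items():
        findings = audit_bindings(raw)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CONFIGS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

A key-based `authLevel` is a shared secret rather than caller identity, so this check is a baseline and does not replace network restrictions or identity-based authentication.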

Events are popular triggers and can be invoked from various sources such as Azure Storage queues, Azure Event Grid, and EventHubs. Triggers also work from message queues; this could be anything from online website orders to intelligent responses to marketing emails.

Functions typically follow very simple, repeatable processes. When the code is executed, Azure Functions creates an output binding that executes the next task in the workflow which, in turn, may execute another task. The output binding depends on the type of Azure Function being used, but the most common outputs are webhooks, alerts, and logging.

Azure Functions Features

The serverless nature of Azure Functions introduces several key features that integrate seamlessly with fundamental Azure services. These include:

  • Automated Event Response: The ability to create an automated response to an event is game-changing for productivity. Webhooks can trigger alerts for critical notifications or drive an intelligent response.
  • Trigger-based executions: Trigger-based executions save a huge amount of manpower and speed up innovation. You may no longer need Administrators to respond to frequent events and tasks manually.
  • Platform Agnostic: Azure Functions is cloud and platform agnostic, meaning that you can trigger events to another service in another cloud, and it can run on practically any platform including containers.
  • Support for all the major programming languages: Functions provide your developers with an entire toolset for creating, debugging, and deploying code in all the popular programming languages, including C#, Java, Python, and PowerShell, keeping your DevOps team happy.
  • Integration with Azure Services: Azure Functions natively integrate with a large proportion of Azure Services including Azure Blob Storage, Azure Cosmos DB, and Azure Virtual Machines.
  • Integration with 3rd Party Apps: It is common to find Azure Functions integrated to automatically log alert notifications, send cell phone notifications, and push data to tools like Slack and Twilio.

The Benefits Of Azure Functions

Azure Functions is widely adopted in small, medium, and large businesses, and here’s why:

  • Speed: Functions are fast and typically take only a few seconds to initialize, and usually finish executing within a few minutes depending on what the task is. 
  • Simplicity: There is no need to spin up a server to test your code as the serverless architecture does this for you. 
  • CI/CD friendly: Azure Functions work well in a CI/CD environment and can be programmed to build code automatically on demand. Jenkins integrates well, allowing you to trigger container builds, deploy code, build AMI, Kubernetes clusters, and so on.
  • Testing: Triggers can be configured to run tests against each stage of the build, build any associated Azure infrastructure, and deploy the Function App.

How To Secure Azure Functions

Securing Azure Functions is incredibly important because an incorrectly configured Function App can do a lot of damage. It’s also likely that the number of Function Apps deployed across your Azure accounts will grow significantly, making them difficult to manage. Check Point has partnered with Microsoft to provide the Check Point CloudGuard Network Security suite that can dynamically secure, monitor, and interact with Azure Functions.

The Check Point CloudGuard Workload protection plugin interacts directly with an Azure Function App; all you have to do is enable the plugin when deploying the Function App. During the deployment process, CloudGuard Workload runs a proact process that performs an initial risk assessment, checking for security risks such as hardcoded credentials, function formatting, white spaces, etc.

Next, the runtime protection module is loaded into the function. The Function-Self-Protection (FSP) tool is how Check Point CloudGuard interacts with the Function, by creating an abstraction layer. With the FSP you can protect inputs using a workload firewall that scans for malicious payloads, detects anomalous behavior, and builds an allowlist of expected deviations in the Function's behavior.

Everything about your Functions is available on the CloudGuard console, a single pane of glass that gives you a holistic view of everything you need to know about your Azure Function App. Diagrams show which services the Function touches, and runtime protection scans all workloads and alerts on potential risks such as overly permissive rules, security vulnerabilities, and unexpected behaviors. The console even provides the user with a suggested remediation page explaining how to fix any issues using code.

AWS Lambda Security With Check Point

For anyone who uses Amazon Web Services, you will be glad to know that the Cloud Workload Protection Platform (CWPP) also works with AWS Lambda (Amazon’s equivalent to Azure Functions). The protections offered are identical, giving customers improved visibility and security controls over Functions operating across data centers, AWS, Azure Stack, Hybrid clouds, and secure virtual networks.

AWS Lambda and Azure Functions are growing in popularity, which is why you don’t want to take any risks with the security of Function Apps. Combine the security controls built into the AWS and Azure console with Check Point CloudGuard to get the very best security abstraction layer. Protect the code and intelligently monitor all serverless activity.

Want to know more about securing an Azure Function or AWS Lambda? Schedule a demo to see CloudGuard’s impressive granular security features in action, protecting workloads from the second you deploy to the cloud.
