Azure Functions is an automated developer tool hosted in Microsoft Azure. It is a fully managed, on-demand service that requires no additional skills or training to use: you simply deploy the function and execute your job. Functions are serverless tasks that respond automatically to an event; triggers such as a change in a data stream or a message arriving on a queue can spawn an intelligent response from Azure.
It is important to ensure that any public Azure resources are well protected, especially when running Function Apps. Because of the way Function Apps are used, robust security is critically important, particularly when a Function App is pushing or pulling data to and from local resources.
In this article, we will discover what an Azure Function is and how it works, and why enforcing cloud-native security is critical for Function Apps to mitigate risk and improve your business’s cloud security posture.
Azure Functions presents developers with a cloud platform to write and natively execute code. Code is processed near-instantly using the Azure Serverless Functions compute offering. There is no need to worry about infrastructure hosting with Azure Functions, and there is no requirement to have your own server to test code. Best of all, you are only charged when the code is running.
Azure Functions can be created directly in the Azure Portal or integrated into your favorite development tools such as Visual Studio, IntelliJ, or PyCharm. An Azure function is intended to be short-lived and will typically only run for a few seconds or minutes. Users simply create the Function App, configure the environment and run the job. The Azure Cloud Platform handles everything else and lets you set quotas to keep on top of your billing.
Azure serverless functions present a browser-based interface to the user and support most popular programming languages, including C#, Java, Python, PHP, Bash, PowerShell, and many more.
Azure Functions integrates directly with cloud-native third-party apps such as Twilio, Facebook, and Twitter, and directly with core Azure services such as Azure compute, database, and storage services. This gives the user the power to automate tasks and trigger multiple jobs directly from the function output.
Azure Functions executes in a serverless computing environment: under the hood, Microsoft provides an extensive and highly available cloud infrastructure to run the Function App, spanning a vast global platform across multiple regions. Security is very important for unattended serverless workloads, and the code you run in them must be secured accordingly. Always remember that it is the customer's responsibility to secure cloud assets.
Azure Functions is all about event-driven actions automatically invoked by a trigger. Triggers are central to Azure Functions, and they can be fired from a wide range of sources such as data sources, logs, and events, so it is critical to have security in place that restricts the environment to approved sources only.
For example, consider an HTTP request (HttpTrigger): it should be accepted only when it is authenticated as coming from an authorized source, such as an ERP endpoint or a specific web page URL. Triggers can also run on a personalized schedule as part of a cron job, or at a predefined time, using a TimerTrigger.
Events are popular triggers and can be invoked from various sources such as Azure Storage queues, Azure Event Grid, and Event Hubs. Triggers also work from message queues; the messages could be anything from online website orders to intelligent responses to marketing emails.
Functions typically follow very simple, repeatable processes. When the code is executed, Azure Functions passes its result to an output binding that executes the next task in the workflow, which in turn may execute another task. The output binding used depends on the type of Azure Function, but the most common outputs are webhooks, alerts, and logging.
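As an added example that is not part of the original article, the following function.json shows how the trigger and output-binding model above is expressed for an HTTP-triggered function whose result is queued for the next task. The `authLevel` of `function` requires a valid function key on every request; `anonymous` would accept any caller and is the weak setting to avoid. The route, queue name and binding names are assumptions chosen for illustration; `AzureWebJobsStorage` is the Functions host's default storage connection setting.

```json
{
  "bindings": [
    {
      "type": "httpTrigger",
      "direction": "in",
      "name": "req",
      "authLevel": "function",
      "methods": [ "post" ],
      "route": "orders"
    },
    {
      "type": "http",
      "direction": "out",
      "name": "$return"
    },
    {
      "type": "queue",
      "direction": "out",
      "name": "outputQueueItem",
      "queueName": "order-processing",
      "connection": "AzureWebJobsStorage"
    }
  ]
}
```

A function key is a shared secret, so in practice it is paired with App Service authentication or network restrictions on the Function App rather than relied on alone.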
The serverless nature of Azure Functions introduces several key features that integrate seamlessly with fundamental Azure services. These include:
Azure Functions is widely adopted in small, medium, and large businesses, and here’s why:
Testing: Triggers can be configured to run tests against each stage of the build, build any associated Azure infrastructure, and deploy the Function App.
Securing Azure Functions is incredibly important because an incorrectly configured Function App can do a lot of damage. It’s also likely that the number of Function Apps deployed across your Azure accounts will grow significantly, making them difficult to manage. Check Point has partnered with Microsoft to provide the Check Point CloudGuard Network Security suite that can dynamically secure, monitor, and interact with Azure Functions.
The Check Point CloudGuard Workload protection plugin interacts directly with an Azure Function App. The plugin has some incredible features, and all you have to do is enable it when deploying the Function App. During the deployment process, CloudGuard Workload runs a Proact process that performs an initial risk assessment, checking for security risks such as hardcoded credentials, function formatting, white spaces, etc.
Next, the runtime protection module is loaded into the function. The Function Self-Protection (FSP) tool is how Check Point CloudGuard interacts with the Function, by creating an abstraction layer. With the FSP you can protect inputs using a workload firewall that scans for malicious payloads, detects anomalous behavior, and maintains an allowlist of expected deviations in the Function's behavior.
Everything about your Functions is available on the CloudGuard console, a single pane of glass that gives you a holistic view of everything you need to know about your Azure Function App. Diagrams show which services the Function touches, and runtime protection scans all workloads and alerts on potential risks such as overly permissive rules, security vulnerabilities, and unexpected behaviors. The console even provides the user with a suggested remediation page explaining how to fix any issues in code.
For anyone who uses Amazon Web Services, you will be glad to know that the Cloud Workload Protection Platform (CWPP) also works with AWS Lambda (Amazon’s equivalent to Azure Functions). The protections offered are identical, giving customers improved visibility and security controls over Functions operating across data centers, AWS, Azure Stack, Hybrid clouds, and secure virtual networks.
AWS Lambda and Azure Functions are growing in popularity, which is why you don't want to take any risks with the security of Function Apps. Combine the security controls built into the AWS and Azure consoles with Check Point CloudGuard to get the very best security abstraction layer: protect the code and intelligently monitor all serverless activity.
Want to know more about securing an Azure Function or AWS Lambda? Schedule a demo to see CloudGuard’s impressive granular security features in action, protecting workloads from the second you deploy to the cloud.