Zero Trust Security Framework for Serverless Web Applications
摘要
Serverless web applications are elastic and economically viable, yet challenging because of the transient runtime, broad event surface, and API first exposure. These characteristics make it necessary to have identity driven, request level security controls over perimeter-based security. In this essay, a productive-grade, adaptive, and highly secure architecture is proposed for serverless APIs, utilizing OAuth 2.0, short lived JSON Web Tokens (JWTs), and claims-based Role-Based Access Control (RBAC) validation that is adaptive and contextually aware. In this architecture, continuous verification is ensured through the validation of token signatures, lifetimes, and audiences, in addition to route level RBAC and rate limiting, and geolocation/IP reputation checks. Methods of enforcement include gateway focused validation, distributed token revocation, and lockout through telemetry, as well as reauthentication through anomaly detection, and mitigating serverless characteristics such as cold starts and latency budgets. Important outcomes include the fact that token validation at the level of each request, in addition to adaptive rate limiting and token refresh rotation, can substantially lower the threats of token replay and brute-force attacks without impacting the low latency performance that is expected in serverless environments.