Navigating Compliance in a Serverless World

It may be obvious that running a ‘serverless’ environment reduces your operational responsibilities.

But how does running a fully serverless environment (where applications run on managed compute services, databases, and object storage services) impact security and compliance? This article explains how the Shared Responsibility Model shifts when you go serverless.

Serverless – Security Relief

Utilizing managed services shifts the accountability for several key controls:

  • Server encryption – there are no servers to encrypt (and you can’t encrypt a Lambda, now can you)
  • Anti-virus software – a favorite compliance gotcha; anti-virus software is handled by the service provider
  • Asset inventory – you still have a responsibility to track all the different information assets that store or process your data, but you can now rule out ‘servers’ or even ‘VMs’ from that inventory
  • Backups – you no longer need to worry about backing up a whole set of server configs, which in the past might have been a core part of your availability plan; now it is handled by the service provider
  • Security monitoring – with no servers of your own to monitor, there is less log data for you to sort through

To name a few!

Serverless – Compliance Evolution

So how does compliance deal with this shift in security?

Of course, the need for these controls doesn’t just disappear.

So now, your responsibility shifts from performing all those controls to including those elements in your vendor due diligence. You need to make sure that in your annual vendor security reviews, you review all of these controls so you can be comfortable that the service providers you work with are performing them.

Each compliance framework has its own way of dealing with these controls. In the SOC 2 framework, for example, in addition to a control on vendor due diligence, the report would show the controls as Complementary Subservice Entity Controls (also known as “carve-outs”). This allows the relevant criteria to be fully supported, while properly assigning responsibility to a third party.

Embracing Change

So let’s avoid the temptation to say that serverless changes nothing (it decreases your workload significantly), and equally the temptation to say that it makes compliance vanish (it’s still there, it just looks different). Instead, let’s reap the advantages of this great service offering in a responsible way.
