How to Design a Secure Serverless Architecture 2021
Who it's for:
  • application developers  
  • security professionals  
  • CISOs  
  • system and security administrators  
  • information system security officers  

Release Date: 09/14/2021

Working Group: Serverless

This is an old version of the document. Check out the 2023 version here.

Like any solution, serverless computing brings with it a variety of cyber risks. This paper provides best practices and recommendations for securing serverless applications. It offers an extensive overview of the different threats, focusing on the application owner risks that serverless platforms are exposed to and suggesting the appropriate security controls.

The document assumes that readers have some knowledge of coding practices, some security and networking expertise, and familiarity with application containers, microservices, functions, and agile application development.

Key Takeaways: 

  1. What is Serverless
  2. Advantages and benefits of serverless architecture
  3. Shared responsibility model for serverless
  4. Security design, controls and best practices
  5. Kubernetes security best practices 
  6. CI-CD pipelines, Function Code, Code scans and policy enforcement for Functions and Containers    
  7. Compliance and governance for serverless

Acknowledgements

Peter Campbell
Senior Director of Cloud Security, Cigna

Peter Campbell is Senior Director of Cloud Security at The Cigna Group—a Fortune 100 global health leader—where he architects and operationalizes security across cloud, network, and IoT environments (AWS, Azure, OCI, hybrid). Within the Cloud Security Alliance, he contributes to the Health Information Management Working Group and the CxO Trust Advisory Council, driving strategic policy-as-code governance frameworks and pi...

Ricardo Ferreira
EMEA CISO

Aradhna Chetal
Senior Director Executive- Cloud Security

Aradhna serves as a Senior Director Executive- Cloud Security at TIAA, a financial services company. She is responsible for the cloud security vision, strategy, standards, and security patterns for a multi-cloud hybrid enterprise, and for engineering security solutions to support that vision. Aradhna has worked in various Cybersecurity leadership roles at JP Morgan Chase, Boeing Company, Microsoft & T-Mobile.

Aradhna is an active member in the cy...

Vishwas Manral
Founder at Precize Inc & Fellow at Cloud Security Alliance

Vishwas is the Founder at Precize Inc, a stealth Cloud and AI security startup. Vishwas is also the co-chair of CSA’s Serverless Working Group and the Chair of Cloud Security Alliance in Silicon Valley. He was the head of Cloud Native security and Chief Technologist at McAfee Enterprise + FireEye. Vishwas joined McAfee Enterprise when his com...

Madhav Chablani
Consulting CIO, TippingEdge Consulting

Vani Murthy
Sr. Information Security Compliance Advisor, Akamai Technologies

Vani has 20+ years of IT experience in areas such as Security, Risk, Compliance, Cloud services (IaaS/PaaS/SaaS) architecture

Marina Bregkou
Principal Research Analyst, Associate VP

Amit Bendor

John Wrobel

Shobhit Mehta

Shobhit Mehta is a distinguished professional with over 12 years of expertise in Governance, Risk, Compliance, and Privacy frameworks, with notable experience in the security and privacy domains. His illustrious career has seen him contribute significantly to organizations such as PayPal, HSBC, Deutsche Bank, Credit Suisse, and Fidelity Investments, where he played pivotal roles in ensuring the integrity and security of critical systems and...

John Kinsella

Elisabeth Vasquez

Brad Woodward

David Hadas

Akshay Mahajan
Senior Manager, Wayfair

Anil Karmel
CEO, C2 Labs

Anil Karmel is the Co-Founder and CEO of RegScale, which helps organizations start and stay compliant via the world's first real-time GRC platform. Formerly, Anil served as the National Nuclear Security Administration's (NNSA) Deputy Chief Technology Officer. Karmel began his government career as a Technical Staff Member of Los Alamos National Laboratory (LANL) and was responsible for inventing their cloud and collaboration technologies Kar...

Alex Rebo
Enterprise Security Architect

20+ years of Information Security / Assurance, Risk Management in private and public sectors.

CEA, PMP, CISSP, CCSP, ITIL, AWS CSA-A

Dr. Vrettos Moulos

Dr. Vrettos Moulos is a senior research software engineer at the Institute of Communication and Computer Systems in Greece. He holds a PhD in secure microservice architecture patterns from the School of Electrical and Computer Engineering of the National Technical University of Athens (NTUA).

He has been a member, for more than 10 years, of software development teams creating mission critical applications (rule-based decision systems, sec...

Abhishek Vyas
Head of Security Consultancy and Architecture

I have been working in Cybersecurity for over 10 years, and have been working on large scale multi-cloud programs in the Software and Finance industries over that period. I deliver business value through robust, scalable, fit for business cybersecurity, by establishing new ways of working to help the business to innovate. Challenging the status quo to help remove inertia, and ensuring that cybersecurity remains relevant and mea...

Eric Matlock

Raja Rajenderan

Namrata Kulkarni
Cyber Security Architect
