Serverless computing has revolutionized cloud application deployment by abstracting the underlying infrastructure management, allowing developers to focus solely on writing code. AWS Lambda [1], Azure Functions [2], and Google Cloud Functions [3] are leading platforms in this domain, offering a variety of features and integrations that cater to diverse application requirements. The allure of serverless computing lies in its ability to automatically scale, handle complex workflows, and reduce operational overhead, making it an attractive choice for modern applications. However, as these platforms gain popularity, the importance of understanding their security and compliance capabilities becomes paramount [4].
In a traditional server-based environment, developers and system administrators are responsible for securing the operating system, network, and application layers. With serverless computing, these responsibilities shift to the cloud service provider, introducing a shared responsibility model [5]. This model necessitates a comprehensive understanding of the security measures [6] implemented by the cloud providers and the best practices developers must follow to ensure robust security. The shift in responsibility underscores the need for a detailed examination of how each platform addresses security concerns, including data encryption, access control, and compliance with regulatory standards. This understanding is crucial because serverless functions often handle sensitive data and perform critical operations, making them attractive targets for malicious actors [6].
To provide a structured and objective comparison, this research employs the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) [7] as a benchmarking framework. The CSA CCM is a comprehensive set of security controls tailored to cloud computing, offering a robust standard for assessing the security posture of cloud services. Using the CSA CCM [8], this study examines key security aspects, including authentication and authorization mechanisms, data encryption practices, vulnerability management, compliance certifications, and logging and monitoring capabilities across AWS Lambda, Azure Functions, and Google Cloud Functions. This approach ensures a thorough and consistent evaluation, highlighting the strengths and weaknesses of each platform and providing valuable insights for organizations considering serverless architectures. Understanding the security and compliance landscape of these platforms is essential for making informed decisions and maintaining high security standards in serverless applications [9].
A. AWS Lambda
AWS Lambda is the serverless computing service provided by Amazon Web Services (AWS). It allows developers to run code without provisioning or managing servers, automatically scaling applications in response to incoming requests [10].
B. Azure Functions
Azure Functions is Microsoft Azure's serverless computing service, enabling developers to execute code in response to various events without worrying about the underlying infrastructure, thus facilitating easy integration with other Azure services.
C. Google Cloud Functions
Google Cloud Functions is Google Cloud Platform's (GCP) serverless execution environment, allowing developers to create event-driven functions that automatically scale based on demand, integrating seamlessly with other GCP services.