Growlithe: A Developer-Centric Compliance Tool for Serverless Applications

Abstract

Serverless applications consist of functions written in heterogeneous programming languages, use diverse data stores and communication services, and evolve rapidly. Consequently, it is challenging for serverless tenants to protect their application data from inadvertent leaks due to bugs, misconfigurations, and human errors. Cloud security tools, such as Identity and Access Management (IAM), lack observability into a tenant’s application, whereas the state-of-the-art dataflow tracking tools require support from the cloud platform and incur significant runtime overheads. We present Growlithe, a tool that integrates with the serverless application development toolchain and enables continuous compliance with data policies by design. Growlithe allows declarative specification of access and data flow control policies over a language- and platformindependent dataflow graph abstraction of a serverless application, and enforces these policies through a combination of static analysis and runtime enforcement. We used Growlithe with applications using Python and JavaScript functions that can be hosted on AWS Lambda and Google Cloud Functions platforms. We empirically demonstrate that Growlithe is crosscutting, portable and efficient, and enables developers to easily adapt their application and policies to evolving requirements.