The cloud platforms of Amazon, Microsoft and Google offer different security tools and features. An overview. […]
Security in the public cloud is based on the concept of shared responsibility: the largest cloud service providers provide a secure, scalable environment, but it is the customer’s responsibility to protect the data they put in the cloud. This division of responsibilities can be a challenge for companies moving to the cloud, which is even more potent in the case of a multi-cloud environment.
For CISOs, the main challenge is to compare the offerings of the three major hyperscaler Amazon Web Services (AWS), Microsoft and Google and to work out the differences. This regularly revolves around the question: Which provider offers the best native tools for protecting cloud resources?
When it comes to protecting the cloud itself, all hyperscalers do a good job, according to experts, because providing a secure cloud environment is at the core of their business model. The cloud providers seem to have unlimited resources. “Because of their global presence, they observe a variety of malicious activities on a daily basis. This enables hyperscalers to strengthen their defenses based on this information,” said Doug Cahill, senior analyst at Enterprise Strategy Group (ESG).
While the hyperscalers keep their internal processes and procedures under wraps, Richard Mogull, CEO of Securosis, believes they do an excellent job of physically protecting their data centers, securing the virtualization layer on which applications and development platforms run, and fending off intruders. “Nevertheless, each of these platforms also has a catch. The challenge is to implement security across multiple clouds,” says Mogull.
AWS is the oldest and most mature of the cloud hyperscalers. “The biggest advantage of AWS is that it has a lot of knowledge and tools. This makes it much easier to find and use support and tools. Added to this is the scale of the platform,” says Mogull.
Amazon’s shared responsibility security model states that the company is responsible for the security of the underlying cloud infrastructure, while the customer is responsible for securing the workloads deployed in the cloud. Specifically, this results in the following responsibilities for AWS customers:
- Protection of customer data
- Securing platforms, applications and operating systems
- Implementation of Identity and Access Management (IAM)
- Configuration of firewalls
- Encryption of client-side data, server-side file systems and network traffic
AWS provides a wide range of services to its customers and also does a good job when it comes to standard configurations:
- Monitoring of API activity
- Basic threat information
- Web application firewalls (WAFs)
- Protection against data leaks
- Risk assessment
- Security event triggers for automation
“Two of AWS’s best security features are the implementation of firewalls and granular IAM,” says Mogull. The security of AWS is based on the isolation of the individual services (unless access is explicitly granted). This works well from a security perspective, but has the disadvantage that it makes administration at the company level more difficult. “Despite these limitations, Amazon Web Services is usually the best starting point for the cloud, as you can expect few security issues there,” says the CEO.
Microsoft Azure is based on a similar shared responsibility model to AWS. For example, in an IaaS scenario, the customer is responsible for:
- Data classification,
- Client and Endpoint Protection,
- Identity and access management, and
- Application and network level controls.
According to Mogull, Azure lags behind AWS in terms of maturity, especially in terms of consistency and documentation. Add to this the fact that many services have less secure configurations by default.
However, Azure also has some advantages: Azure Active Directory can be linked to the company’s Active Directory to provide a “single source of truth” for access management. “With Azure, management is simpler and more consistent compared to AWS, but the environments are far less isolated and thus less protected. Azure’s identity and access management is inherently very hierarchical and easier to manage than AWS, but Amazon Web Services offers more settings,” says Mogull.
Azure comes with two other features that are important for enterprise users: activity logs cover console and API activity for the entire enterprise by default, and the same applies to the management console of the Azure Security Center, which can be set up so that local teams manage their own alerts.
Google Cloud provides solid onboard security tools, such as:
- Protection against data loss in the cloud
- Key management
- Asset Inventory
- Protected Virtual Machines
The Google Security Command Center provides centralized control for customers. It enables misconfigurations, vulnerabilities and threats to be detected and compliance policies to be monitored. Through the acquisition of Stackdriver (now renamed Google Cloud Operations), Google is able to offer first-class monitoring and log analysis. In addition, identity and access controls are also available through the BeyondCorp Enterprise Zero Trust platform.
“However, Google’s comparatively low market share of seven percent is a problem because there are fewer security professionals with deep Google cloud experience. This translates into a less robust community and a smaller number of tools,” says Mogull. Although Google Cloud offers strong centralization and secure preconfigurations, overall the offering is less mature than that of Amazon Web Services and covers a narrower range of security features, according to the expert.
No matter which hyperscaler you choose, the associated security responsibilities cannot be circumvented. Building in-house expertise is important in any public cloud, Mogull said. There are three critical mistakes companies make when implementing cloud security:
- Treating cloud security like security in your own data center or private cloud. Every platform is different: on the surface things look familiar, but under the hood they are not. Companies need to build a deep understanding of the technology platform to succeed in the cloud.
- Moving to a multi-cloud world before the company is ready. If a company wants to enter three clouds, it needs to build the internal expertise for all three environments. The better way is to shift down a gear and first build expertise in one cloud environment before jumping to the next.
- Lack of focus on governance. Most breaches in the cloud are related to lost or stolen credentials.
According to ESG analyst Cahill, cloud consoles are all too often protected by weak passwords, and in many cases multifactor authentication is not used at all. The expert gives the following recommendations on how to protect corporate data in the cloud:
- Familiarize yourself with the shared responsibility model for cloud security and understand where the limits are.
- Focus on secure cloud configurations.
- Implement least privilege access for all cloud identities.
- Use automation to help security keep up with DevOps. Ultimately, security should be integrated automatically across the entire application life cycle.
- Ensure that security implementations can be repeated across teams. Large companies in particular have many project teams, each implementing its own security controls.
- Adopt a top-down approach to ensure consistent security policies across all project teams.
This post is based on an article from our US sister publication CSO Online.
* Neal Weinberg writes as a freelance writer for our US sister publication Network World, among others.