AWS, Azure, and Google Cloud are the three global cloud computing giants, and deservedly so. Each platform provides customers with different security tools and functions to protect their cloud assets. Public cloud security is built on the concept of shared responsibility: the large cloud service providers deliver secure hyperscale environments, but it is the customer’s responsibility to protect everything pushed to the cloud. For enterprises, this split of security responsibilities is troublesome enough with a single cloud provider, and even more complicated in a multi-cloud environment.
How do Amazon AWS, Microsoft Azure and Google Cloud differ in the way they provide a secure and resilient cloud platform, and which provider offers the best native tools to protect cloud assets? Few experts would dispute that all hyperscale service providers are good at securing their cloud platforms; after all, delivering a secure environment is at the heart of their business model. Unlike budget-constrained businesses, cloud service providers seem to have unlimited resources. They have the technical expertise, and, as Doug Cahill, senior analyst at the Enterprise Strategy Group (ESG), puts it, “given that they operate globally, with countless availability zones and points of presence, and see a myriad of malicious activity, they can build their own strong defenses with this level of visibility.”
While the Big Three tend to keep their internal processes and procedures secret, they have done an excellent job on the physical security of their data centers, on defending against insider attacks, and on securing the virtualization layer that underpins the operation of applications and development platforms.
All three expose more services through APIs and try to reduce the confusion or friction associated with the shared responsibility model. “Each of these platforms provides a calling interface,” Mogull said. “The problem for enterprises is figuring out where the exact lines of code are and deploying security broadly across multiple cloud platforms.”
However, there are some differences between the Big Three, and they relate to their relative market shares. AWS has the largest share at 31%. Azure is trying to catch up and is currently second with a 20% market share. According to the 2020 cloud service revenue analysis released by the analyst firm Canalys, the newer entrant Google has a 7% market share, a distant third.
Amazon Web Services (AWS)
AWS is the oldest and most established cloud service provider. “As the dominant provider, AWS’s greatest strength is the wealth of knowledge and tools at its disposal, making it relatively easy to get answers, find help and find support tools,” Mogull said. “It’s all built on the platform’s superior overall maturity and scale.”
Amazon’s shared-responsibility security model states that the company is responsible for the security of the underlying cloud infrastructure, while subscribers are responsible for securing the workloads they deploy on it. Specifically, the customer is responsible for:
- Protecting customer data
- Protecting platforms, applications and operating systems
- Implementing identity and access management (IAM)
- Configuring the firewall
- Encrypting client-side data, the server-side file system, and network traffic
AWS provides customers with a number of security services, including:
- API activity monitoring
- Basic threat intelligence
- Web application firewall (WAF)
- Data leakage prevention
- Vulnerability assessment
- Security event triggers for automation
AWS also does a good job of default security configuration.
Mogull adds, “The two best things about AWS security features are their particularly good implementation of security groups (firewalls) and fine-grained IAM.” However, AWS security is based on isolating services: there is no access between services unless it is explicitly authorized. This works well from a security standpoint, but at the cost of making enterprise-wide management harder and IAM more difficult to manage at scale. “Despite these limitations, AWS is often the cloud platform of choice, and most security issues can be avoided by using AWS.”
Microsoft Azure
Microsoft Azure employs a similar shared-responsibility model. For example, in an infrastructure-as-a-service (IaaS) scenario, customers are responsible for data classification and auditing, client and endpoint protection, identity and access management, and application-level and network-level controls. Mogull said that Azure is only slightly less mature than AWS, especially in terms of consistency and documentation, and that the default configuration of many services is really not secure enough.
Azure also has some advantages, however. Azure Active Directory connects to the enterprise’s Active Directory to provide a single source of truth for authorization and rights management, meaning that all transactions can be managed from a single directory. The trade-off is that management is easier and more consistent, but environments are less isolated and less protected from each other than they are in AWS. Another trade-off: Azure’s identity and access management is layered from the start and easier to manage than AWS’s, but AWS’s is more granular.
For enterprise users, Azure has two other important features. By default, the activity log covers console and API activity across all of the enterprise’s regions. Additionally, the Azure Security Center management console is enterprise-wide and can be configured so that local teams manage their own alerts.
Google Cloud
Google Cloud is built on Google’s impressive long-term engineering and global operations. Google’s solid built-in security tools include:
- Cloud data leakage prevention
- Key management
- Asset inventory
- Encryption
- Firewall
- Shielded VMs
Google Security Command Center provides centralized visibility and control, enabling customers to discover misconfigurations and vulnerabilities, monitor compliance and detect threats. Through the acquisition of Stackdriver (now expanded and renamed Google Cloud Operations), Google has introduced a best-in-class monitoring and log analysis product. Google also provides identity and access controls through its BeyondCorp Enterprise zero-trust platform.
However, Google’s 7% market share is a problem: there are fewer security experts with deep Google Cloud experience, the community is less robust, and fewer tools are available. But Google Cloud provides strong centralized management and default security configuration, which are important considerations. Overall, Google Cloud is not as mature as AWS, nor does it have the same breadth of security features.
Internal training and skills are key
Hyperscale service providers give enterprises best practices, guidance, native controls, tools, visibility into traffic logs, and even alerts about misconfigurations, but “subscribers who want to protect all their assets in the cloud must take responsibility for adhering to best practices, responding to alerts and implementing appropriate controls.”
This means an ongoing responsibility for enterprises to carefully manage access controls, monitor their cloud environments for security threats, perform regular penetration testing, and train employees in depth on cloud security best practices.
It’s important to build in-house expertise on each public cloud. The three big mistakes businesses make when implementing cloud security are:
(1) Believing that cloud security is similar to current security practices in one’s own data center or private cloud. In reality, every platform is fundamentally different. On the surface it looks as though everything works the same way, but it does not when you look deeper. Businesses must develop a deep understanding of the technology platforms they use in order to succeed in the cloud; without the corresponding technical skills and understanding, there is no chance of success.
(2) Migrating to a multi-cloud environment before you are ready. If a company wants to move to three clouds, it must first develop appropriate in-house expertise for all three. It is best not to move to the cloud too fast, and to accumulate enough expertise on one cloud before jumping to the next.
(3) Not focusing on governance. Most data breaches involving cloud environments involve lost or stolen credentials and ultimately boil down to governance failures.
Cahill agrees. Outsourcing a data center to a third party introduces a level of abstraction: you actually consume the service by interacting with its APIs. The main types of mistakes enterprises make are misconfiguring cloud services, misconfiguring object storage (leaving S3 buckets open), and leaving credentials or API keys in public repositories. Cloud consoles are also often protected by weak passwords rather than multi-factor authentication.
To protect enterprise data in the cloud, here are some suggestions:
- Become proficient in the cloud security shared responsibility model; understand what its principles are.
- Emphasize hardening cloud configurations.
- Enforce least-privilege access for human and non-human cloud identities.
- Automate, so that security keeps pace with DevOps; integrate security automatically across the application lifecycle.
- Ensure security implementations are repeatable across teams; large enterprises have multiple project teams, each implementing its own security controls.
- Take a top-down approach to unify security policies across all project teams.
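Two of the failure modes named above, an S3 bucket opened to the public and an identity granted far more than least privilege, can be caught by reading the policy documents themselves before they are applied. The following is an added example, not code from the article or from any of the providers; it audits AWS policy JSON offline, and the bucket name, account ID and role name in the constructed samples are placeholders.

```python
import json

def _as_list(value):
    # Action, Resource and Principal["AWS"] may be a single string or a list
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal) -> bool:
    # True when the Principal element admits anyone: "*" or {"AWS": "*"}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def public_statements(policy: dict) -> list:
    # Sids of Allow statements usable by anyone on the internet
    # (anonymous principal with no Condition narrowing the grant)
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))
            and not s.get("Condition")]

def overbroad_statements(policy: dict) -> list:
    # Sids of Allow statements pairing a wildcard action with a wildcard resource
    found = []
    for s in policy["Statement"]:
        actions = _as_list(s.get("Action", []))
        resources = _as_list(s.get("Resource", []))
        if (s.get("Effect") == "Allow" and "*" in resources
                and any(a == "*" or a.endswith(":*") for a in actions)):
            found.append(s.get("Sid", "<no Sid>"))
    return found

# Constructed sample: a bucket policy that exposes every object to the public.
OPEN_BUCKET = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}''')

# Constructed sample: the same bucket limited to one application role (least privilege).
SCOPED_BUCKET = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Sid": "AppRead", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}''')

# Constructed sample: an identity policy that grants every action on every resource.
ADMIN_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
```

Running the two checks over every bucket and identity policy in a deployment pipeline turns the shared-responsibility items above into a repeatable gate rather than a manual review.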