Security in the public cloud is based on the concept of shared responsibility: The largest cloud service providers deliver a secure, hyperscale environment, but it’s up to the customer to protect everything it puts into the cloud. This separation of duties can be tricky for enterprises when moving to a single cloud but becomes even more complicated in a multi-cloud environment.
The challenge for CISOs is determining how the Big 3 cloud services providers—Amazon AWS, Microsoft Azure, and Google Cloud—differ in the way they provide a secure and resilient cloud platform. Which provides the best native tools to help protect your cloud assets? How can you make
Experts agree that all the hyperscalers do an excellent job protecting the cloud itself. After all, delivering a safe, secure environment is core to their business model. Unlike budget-constrained enterprises, the cloud services providers seem to have unlimited resources. They have the technical expertise and, as Doug Cahill, senior analyst at Enterprise Strategy Group (ESG), points out, “Given their massive presence across the globe, all the availability zones, points of presence, dark fiber around the planet, they see an incredible volume of malicious activities every day, which puts them in a position to be able to fortify their defenses based on that level of visibility.”
While the Big 3 tend to keep their internal processes and procedures close to the vest, they all do an excellent job protecting the physical security of their data centers, defending against insider attacks, and securing the virtualization layer upon which applications and development platforms run, says Richard Mogull, analyst and CEO at Securosis.
Each of the Big 3 is exposing more services via APIs and trying to reduce any confusion or friction associated with the shared responsibility model. “The hooks are there in every one of these platforms,” says Mogull. The challenge for organizations is understanding where the line is and deploying security at scale across multiple clouds.
However, there are differences among the Big 3, according to Mogull, which roughly correspond to their relative market share. AWS is the largest with 31% market share. Azure, which has been working hard to catch up, is second at 20%. Latecomer Google is a distant third at 7%, according to an analysis of 2020 cloud services revenue conducted by the analyst firm Canalys.
AWS is the oldest and most mature of the cloud services providers. “The biggest advantage of AWS is that, as the dominant provider, there is a lot of knowledge and tooling out there. It’s easier to get answers, find help, and find supported tools. This is on top of the platform’s overall maturity and scope,” says Mogull.
Amazon’s shared security model states that the company is responsible for the security of the underlying cloud infrastructure, and the subscriber is responsible for securing workloads deployed in the cloud. Specifically, customers are responsible for:
AWS makes a wide range of services available to customers:
AWS also does a good job defaulting to secure configurations.
Mogull adds, “Two of the best AWS security features are their excellent implementation of security groups (firewalls) and granular IAM.” However, AWS security is based on isolating services from each other unless access is explicitly enabled. This works well from a security perspective, but the tradeoff is that it makes enterprise-scale management more difficult than it has to be and makes it more difficult to manage IAM at scale, says Mogull. “Despite those limitations, AWS is usually the best place to start, where you run into the fewest security issues.”
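The "isolated unless explicitly enabled" behaviour described above is the implicit-deny core of IAM policy evaluation: an action is denied unless some statement allows it, and an explicit Deny overrides any Allow. The following example, added here and not code from the article or from AWS, models that evaluation order for identity-based policies and flags the wildcard grants that undermine granularity. The policy documents, bucket names and the helper names (`evaluate`, `wildcard_findings`) are constructed for illustration; conditions, permission boundaries, SCPs and resource policies are deliberately out of scope.

```python
"""Minimal model of AWS IAM identity-policy evaluation (constructed example).

Assumption: only identity-based policies, no Condition blocks, no SCPs or
permission boundaries. Order of precedence modelled: explicit Deny > Allow >
implicit Deny, which is the documented IAM behaviour for this simplified case.
"""
import fnmatch

# Constructed policy documents (not from any real account).
ADMIN_STYLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"]},
        # Explicit deny carves a sensitive prefix out of the allow above.
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::app-data/secrets/*"},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value, case_insensitive):
    """IAM-style wildcard match: '*' any run, '?' one character."""
    if case_insensitive:
        value = value.lower()
    for pattern in _as_list(patterns):
        if case_insensitive:
            pattern = pattern.lower()
        if fnmatch.fnmatchcase(value, pattern):
            return True
    return False


def _applies(stmt, action, resource):
    """Does this statement cover the requested action and resource?"""
    # Action names are case-insensitive in IAM; ARNs are case-sensitive.
    if "Action" in stmt:
        if not _match_any(stmt["Action"], action, True):
            return False
    elif "NotAction" in stmt:
        if _match_any(stmt["NotAction"], action, True):
            return False
    else:
        return False
    if "Resource" in stmt:
        return _match_any(stmt["Resource"], resource, False)
    if "NotResource" in stmt:
        return not _match_any(stmt["NotResource"], resource, False)
    return False


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not _applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"          # explicit deny always wins
            if stmt.get("Effect") == "Allow":
                allowed = True         # keep scanning for a later Deny
    return "Allow" if allowed else "ImplicitDeny"


def wildcard_findings(policy):
    """Indexes of Allow statements granting '*' or 'service:*' on Resource '*'.

    These are the grants that give up the granularity the text praises.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        if broad_action and "*" in resources:
            findings.append(i)
    return findings


if __name__ == "__main__":
    obj = "arn:aws:s3:::app-data/report.csv"
    secret = "arn:aws:s3:::app-data/secrets/db.key"
    print(evaluate([LEAST_PRIVILEGE], "s3:GetObject", obj))      # Allow
    print(evaluate([LEAST_PRIVILEGE], "s3:GetObject", secret))   # Deny
    print(evaluate([LEAST_PRIVILEGE], "s3:PutObject", obj))      # ImplicitDeny
    print(wildcard_findings(ADMIN_STYLE))                        # [0]
```

Attaching `ADMIN_STYLE` alongside `LEAST_PRIVILEGE` to the same principal still yields `Deny` on the secrets prefix, which is the property to rely on when carving exceptions out of broad grants; the `wildcard_findings` check is the kind of rule a policy linter applies before a policy reaches an account.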
Microsoft Azure is based on a similar shared responsibility model. For example, in an infrastructure-as-a-service (IaaS) scenario, the customer is responsible for data classification and accountability, client and endpoint protection, identity and access management, application-level and network-level controls. Mogull says that Azure is just a bit “rougher around the edges in terms of maturity” than AWS, specifically in areas of consistency, documentation, and the fact that many services default to less secure configurations.
Azure does have some advantages. Azure Active Directory can be linked to enterprise Active Directory to provide a single source of truth for authorization and permissions management, which means everything can be managed from a single directory. The tradeoff is that management is easier and more consistent, but environments are less isolated and less protected from each other than with AWS. Another tradeoff: Azure’s identity and access management is very hierarchical out of the box and easier to manage than AWS, but AWS can get more granular, says Mogull.
Azure has two other features that are important for enterprise users: Activity logs cover console and API activity for the entire organization by default across regions. Also, the Azure Security Center management console covers the entire enterprise and can be set up so local teams can manage their own alerts.
Google Cloud is “built on Google’s long-term engineering and global operations, which are insanely impressive,” says Mogull. Google offers solid built-in security tools, including:
The Google Security Command Center provides centralized visibility and control, enables customers to discover misconfigurations and vulnerabilities, monitors compliance, and detects threats. Google offers top-notch monitoring and log analysis through its Stackdriver acquisition (now expanded and rebranded as Google Cloud Operations). It also offers identity and access controls through its BeyondCorp Enterprise Zero Trust platform.
However, Google’s 7% market share is an issue because there are fewer security experts with deep Google Cloud experience, which translates into a less robust community and less tooling, says Mogull. He adds that Google Cloud offers strong centralization and defaults to secure settings, which are important considerations. Overall Google Cloud “isn’t as mature as AWS” and doesn’t have the same breadth of security features.
The hyperscalers provide enterprises with best practices, guidelines, native controls, tools, visibility into flow logs, and they can even alert an organization to the fact that there has been a misconfiguration, but “the subscriber is responsible to act on best practices, to respond to alerts, to employ appropriate controls to protect all assets you put in the cloud,” says Cahill.
This means you’ll have ongoing responsibilities, including “carefully managing access controls, monitoring your cloud environment for security threats, conducting regular penetration tests and thoroughly training your employees on cloud security best practices,” says Dr. Michelle Moore, academic director of the University of San Diego’s Master of Science in Cyber Security Operations and Leadership Program.
Mogull agrees building up internal expertise in each public cloud is important. He says there are three critical mistakes that enterprises make when implementing cloud security:
Cahill agrees. “You’re outsourcing your data center to a third party. There’s a level of abstraction. You’re interacting with APIs for services.” He adds that the biggest mistakes that organizations make are misconfiguring cloud services, misconfiguring objects stores (open S3 buckets) and leaving credentials or API keys in public repositories. Too often, cloud consoles are protected by weak passwords rather than multifactor authentication.
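The three mistakes Cahill names, public object stores, credentials committed to repositories, and console users without multifactor authentication, are all detectable from data the customer already holds. The example below is added here and is not code from the article or from any provider; it runs three offline checks over constructed inputs: bucket policy documents, repository file contents, and a CSV shaped like a subset of the IAM credential report (`user`, `password_enabled`, `mfa_active` are real report columns, the rows are invented). The bucket names, account ID, key ID and user names are placeholders, and the "public" test is a simplified heuristic (any-principal Allow with no Condition) rather than the provider's full definition.

```python
"""Three offline checks for the cloud mistakes in the text (constructed example).

Assumptions: inputs are already exported (bucket policies as JSON strings,
repository files as text, a credential-report-style CSV). No live API calls.
"""
import csv
import io
import json
import re

# Constructed bucket policies (placeholder names and account ID).
BUCKET_POLICIES = {
    "public-assets": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::public-assets/*"}]}),
    "customer-exports": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:*",
         "Resource": "arn:aws:s3:::customer-exports/*"}]}),
    "partner-share": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::partner-share/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}),
    "internal-logs": json.dumps({"Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/LogWriter"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::internal-logs/*"}]}),
}

# Constructed repository contents; the key ID is a placeholder, not a real key.
REPO_FILES = {
    "config/settings.py": 'AWS_KEY = "AKIAEXAMPLEKEY000000"\nREGION = "eu-west-1"\n',
    "README.md": "Set AWS_ACCESS_KEY_ID in the environment; never commit it.\n",
}

# Constructed rows using a subset of the IAM credential report columns.
CREDENTIAL_REPORT = """user,password_enabled,mfa_active
<root_account>,true,true
alice,true,true
bob,true,false
ci-deploy,false,false
"""

# Long-term access key IDs start with AKIA, temporary ones with ASIA,
# followed by 16 upper-case alphanumerics (documented key ID format).
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (any AWS principal, including anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_buckets(policies):
    """Split buckets into (public, needs_review).

    public: an Allow for any principal with no Condition (simplified heuristic).
    needs_review: same grant but with a Condition that may still restrict it.
    """
    public, review = [], []
    for bucket, doc in policies.items():
        for stmt in json.loads(doc).get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            if not _principal_is_anyone(stmt.get("Principal")):
                continue
            (review if stmt.get("Condition") else public).append(bucket)
            break
    return public, review


def leaked_key_ids(files):
    """(path, line number, key id) for each access key ID found in file text."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in ACCESS_KEY_ID.finditer(line):
                hits.append((path, lineno, match.group(0)))
    return hits


def console_users_without_mfa(report_csv):
    """Users who can sign in to the console with a password but have no MFA."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [row["user"] for row in rows
            if row["password_enabled"] == "true" and row["mfa_active"] != "true"]


if __name__ == "__main__":
    print(public_buckets(BUCKET_POLICIES))
    print(leaked_key_ids(REPO_FILES))
    print(console_users_without_mfa(CREDENTIAL_REPORT))
```

The same three checks map onto the other providers' equivalents (storage IAM bindings granting `allUsers`, repository secret scanning, and directory sign-in reports), which is why they belong in a multi-cloud baseline rather than a per-provider one.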
Cahill offers these recommendations to protect enterprise data in the cloud: