Understanding Cloud Security Considerations for AWS, Azure, and GCP

Remotely-hosted, run, and managed applications and data, commonly referred to as Cloud Services, are generally assumed to be securely maintained and safe. However, despite being managed by leading tech companies, cloud services and the data stored in remote servers aren’t completely protected against all types of security threats.

In simple words, data stored in the cloud and apps hosted on remote servers cannot be considered absolutely secure, and hence, even the app creator, service provider, and data owner have equal responsibility for cloud data security.

Cloud Security considerations are as important as digital protection of data when stored and managed locally. It doesn’t matter if the data or applications are hosted by the top cloud service providers, be it Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP), there has to be a thorough audit as well as practices and protocols to mitigate threats and risks.

With over 70 percent of the world’s businesses actively relying on AWS, Azure, GCP or even some combination of the three, cloud security considerations are a critical component of data protection.

Must Watch: #AppknoxWebinar - Key to Effective Cloud Security in 2020

Cloud services offer multiple benefits such as significantly lowered costs, better flexibility, enhanced and quicker software update processes, and of course, the ability to access data and applications from anywhere. In other words, they are inevitable in today’s world.

While there are several advantages to using Cloud Services, the remotely hosted servers do pose new and unique security challenges that need to be scrutinized and addressed. Before we get into the cloud security considerations and responsibilities, let us first try and understand how the three most popular cloud service providers perceive and handle the subject.

Cloud Security: AWS VS AZURE VS GCP:

It is important to note that the majority of organizations with data and applications in the cloud aren’t heavily concerned about public cloud security. Companies often assume cloud service providers will have the relevant safeguards against the multitude of digital threats ranging from vulnerability to hijacked accounts, malicious insiders, full-scale data leaks, or breaches. While the service providers are constantly improving their security, it is important for companies seeking the services to be as vigilant and particular about Cloud Security Considerations.

The three major players, AWS, Microsoft Azure, and Google Cloud Platform are backed by the biggest names in Tech. Each of the services has a company that has been involved in the domain directly as well as indirectly for decades. Still, the cloud services platform is rather new as the companies have traditionally supported their own products and services. Hence, the approach to cloud data security is slightly different for each. While each of the company has a heavily fortified platform, let’s see how well AWS, Azure, and GCP perceive and handle cloud security.

How Does Amazon Web Services (AWS) Handle Cloud Security?

AWS is by the far the oldest, most mature, and consistently active player in the cloud services segment. The company’s products are readily recommended, and hence, a large number of top companies, including Netflix, Twitch, Facebook, and many more, rely heavily on AWS for reliable and consistent performance across the globe.

Being the oldest player offers several advantages to customers, both new and old. Essentially, there is a lot of knowledge and tooling out there to quickly find answers and discover tools that work perfectly without resorting to experimentation. With the minimal need for experimentation, AWS does a great job of defaulting to secure configurations.

Summarizing AWS’s approach to cloud security is rather simple. For AWS, isolation appears to be the number one security mantra as well as consideration. Customers, and more particularly the services they choose, can’t even access other services unless they themselves explicitly enable access. The core unit in AWS is an Account, and they are completely islanded from each other, unless, customers choose to open up inter-service access. Moreover, customers can easily separate production from development.

Some of the most common Cloud Security features, such as API activity monitoring, basic threat intel (Guard Duty), WAF, DLP (Macie), Vulnerability Assessment (Inspector), and security event triggers for automation, are available upfront. Meanwhile, AWS’s implementation of security groups (firewalls) and granular Identity and Access Management (IAM) are some of the best-known specialties of AWS.

How Does Microsoft Azure Handle Cloud Security?

Microsoft Azure appears to be all about ensuring the smoothest experience and shortest time to getting services up and running. While such a customer-friendly approach allows maximum compatibility and efficiency, it is a scary aspect from a cloud security perspective. Additionally, the service can be daunting to configure initially simply because there’s a noticeable lack of consistency or uniformity and limited documentation.

It is concerning to note that many services on Microsoft Azure tend to default to less secure configurations. A simple example is the creation of a new virtual network and a new virtual machine on the same. During this process, Azure intentionally leaves all ports and protocols open, and hence, easily accessible. Amazon and Google both start with ‘Deny’ as the default initiation point, but Azure seems to begin with ‘Allow’ as default.

Must Read: Introducing the Appknox Security Extension for Microsoft Azure

Developers oftentimes see some services deploy an endpoint onto a virtual network, but they don’t respect its network security groups. This gives the illusion of a secure cloud platform, but ports and/or destinations are exposed to the Internet.

Essentially, several developers have complained that Azure has real consistency, availability, and documentation problems. Interestingly, even a simple query gets multiple different answers from different Microsoft consultants or support representatives.

One of the most popular and favored aspects of Microsoft Azure is its Azure Active Directory, which is the singular platform for authorization and permissions management. Developers need to configure federation, users, and access for each account separately in AWS, but in Azure, the entire configuration can be managed from a single directory.

How Does Google Cloud Platform Handle Cloud Security?

Google is a highly mature company when it comes to cloud data and security. This is simply because the company was built from the ground up with the majority of ideas, concepts, policies, and protocols that are critical in cloud infrastructure. The other two companies have added features and facilities to build or construct a new cloud service company, while Google itself was well into the game from the beginning. An extensive long-term engineering and truly global operations from the very beginning have allowed the Google Cloud Platform to become a highly favored platform within a short span. Still, there are a few and minor limitations.

When it comes to cloud security, developers appreciate the centralized approach of GCP, which is similar to AWS. Google has much better management. Hence all account Projects, in the beginning, are isolated from each other except where developers connect services. Overall, Google truly shines in container management and AI.

One of the most impressive aspects of GCP when it comes to cloud security is built-in security tools. While AWS does have the Security Hub, and Microsoft has Azure Security Center, the GCP’s Cloud Security Command Center is truly impressive in terms of features, capabilities, monitoring, logging, and quick controls. Google offers Stackdriver Logging and open-source Forseti, which is a powerful and comprehensive platform for managing security configurations.

Perhaps the only downside of using the GCP is the relatively low number of cloud data security experts that have worked extensively on the platform. As an extension, there is a small but growing community, and still a rather low amount of tooling. However, as the GCP service is the youngest amongst the three, it is expected, and the situation should address itself in the near future.

Conclusion

AWS, Azure, and GCP have their own merits and are preferred by developers. These are established companies offering reliable services. However, their approach to cloud data security does vary. This puts the responsibility of securing data and services on the developers.

Under such circumstances, it is important to understand which are the critical security considerations, and how cloud security should be approached. There are several free and open-source tools that developers can readily access and deploy to enhance security, integrity, and protection of remotely stored data and services. We will look at these aspects, and a few more like PSD2 compliance in cloud security, in the next article.

 

Published on Jul 2, 2020
Sarapremashish Butola
Security Researcher at Appknox

Questions?

Chat With Us

Using Other Product?

Switch to Appknox

2 Weeks Free Trial!

Get Started Now