When mainstream cloud computing first began to appear on the horizon (Amazon launched its Elastic Compute Cloud product in 2006), many organizations were initially hesitant to entrust their most valuable data and processes to a technological innovation named after something that appears so delicate. Oh, how times have changed. Today, an estimated 96% of organizations use cloud computing, with over 80% operating multi-cloud landscapes thanks to a range of benefits that include efficiency, scalability, flexibility, mobility, disaster recovery and security. As organizations continue to transition more of their computing infrastructure to cloud environments, the decision on what provider to use commonly comes down to the Big Three — Amazon Web Services vs. Microsoft’s Azure vs. Google Cloud Platform. And one of the top concerns when choosing a cloud computing provider is, yes, security. At one level, the “clouds” are a metaphor for heavily fortified data centers that feature maximum-security-prison levels of physical protection including:
- Dual authentication systems
- Vehicle-access barriers
- High-resolution cameras
- Laser beam intrusion detection systems
- Biometric iris scanners
- Electronic access cards
So the physical facilities themselves are incredibly secure. The question is: How do Amazon (AWS), Azure and Google (GCP) stack up when it comes to virtual cloud security?
A Closer Look at Cloud Security
Despite some early hesitancy on the part of leading technology-dependent organizations to move to the cloud, the cloud computing market is booming. According to 2018 Q4 numbers from industry analyst Canalys.com, the market share leaders are:
- Amazon Web Services — 32.3% market share worth $7.3 billion
- Microsoft Azure — 16.5% market share worth $3.7 billion
- Google Cloud — 9.5% market share worth $2.2 billion
When it comes to cloud security, there are three critical aspects to consider, according to Haresh Kumbhani, founder and CEO of Zymr, a San Francisco-based cloud consulting and agile software development services company:
- Physical security, such as protecting physical assets at a geographic location.
- Infrastructure security, such as ensuring that security patches are updated as soon as possible, ports are scanned for abnormal behavior, etc.
- Data and access security, such as encrypting data, controlling user privileges, etc.
However, the cloud providers have little control over the third aspect, data and access security. Instead, application-level security is typically the users’ responsibility. “Around 80% of breaches occur because this third part is not very well secured,” said Kumbhani. To alleviate this risk, he recommends that clients encrypt their data and databases, ensure that user privileges are correct, and deploy features such as cybersecurity scanners that monitor for threat scenarios. The fact that cloud users bear considerable responsibility for the security component is known as the Shared Responsibility Model. A Tripwire article (“The Cloud’s Shared Responsibility Model Explained”) distinguishes between “Security of the Cloud” (the cloud service provider’s responsibility) and “Security in the Cloud” (the user’s responsibility). Within this scenario, “It is incumbent on the customer to ensure that they continue to meet their security, governance, and compliance requirements. The CSP may be able to protect against brute-force login attempts, for example, but it’s the customer’s responsibility to ensure that employees use unique and secure passwords across all cloud services to minimize the risk of an account compromise.”
AWS vs. Azure vs. Google Cloud: One Security Expert’s Comparison
Rich Mogull, founder/VP of product at DisruptOps and analyst/CEO at Securosis, offers a security insider’s analysis of the three major providers from a cloud security perspective in “The Security Pro’s Quick Cloud Comparison: AWS, Azure or GCP?”
Amazon Web Services
“AWS is the oldest and most mature major cloud provider. This is both good and bad, because some of their enterprise-level options were basically kludged together from underlying services that weren’t architected for the scope of modern cloud deployments. …
“The biggest advantage of AWS is that, as the dominant provider, there is a lot of knowledge and tooling out there. It’s easier to get answers, find help, and find supported tools. This is on top of the platform’s overall maturity and scope. AWS also does a reasonably good job of defaulting to secure configurations. For example, when you deploy an instance onto a VPC (virtual network), network access is decently restricted. …
“Most core security features are available — from robust API activity monitoring to basic threat intel (GuardDuty), WAF, DLP (Macie), Vulnerability Assessment (Inspector), and security event triggers for automations. … Two of the best AWS security features are their excellent implementation of security groups (firewalls) and granular IAM.”
Mogull observes that AWS’ focus on “isolation” for added security “makes enterprise scale management more difficult than it needs to be” and affects users’ ability to manage IAM at scale. “Despite those limitations,” he concludes, “today AWS is usually the best place to start, where you run into the fewest security issues.”
Microsoft Azure
“Azure can be maddening at times due to a lack of consistency and poor documentation. Many services also default to less secure configurations. For example, if you create a new virtual network and a new virtual machine on it, all ports and protocols are open. AWS and GCP always start with a default deny, but Azure starts with default allow.
Azure does have some advantages, which can be significant to enterprises. Azure Active Directory is the single source of truth for authorization and permissions management. Unlike AWS — where you need to configure federation, users, and access for each account — Azure allows it all to be managed from a single directory. This is both good and bad — management is easier and more consistent, but environments (subscriptions) are less isolated and protected from each other. … Azure has two other central features which are particularly appealing to enterprise users:
- Activity logs cover console and API activity for the entire tenant (organization) by default, across regions. …
- The Azure Security Center also covers the entire tenant (with the right licensing) and can be scoped to allow subscription-level access so local teams can manage their own alerts. This is what [AWS’] Security Hub is building up to become. But the ASC can be maddening due to its lack of transparency and assessment limitations. The key is to understand what it does well, what it does okay (e.g., some threat scans are only daily), and what it does poorly (compliance assessments have weird gaps).
Azure also has real consistency, availability, and documentation problems. … You can be secure on Azure but you need to be very careful, move slowly, and test everything.”
Google Cloud Platform
“GCP is very young in some ways but very old in others. It’s built on Google’s impressive long-term engineering and global operations, which are insanely impressive. Like Azure, GCP is better centralized, because many capabilities were planned out from the start — compared to AWS features which were only added a few years ago. Within your account Projects are isolated from each other except where you connect services. Overall GCP isn’t as mature as AWS, but some services — notably container management and AI — are class leaders. The easiest way to think about GCP security is on a continuum somewhere between AWS and Azure. It offers organization-wide logging but coverage isn’t complete. It has more granular IAM which can be easier to manage centrally, but some aspects of custom policies are still in beta. This is all just a matter of maturity. GCP also generally defaults to secure configurations but doesn’t always have the same range of security features as AWS. GCP does include some impressive built-in security tools. The Cloud Security Command Center is their version of the Azure Security Center or the AWS Security Hub. Stackdriver Logging works great, and Google offers the open source Forseti for managing security configurations. A downside is the very small number of security experts with deep GCP experience, and the less robust community and tooling. Again, this is to be expected of a younger service — this kind of knowledge expansion takes time.”
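The default-deny versus default-allow contrast Mogull draws (AWS and GCP start closed, Azure as he describes it starts open) is something a defender can check for in their own inbound rule sets before trusting a provider's defaults. The following Python is an added example, not from Mogull's article or any provider's SDK; it assumes a constructed, simplified rule format and constructed sample rule sets rather than real API output.

```python
from ipaddress import ip_network

# Constructed, provider-neutral rule shape (an assumption for this example):
# access "Allow"/"Deny", priority (lower number wins, as in Azure NSGs),
# source (CIDR or "*"), port ("*", "22" or "80-443"), protocol ("*"/"Tcp"/"Udp").
# An AWS/GCP-style list holds only Allow rules; an empty list is implicit deny.
WORLD = ("*", "0.0.0.0/0", "::/0", "Internet")

def is_world_source(src):
    """True when the rule admits traffic from any address."""
    if src in WORLD:
        return True
    try:
        return ip_network(src, strict=False).prefixlen == 0
    except ValueError:
        return False

def is_all_ports(port):
    return port in ("*", "0-65535")

def inbound_posture(rules):
    """'allow' if the highest-priority catch-all rule (any source, any port,
    any protocol) is an Allow, i.e. the default-allow start Mogull describes;
    'deny' when a Deny catch-all wins or no catch-all exists (AWS/GCP style)."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if is_world_source(r["source"]) and is_all_ports(r["port"]) and r["protocol"] == "*":
            return r["access"].lower()
    return "deny"

def world_open_allows(rules):
    """Names of Allow rules reachable from any address (ignores shadowing by Deny rules)."""
    return [r["name"] for r in rules
            if r["access"] == "Allow" and is_world_source(r["source"])]

# Constructed samples: a network created with an allow-everything rule,
# the same network after hardening, and an empty AWS-style security group.
DEFAULT_ALLOW_VNET = [
    {"name": "AllowAllInbound", "access": "Allow", "priority": 65000,
     "source": "*", "port": "*", "protocol": "*"},
]
HARDENED_VNET = [
    {"name": "AllowSSHFromBastion", "access": "Allow", "priority": 100,
     "source": "10.0.1.0/24", "port": "22", "protocol": "Tcp"},
    {"name": "DenyAllInbound", "access": "Deny", "priority": 4096,
     "source": "*", "port": "*", "protocol": "*"},
]
DEFAULT_DENY_SG = []

if __name__ == "__main__":
    for rules in (DEFAULT_ALLOW_VNET, HARDENED_VNET, DEFAULT_DENY_SG):
        print(inbound_posture(rules), world_open_allows(rules))
```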
Cloud Security: Amazon Web Services vs. Microsoft’s Azure vs. Google
Though they are obviously biased, it is also revealing to examine how each organization talks about its own cloud computing security:
WHAT AMAZON WEB SERVICES SAYS:
Cloud computing is the on-demand delivery of computing power, database, storage, applications, and other IT resources via the internet with pay-as-you-go pricing.
On cloud security:
Cloud security at AWS is the highest priority. As an AWS customer, you will benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations. Security in the cloud is much like security in your on-premises data centers — only without the costs of maintaining facilities and hardware. In the cloud, you don’t have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and out of your cloud resources. The AWS Cloud enables a shared responsibility model. While AWS manages the security of the cloud, you are responsible for security in the cloud. This means that you retain control of the security you choose to implement to protect your own content, platform, applications, systems, and networks no differently than you would in an on-site data center. You get access to hundreds of tools and features to help you to meet your security objectives. AWS provides security-specific tools and features across network security, configuration management, access control, and data encryption.
WHAT MICROSOFT AZURE SAYS:
Simply put, cloud computing is the delivery of computing services — including servers, storage, databases, networking, software, analytics, and intelligence — over the Internet (“the cloud”) to offer faster innovation, flexible resources, and economies of scale.
On cloud security:
$1B+ investment in security R&D and 3,500 cybersecurity experts
Security is foundational for Azure. Take advantage of multi-layered security provided across physical data centers, infrastructure, and operations with cybersecurity experts actively monitoring to protect your business assets and data.
6.5 trillion threat signals analyzed daily
Put the cloud and large-scale intelligence from decades of Microsoft security experience to work. Make your threat detection and response smarter and faster with AI-driven security signals that modernize your security operations.
WHAT GOOGLE CLOUD SAYS:
Traditionally organizations have looked to the public cloud for cost savings or to augment private data center capacity. However, organizations are now primarily looking to the public cloud for security, realizing that providers can invest more in people and processes to deliver secure infrastructure.
On cloud security:
As a cloud pioneer, Google fully understands the security implications of the cloud model. Our cloud services are designed to deliver better security than many traditional on-premises solutions. We make security a priority to protect our own operations, but because Google runs on the same infrastructure that we make available to our customers, your organization can directly benefit from these protections. That's why we focus on security, and the protection of data is among our primary design criteria. Security drives our organizational structure, training priorities and hiring processes. It shapes our data centers and the technology they house. It's central to our everyday operations and disaster planning, including how we address threats. It's prioritized in the way we handle customer data. And it's the cornerstone of our account controls, our compliance audits and the certifications we offer our customers.
In recent cloud security news, Google Cloud has been ramping up its efforts to gain market share from its two chief competitors, with moves that include the November 2018 hiring of Thomas Kurian, a former top executive at Oracle, as its new CEO.
Regarding his focus on security, Kurian announced in June 2019 that Chronicle, Alphabet’s enterprise security company, is joining Google Cloud. “At Google Cloud, our customers’ need to securely store data and defend against threats — either in the cloud or on-premise — is a top priority,” he said. “We approach security holistically, from the chip to the datacenter, with a continuously growing set of security capabilities that work in concert to deliver defense-in-depth at scale: from hardware infrastructure, service deployment and user identity, to storage, internet communication and security operations.”
The Bottom Line
Despite the best efforts of the leading cloud service providers to offer optimal security, all organizations that use cloud computing must be vigilant in doing their due diligence under the Shared Responsibility Model. Ongoing responsibilities include carefully managing access control, monitoring your cloud environment for security threats, conducting regular penetration tests and thoroughly training your employees on your cloud security best practices.
About the Author: Michelle Moore, Ph.D., is academic director and professor of practice for the University of San Diego’s innovative, online Master of Science in Cyber Security Operations and Leadership program. She is also a researcher, author and cybersecurity policy analyst with over two decades of private-sector and government experience as a cybersecurity expert. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.