With the barrage of security breaches in the news, there is a strong focus on securing resources in the cloud. In this post, we’ll explore security offerings from Amazon Web Services (AWS), Microsoft Azure, and Google Cloud.
What is cloud security?
Cloud security is actually a combination of security controls and settings, and not just a single setting or checkbox.
There is often confusion around cloud security, and that’s because organizations don’t always know what they are responsible for. What’s even worse is that some organizations think that the cloud platforms are responsible for anything security-related — and that’s a big problem because it’s definitely not the case.
Enter the first stop on our tour of all things security in the cloud: the shared responsibility model.
What is the Shared Responsibility Model?
In order to better understand who is responsible for security in the cloud, we need to reference something called the shared responsibility model.
The shared responsibility model is a framework that helps differentiate when the cloud provider is accountable for security and when your organization is accountable for security, based on what is deployed in the cloud.
Now, let’s take a look at the three cloud platforms’ way of handling the shared responsibility model. In general, all three cloud providers follow the same principles for shared responsibility; they just have slightly different approaches.
Azure’s shared responsibility model
Azure’s shared responsibility model splits responsibility into three main categories.
- The first: the customer is always responsible. This covers information and data, devices such as mobile phones and PCs, and user accounts, which are also called identities.
- The second category is less black and white and more of a gray area, because responsibility shifts depending on the cloud model used: software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS).
- Lastly, we have the category called cloud provider responsibility. This is when the cloud provider is solely responsible for security, whether the service is SaaS, PaaS, or IaaS. An example of this would be the physical infrastructure in the data centers hosting these services.
AWS shared responsibility model
For the AWS Shared Responsibility Model, AWS takes a simpler approach.
Customers are responsible for security in the cloud, meaning their own data, user accounts, applications, and so forth, while AWS is responsible for the security of the cloud, including the underlying hardware within the data centers, such as physical hosts, storage, and networking.
Google Cloud’s shared responsibility model
Google’s approach to the shared responsibility model is a bit more complex as they specify in detail, in each instance, who is responsible for security. It’s called the Shared Responsibility Matrix.
Identity and Access Management (IAM)
As we saw under the different shared responsibility models, organizations are responsible for user accounts. This forms part of what is called identity and access management, or IAM for short. IAM is the term for defining which access a user or role is granted, commonly implemented as role-based access control.
We’ll do a quick overview of IAM here, but for a deeper dive check out our separate post comparing AWS, Azure, and Google Cloud IAM services.
There are some shared user and IAM features across all three platforms, including multi-factor authentication (MFA), single sign-on (SSO), built-in role-based access control (RBAC), and custom role-based access control.
One key difference across the platforms, though, is privileged access management (PAM), which is used to manage privileged accounts for users or resources, whether those are deployed as IaaS, PaaS, or SaaS.
- Azure offers a service called Privileged Identity Management, which includes just-in-time privilege access to Azure AD and Azure Resources.
- AWS and GCP don’t have a built-in feature to address PAM. However, you are able to deploy a third-party solution to address this via the Marketplace.
IAM feeling like a PITA? Check out Fixing 5 Common AWS IAM Errors for a look into the cause and resolution for some of the most common AWS IAM errors.
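Least privilege is the practical core of the RBAC and PAM points above: a role should allow only the API calls it needs, and privileged actions should be gated by MFA. The checker below is an added example, not code from the original post or from any cloud provider's tooling. It reviews AWS-style IAM policy documents for the classic over-grants (`Action "*"` on `Resource "*"`, service-wide wildcards, `Allow` with `NotAction`, and privileged actions without an MFA condition). The list of action prefixes treated as privileged and the two sample policies are constructed for this illustration.

```python
"""Least-privilege review of AWS-style IAM policy documents.

Added example, not code from the original post or from any cloud provider.
The policies below are constructed; the prefixes treated as privileged are
an assumption chosen for this illustration.
"""
import json

# Action prefixes treated as privileged for this check (constructed list).
PRIVILEGED_PREFIXES = ("iam:", "sts:AssumeRole", "organizations:")


def _as_list(value):
    """IAM allows a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True when the statement has a Bool aws:MultiFactorAuthPresent=true condition."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator.startswith("Bool"):
            if str(keys.get("aws:MultiFactorAuthPresent", "")).lower() == "true":
                return True
    return False


def review_policy(policy):
    """Return (severity, message) findings for one policy document (dict)."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access
        sid = stmt.get("Sid") or f"Statement[{index}]"
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(("HIGH", f"{sid}: Allow with NotAction permits every action not listed"))
        if "*" in actions and "*" in resources:
            findings.append(("HIGH", f"{sid}: Action '*' on Resource '*' is full administrator access"))
            continue
        for action in actions:
            if action.endswith(":*"):
                findings.append(("MEDIUM", f"{sid}: service-wide wildcard {action}; list the API calls actually needed"))
            if action.startswith(PRIVILEGED_PREFIXES) and not _requires_mfa(stmt):
                findings.append(("MEDIUM", f"{sid}: privileged action {action} allowed without an MFA condition"))
    return findings


def review_policy_json(text):
    """Convenience wrapper for a policy stored as a JSON string."""
    return review_policy(json.loads(text))


# Constructed sample: the kind of policy that turns up in quick-start guides.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "IamAll", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}

# Constructed sample: scoped to one bucket, and key rotation gated by MFA.
# The account id and bucket name are placeholders.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Sid": "RotateOwnKey", "Effect": "Allow",
         "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("overly broad", OVERLY_BROAD), ("least privilege", LEAST_PRIVILEGE)):
        print(f"{name}: {len(review_policy(policy))} finding(s)")
        for severity, message in review_policy(policy):
            print(f"  [{severity}] {message}")
```

Run against the two constructed policies, the broad one produces one HIGH and two MEDIUM findings and the scoped one produces none. The same shape of check is what Azure and Google Cloud role definitions need too; only the document format differs.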
Workload security (IaaS)
Let’s compare some of the IaaS workload security solutions each platform offers.
Distributed denial of service protection
- Azure calls their offering (unsurprisingly) DDoS Protection.
- AWS has Shield.
- GCP has Google Cloud Armor.
Secrets management
- Azure has a service called Key Vault, which is used to store secrets like passwords and keys, and it also supports storing certificates.
- AWS calls their offering Secrets Manager; it is used for storing secrets only, although it also provides a mechanism for storing certificates.
- GCP Secret Manager works the same as the other platforms and provides the functionality to store passwords and certificates.
Virtual private networking
- AWS VPN supports point-to-site and site-to-site options, with a limit of 10 site-to-site connections per VPN gateway.
- Azure VPN gateway supports point-to-site and site-to-site VPNs with a limitation of a maximum of 30 site-to-site connections per VPN gateway.
- Google Cloud VPN only supports site-to-site VPN connections and does not currently support point-to-site connections.
Data security (PaaS)
Next, let’s have a look at how the platforms approach platform as a service, or PaaS, security. Let’s focus on securing data, since databases hold important organizational or customer information, which is one of the main goals for hackers.
All three cloud platforms support the following security controls from a database point of view.
- Identity and access management policies, or IAM policies
- Firewall rules, which include IP whitelisting. This is where organizations can expose a database to the internet but allow only the organization’s public IP address to connect to it.
- Encryption in transit (TLS), meaning the database supports secure connections to it, and encryption at rest, by means of hard drive-level encryption.
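The three database controls above are the ones most often found in a weak state during a review: a firewall rule opened to `0.0.0.0/0` "just for a test", TLS optional rather than required, and encryption at rest left off. The checker below is an added example, not code from the original post or from any provider's tooling. It takes a provider-neutral description of a managed database and flags exactly those weaknesses next to a hardened version of the same configuration. The configuration keys (`firewall_rules`, `require_tls`, `min_tls_version`, `encryption_at_rest`), the sample configurations and the address ranges are assumptions constructed for this illustration.

```python
"""Review of a managed database's exposure and encryption settings.

Added example, not code from the original post or from any provider's
tooling. The configuration format is an assumption made for this
illustration, and the sample configurations and address ranges are constructed.
"""
import ipaddress

# Minimum TLS version to accept (assumption for this check).
MIN_TLS = (1, 2)


def _tls_tuple(version):
    """'1.2' -> (1, 2) so versions compare numerically."""
    return tuple(int(part) for part in str(version).split("."))


def review_database(config, org_cidr):
    """Return (severity, message) findings for one database configuration."""
    findings = []
    org_net = ipaddress.ip_network(org_cidr)

    # Firewall rules: the only acceptable source is the organisation's range.
    for rule in config.get("firewall_rules", []):
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if net.prefixlen == 0:
            findings.append(("HIGH", f"rule '{rule['name']}' allows the whole internet ({rule['cidr']})"))
        elif net.version != org_net.version or not net.subnet_of(org_net):
            findings.append(("MEDIUM", f"rule '{rule['name']}' allows {rule['cidr']}, outside the organisation range {org_cidr}"))

    # Encryption in transit: require TLS, and not an obsolete version of it.
    if not config.get("require_tls", False):
        findings.append(("HIGH", "TLS not required; clients may connect in clear text"))
    elif _tls_tuple(config.get("min_tls_version", "1.0")) < MIN_TLS:
        findings.append(("MEDIUM", f"minimum TLS version {config.get('min_tls_version', '1.0')} is below 1.2"))

    # Encryption at rest: disk-level encryption of the stored data.
    if not config.get("encryption_at_rest", False):
        findings.append(("MEDIUM", "encryption at rest is disabled"))
    return findings


# Constructed: the organisation's public range (RFC 5737 documentation space).
ORG_PUBLIC_RANGE = "203.0.113.0/24"

# Constructed weak configuration: open firewall, optional TLS, no disk encryption.
EXPOSED = {
    "name": "orders-db",
    "firewall_rules": [
        {"name": "dev-laptop", "cidr": "0.0.0.0/0"},
        {"name": "office", "cidr": "203.0.113.0/24"},
        {"name": "contractor", "cidr": "198.51.100.7/32"},
    ],
    "require_tls": False,
    "encryption_at_rest": False,
}

# Constructed hardened configuration: office range only, TLS 1.2+, encrypted at rest.
HARDENED = {
    "name": "orders-db",
    "firewall_rules": [{"name": "office", "cidr": "203.0.113.0/24"}],
    "require_tls": True,
    "min_tls_version": "1.2",
    "encryption_at_rest": True,
}

if __name__ == "__main__":
    for label, config in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(f"{config['name']} ({label}): {len(review_database(config, ORG_PUBLIC_RANGE))} finding(s)")
        for severity, message in review_database(config, ORG_PUBLIC_RANGE):
            print(f"  [{severity}] {message}")
```

The exposed configuration yields two HIGH findings (the open rule and optional TLS) and two MEDIUM ones (the contractor address outside the organisation range, and no encryption at rest); the hardened one yields none. Reading the provider's actual firewall and TLS settings into this shape is the only provider-specific part.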
Built-in security and compliance (SaaS)
Most organizations have to comply with a set of security standards, and the same rules apply for cloud workloads. Let’s take a moment to understand how the cloud platforms help organizations meet cloud security compliance.
- Azure has the Azure Security Center.
- GCP has the Trust and Security Center.
- AWS calls their security assessment service Amazon Inspector.
Compliance tools on all three cloud platforms support most of the common compliance standards, such as ISO 27001, PCI DSS, and many more. These tools can audit the resources you have deployed and advise on security best practices, so that your environment is secure and you have not missed anything major from a security or configuration point of view.
Marketplace support for cloud security
Lastly, it’s worth mentioning that each cloud platform offers a marketplace where customers can make use of third-party vendor applications to meet specific security requirements. AWS and Azure are leading the way on this, with GCP trying to catch up.
At the end of the day, when you choose a cloud provider, there are multiple security decisions to make alongside other considerations such as pricing, hybrid identities, and skills to support your solutions.
If you want to learn more about cloud security, check out our security-related learning paths, including Azure Security and AWS Security. These learning paths will guide you from novice to guru with a hands-on learning approach.
Thanks for reading, and keep being awesome, cloud gurus!