Cloud Provider Comparisons: AWS vs Azure vs GCP – Security

Episode description

In Cloud Provider Comparisons, we take a look at the same cloud services across the three major public cloud providers – Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). In this episode we put the focus on security. Often, there’s confusion surrounding cloud security because organizations don’t always know what they’re responsible for. In addition, with security breaches happening around the world, knowing how to secure your resources in the cloud has become a key focus area. Join Riaan Lowe in this episode to learn about the shared responsibility models across AWS, Azure, and GCP, as well as Identity and Access Management (IAM), Platform-as-a-Service (PaaS) data security options, and built-in security and compliance.

Links to everything covered in this episode are provided below.

0:00 Introduction
0:42 An introduction to cloud security
1:29 Shared responsibility models for Azure, AWS, and GCP
3:39 Identity and Access Management (IAM)
5:02 IaaS Security (DDoS protection, secrets management, virtual private networking)
6:33 Data security (PaaS – IAM policies, firewall rules/IP whitelisting, TLS, TDE)
7:31 Built-in security and compliance
8:26 Marketplace support for cloud security

Series description

In Cloud Provider Comparisons, we explore and compare the same cloud service across the three major public cloud providers - Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

- Hello, Cloud Gurus. Riaan Lowe here, and welcome to Cloud Provider Comparisons. In this series we take a look at the same cloud services across different cloud providers. We'll look at the similarities, the differences, and anything else that might be interesting. So, we all have heard the term cloud computing and hosting resources in the cloud, but recently, with all of the security breaches happening around the world, there is a strong focus on securing resources in the cloud.

In this episode, we'll explore security offerings from AWS, Azure and Google Cloud.

- So, cloud security is actually a combination of security controls and settings, and not just a single setting or checkbox. There is often confusion around cloud security, and that's because organizations don't always know what they are responsible for. What's even worse is that some organizations think that the cloud platforms are responsible for anything security related, and that's a big problem because it's definitely not the case. In order to better understand who is responsible for security in the cloud, we need to reference something called the shared responsibility model.

- So in a nutshell, the shared responsibility model is a framework that helps differentiate when the cloud provider is accountable for security and when your organization is accountable for security, based on what is deployed in the cloud. Now, let's take a look at the three cloud platforms' approach to the shared responsibility model. Let's start with Azure. Azure splits responsibility into three main categories. The first: the customer is always responsible.

This is relevant to information, data and devices such as mobile and PCs, as well as user accounts, which are also called identities. The second category is less black and white and more of a gray area, as this differs based on the cloud model used, such as software as a service, or SaaS, platform as a service, or PaaS, or infrastructure as a service, or IaaS. Lastly, we have the category called cloud provider responsibility. This is when the cloud provider is solely responsible for security, whether the service is SaaS, PaaS or IaaS. An example of this would be the physical infrastructure in the data centers hosting these services.

AWS has taken a more simplistic approach to the shared responsibility model and split it into two sections. The first: customers are responsible for security in the cloud. Users are responsible for their own data, user accounts, applications and so forth. AWS is responsible for security of the cloud, and this includes underlying hardware within the data centers such as physical hosts, storage and networking. Google's approach to the shared responsibility model is a bit more complex, as they specify in detail, in each instance, who is responsible for security.

We'll be sure to leave a link in the description if you want to take a look. But in general, all three cloud providers follow the same principles for shared responsibility; they just have slightly different approaches.

- As we just saw under the different shared responsibility models, organizations are responsible for user accounts. This forms part of what is called identity and access management, or IAM for short. IAM is a term used for defining user access with a privileged role, also known as role-based access control. Let's take a look at what options are available across Google Cloud Platform, AWS and Azure. There are some shared user and IAM features found across all three platforms, including multifactor authentication, also known as MFA, single sign-on, also known as SSO, built-in role-based access control, also known as RBAC, and custom role-based access control.

One key difference, though, across the platforms is privileged access management, or PAM, which is used to manage privileged accounts for users or resources deployed based on IaaS, PaaS or SaaS. Azure offers a service called Privileged Identity Management, which includes just-in-time privileged access to Azure AD and Azure resources. AWS and GCP don't have a built-in feature to address PAM; however, you are able to deploy a third-party solution to address this via the Marketplace.

- Let's go ahead and compare some of the IaaS workload security solutions each platform offers. In terms of distributed denial of service protection, Azure calls their offering, unsurprisingly, DDoS Protection. AWS has Shield and GCP has Google Cloud Armor. In terms of features they all, in principle, do a similar thing. When it comes to secrets management, Azure has a service called Key Vault, which is used to store secrets like passwords and keys, and it also supports storing of certificates.

AWS calls their offering Secrets Manager; it is used for storing secrets only, although it also provides a mechanism for storing certificates. GCP Secrets Manager works the same as the other platforms and provides the functionality to store passwords and certificates. For virtual private networking, AWS VPN supports point-to-site and site-to-site options, with a site-to-site connection limit of 10 connections for a VPN gateway. Azure VPN Gateway supports point-to-site and site-to-site VPNs, with a limitation of a maximum of 30 site-to-site connections per VPN gateway. Google Cloud VPN only supports site-to-site VPN connections and does not currently support point-to-site connections.

- Next up, let's have a look at how the platforms approach platform as a service, or PaaS, security. Let's focus on securing data, as this hosts important organizational or customer information, which is one of the main goals for hackers. All three cloud platforms support the following security controls from a database point of view: identity and access management policies, or IAM policies; firewall rules, which include IP whitelisting, where organizations can expose databases through the internet but only allow the organization's public IP address to connect to it; encryption in transit, or TLS, which specifies if the database supports secure connections to it; and encryption at rest, or TDE, which specifies if the database supports encryption at rest by means of hard-drive-level encryption.

- Most organizations have to comply with a set of security standards, and the same rules apply for cloud workloads. Let's take a moment to understand how the cloud platforms help organizations meet cloud security compliance. Azure has the Azure Security Center, GCP has the Trust and Security Center, and AWS calls their security assessment service Amazon Inspector. Compliance tools on all three cloud platforms support most compliance standards, such as ISO 27001, PCI DSS and many more. These tools have the capability to audit the resources deployed and advise on security best practices to ensure your environment is secure and you have not missed anything major from a security or configuration point of view.

- Lastly, it's worth mentioning that each cloud platform offers a marketplace where customers can make use of third-party vendor applications to meet specific security requirements. AWS and Azure are leading the way on this, with GCP trying to catch up. So at the end of the day, when you choose a cloud provider there are multiple security decisions to make alongside other considerations such as pricing, hybrid identities and skills to support your solutions. If you want to learn more, have a look at A Cloud Guru's courses in cloud security for a more in-depth breakdown and hands-on approach. Thanks for watching, stay safe and keep being awesome, Cloud Gurus.
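The PaaS data-security segment lists four database controls that are common to all three providers: an IAM policy, a firewall allowlist restricted to the organization's public addresses, TLS in transit, and encryption at rest. The following audit script is an added example, not part of the episode or of any provider's tooling; the provider-neutral configuration shape, the database names and the organization's public range (203.0.113.0/28) are constructed for illustration.

```python
"""Audit constructed PaaS database settings against the four controls named in the
episode: IAM policy attached, firewall allowlist limited to the organization's public
ranges, TLS required in transit, and encryption at rest (TDE) enabled."""
import ipaddress

# Constructed assumption: the organization's public egress range.
ORG_PUBLIC_RANGES = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed sample configurations in a provider-neutral shape (not a real API).
DATABASES = {
    "orders-db": {
        "iam_policy_attached": True,
        "firewall_allow": ["203.0.113.4/32"],
        "require_tls": True,
        "encryption_at_rest": True,
    },
    "legacy-db": {
        "iam_policy_attached": False,
        "firewall_allow": ["0.0.0.0/0"],   # database exposed to the whole internet
        "require_tls": False,
        "encryption_at_rest": True,
    },
}

def unauthorised_ranges(allow_rules, org_ranges):
    """Return firewall entries that admit addresses outside the organization's ranges."""
    bad = []
    for rule in allow_rules:
        net = ipaddress.ip_network(rule, strict=False)
        if not any(net.subnet_of(org) for org in org_ranges):
            bad.append(rule)
    return bad

def audit_database(name, cfg, org_ranges=ORG_PUBLIC_RANGES):
    """Return a list of findings; an empty list means all four controls are satisfied."""
    findings = []
    if not cfg.get("iam_policy_attached"):
        findings.append("no IAM policy governs database access")
    open_rules = unauthorised_ranges(cfg.get("firewall_allow", []), org_ranges)
    if open_rules:
        findings.append(f"firewall admits non-organization ranges: {open_rules}")
    if not cfg.get("require_tls"):
        findings.append("unencrypted connections permitted (TLS not enforced)")
    if not cfg.get("encryption_at_rest"):
        findings.append("encryption at rest (TDE) disabled")
    return findings

def audit_all(databases=DATABASES, org_ranges=ORG_PUBLIC_RANGES):
    """Audit every database and map its name to its findings."""
    return {n: audit_database(n, c, org_ranges) for n, c in databases.items()}
```

Running `audit_all()` flags `legacy-db` on three of the four controls while `orders-db` passes, which is the check a team would run before exposing a managed database through a public endpoint.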
