The move from on-premises to cloud infrastructure is happening at a rapid pace. Many organizations need the cloud to power application development and to support workloads that traditional data centers can no longer handle. In fact, Gartner expects cloud infrastructure as a service (IaaS) to be a $74 billion industry by 2022.
For many companies, transitioning to cloud is not something that can wait any longer.
How secure is the cloud?
This new wave should raise questions about security. We constantly hear about data breaches and the financial losses that result from them. When you go from a model of handling every part of security in-house to letting a third party manage your infrastructure off site, some skepticism is justified.
Security should, then, be a top priority when evaluating vendors. The purpose of this piece is to discuss the security practices of the three largest cloud vendors: Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. We've already covered some of the differences between cloud providers, but we think security deserves its own analysis.
Major security factors
Security experts typically list the following three factors as the most important things to consider when evaluating cloud vendors:
- Physical security - Protecting data centers.
- Technical/infrastructure security - Monitoring network traffic and patching vulnerabilities.
- Data and access controls - Controlling who has access to data; encryption.
The first two factors are completely under the vendor's control. All three companies are known to have tight physical security protocols for their hundreds of global locations (you can read about AWS’ policies here, Azure’s here, and GCP’s here).
On the other hand, data and access controls are mostly the responsibility of the customer, with some assistance from the vendor. We’ll get into the idea of shared responsibility later in this piece, but first let’s look at how each vendor tackles the second factor.
Note that we’re using each vendor’s content and documentation as our sources. Each obviously has some bias, but we think it’s useful to compare the features that each vendor considers most important.
AWS has the advantage of being the most mature cloud provider, and with that comes documentation, knowledge, and trained experts. In its security whitepaper, AWS lists the following as its infrastructure security capabilities:
- Network firewalls at layers 3, 4, and 7 built into Amazon Virtual Private Cloud (VPC) that allow customers to control access to individual instances and applications.
- Denial-of-service (DoS) attack mitigation.
- Default encryption of all traffic between AWS facilities.
While it doesn’t have the same tenure as AWS as a cloud provider, Azure is a draw for many organizations that already have a relationship with Microsoft. Azure’s security documentation is extensive, but the following is what Microsoft highlights as the critical components of cloud platform security:
- Security development lifecycle (SDL) - A set of practices that “help developers build more secure software by reducing the number and severity of vulnerabilities in software, while reducing development cost.”
- Intrusion and DoS detection.
- Network access control.
Google emphasizes in its marketing collateral that it runs its own applications on the same cloud infrastructure it sells to customers, implying that customers get the same quality of security as Google itself. While the same could arguably be said of AWS and Azure, we thought it was interesting that this is one of Google’s main value propositions.
We’ll note that one concern some security leaders have with GCP is its newness and the relative scarcity of experts trained on the platform compared with AWS and Azure.
GCP’s infrastructure security whitepaper goes into detail describing the layers of security starting with hardware and ending with operational security. Some of the components include:
- Custom hardware and software in data centers and a strict hardware disposal policy.
- Global IP network that minimizes the number of hops across the public internet.
- Security monitoring that is focused on internal network traffic.
Shared responsibility model
Now let’s discuss the third component of cloud security: data access and controls. This may actually be the most critical part of cloud security. According to Gartner, more than 95 percent of cloud data breaches are the fault of the customer, not the cloud vendor. This makes sense when you consider the root causes of many data breaches in recent years. How many times have you heard about a leak blamed on a misconfigured AWS S3 bucket? The 2019 Capital One breach, which exposed more than 100 million customer and card applicant records, was traced to an incorrect firewall implementation on AWS.
Within the security documentation for each vendor, all three delineate the factors that are ultimately the responsibility of the customer. These include the security components most often attacked: data encryption, identity and access management (IAM), and firewall and router configuration. The three vendors refer to this delineation as the shared responsibility model. AWS defines it succinctly: the vendor is “responsible for the security OF the cloud. The customer is responsible for security IN the cloud.”
The good news is that the three major cloud vendors are all on similar footing when it comes to physical and infrastructure security, and all have strong offerings. After all, these are large corporations that use these services themselves, so you would expect them to be of the highest quality.
The bad news is that your choice becomes more difficult.
Since the most significant security factor, data access and controls, falls on you, the customer, how do you find the most appropriate cloud vendor while keeping the shared responsibility model in mind? After all, you don't want to get locked into the wrong vendor.
A few questions can help you narrow it down. Essentially, consider how easily you can work with each platform:
- Is documentation easy to find and understand? This is not to say that any cloud provider is easier or harder to work with, but members of your team may have more familiarity with one over the others.
- Does one or the other align with other technology at your organization? (Data lakes or data warehousing options you prefer, for example.)
- Does the availability of security consultants trained on the platforms differ?
- What is the overall cost for your use case and data needs?
Ultimately, the most secure cloud platform vendor is one that allows you to allocate resources to carefully manage your sensitive data.