Keeping a strong eye on cloud security is vital to long-term success and business growth.
According to research by one leading IT security firm, 80% of organizations store sensitive data in the cloud, whilst 53% experienced a cyberattack on their cloud infrastructure within the last 12 months.
Given how commonplace cyberattacks are and how costly they can be, security features should be a key consideration when choosing your cloud service provider. You should understand your own security responsibilities in this area.
Below, we outline what your security obligations are in the cloud and look at the pros and cons of the three market leaders, Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP).
Cloud security: your obligations vs your cloud provider’s
Outsourcing to a cloud provider does not allow you to outsource all of your security obligations. Whilst cloud providers are responsible for some security aspects, you retain responsibility for others.
This is known as the ‘shared responsibility model’. Whilst cloud providers secure their physical assets and the platform itself, you still need to meet the security, governance and compliance requirements that apply to what you build and store on that platform.
Here’s a top-level guide to how this works.
In other words, your cloud provider is responsible for maintaining the security of the cloud. You are responsible for maintaining security in the cloud as you use it.
For example, your provider protects its own infrastructure and control-plane login endpoints against brute-force attempts, but responsibility for minimizing threats caused by user error or malice, such as weak credentials, over-broad permissions or misconfigured services, lies with you.
Amazon Web Services, Microsoft Azure and Google Cloud Platform: how different are they, really?
The three market-leading cloud service providers – AWS, Microsoft Azure and GCP – currently control 62% of the market, growing at a combined 42% in Q1 2022. This isn’t surprising, given the COVID-accelerated digitization of the past two years and the corresponding focus on security concerns.
Whilst each provider has its individual strengths, all three offer a robust set of security features to help keep your organization and its valuable data safe. Regardless of which provider you opt for, expect strong performance in the following areas:
- Firewall: a virtual barrier that monitors traffic into and out of your network, blocking suspicious activity
- Encryption in transit: encryption to protect your data whilst it moves between your site and the cloud provider or between services
- Compliance management: certification for major compliance standards and features to help users remain compliant with data regulations like the GDPR
- IaaS DDoS protection: features designed to repel DDoS attacks, such as traffic-anomaly detection and capacity to absorb traffic surges. AWS calls its offering ‘AWS Shield’, Azure’s is ‘Azure DDoS Protection’, and GCP’s is ‘Google Cloud Armor’
- Physical security: measures taken to keep the cloud provider’s physical servers safe, such as security personnel and alarm systems
Amazon Web Services
The oldest and most established of the three market leaders, Amazon Web Services is the most popular choice as a cloud service provider. With extensive documentation and default secure configurations, it’s easy to see why.
What’s their shared responsibility model?
AWS’ approach is simple and easy to follow, following the ‘security in/of the cloud’ distinction almost exactly. AWS takes care of hardware, storage, networking and databases, whilst their customers implement their own practices for data security, user access and third-party applications.
What does AWS do well?
- As the most mature cloud provider, AWS has a few major advantages:
1. Documentation is clear, transparent and easy to find.
2. Tooling is more extensive, with the largest marketplace for third-party add-ons.
3. Talent – you’ll find more IT security professionals with AWS experience than Azure or GCP.
4. AWS’ partner network is extensive and mature.
- AWS defaults to secure configurations in key areas, so your security is enhanced out of the box. For example, when you launch an instance into a VPC, inbound traffic is denied unless a security group rule explicitly allows it.
- AWS’ auditing tool CloudTrail helps manage compliance, improve security posture, and consolidate activity records across Regions and accounts.
- AWS’ identity and access management is granular: federation, users and access are configured separately for each account. This is more to manage, but environments are more isolated, so a breach elsewhere in the organization is less likely to spread.
Anything to watch out for?
- AWS’ approach to user access management (and general reliance on isolation as a security tool) means enterprise-level management requires a greater commitment of resources.
- Microsoft Azure has a moderately stronger VPN offering. Whilst both support point-to-site and site-to-site options, the quotas cited here at the time of writing give AWS a site-to-site connection limit of 10 and Azure 30. Check the current service quotas before relying on these figures; AWS quotas in particular can be raised on request.
Microsoft Azure
Microsoft Azure is the second most established cloud service provider after AWS. Its centralized approach can be a great fit for some organizations, but a less defined shared responsibility model and some consistency issues can be frustrating.
Shared responsibility model
Whilst similar to AWS, there’s an added ‘gray area’ where responsibilities depend on the cloud model deployed. This encompasses infrastructure and directory infrastructure, applications, network controls and operating systems.
What does Azure do well?
- If you take a centralized approach to identity and access management (IAM), Azure Active Directory (since renamed Microsoft Entra ID) will fit your working practices. It lets you manage authentication, authorization and permissions from a single console, making management easier and less prone to human error.
- Azure’s activity log records console and API activity for a whole subscription across all regions by default, whilst local teams can manage their own alerts via Azure Security Center (since renamed Microsoft Defender for Cloud).
- Azure offers inbuilt privileged access management (Privileged Identity Management) for just-in-time access to Azure AD roles and Azure resources. At the time of writing, AWS and GCP rely on third-party add-ons for equivalent functionality.
- Azure has the strongest VPN features – both point-to-site and site-to-site connections are supported, with a generous site-to-site connection limit of 30.
Anything to watch out for?
- Azure has a reputation for inconsistency and poor documentation, so it's advisable to tread carefully and test extensively.
- Changes made through the console can take time to reflect in the wider environment.
- A less defined shared responsibility model with more gray areas than its immediate competitors offers the potential for misunderstanding and misinterpretation.
- An inconsistent approach to some security processes can expose vulnerabilities. For example, a new virtual machine added to a newly created virtual network with no network security group (NSG) attached to its subnet or NIC accepts traffic on all ports and protocols (AWS and GCP start with a default deny). Attach an NSG with an explicit deny-all inbound rule before exposing the VM.
- Azure’s centralized approach to IAM is easier to manage, but at the same time, environments are less isolated and, therefore, less protected from each other.
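The AWS point above about instances starting closed and the Azure caveat about VMs starting open come down to the same practitioner habit: do not trust a provider’s default, enumerate the rules. The script below is an added example, not code from the original post or from any provider. It normalizes constructed samples shaped like each provider’s API output (AWS describe_security_groups IpPermissions, Azure NSG securityRules and VNet subnets, GCP compute.firewalls) and reports every allow-ingress rule reachable from anywhere, plus Azure subnets with no NSG attached. The sample data, object names and helper names are assumptions made for the example.

```python
"""Find world-reachable ingress rules across AWS, Azure and GCP rule data.

Added example, not code from the original post. The *_SAMPLE objects are
constructed to mimic the shape of each provider's API output (AWS
describe_security_groups IpPermissions, Azure NSG securityRules and VNet
subnets, GCP compute.firewalls); they were not captured from a real account.
"""
import ipaddress

# Source values that mean "anyone on the internet". "*" and "Internet" are
# Azure spellings; CIDRs are also checked generically in is_world().
WORLD_SOURCES = {"0.0.0.0/0", "::/0", "*", "Internet"}


def is_world(source: str) -> bool:
    """True if a source prefix or tag admits traffic from any address."""
    if source in WORLD_SOURCES:
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:  # service tags, names, malformed input
        return False


def aws_ingress(sg):
    """Yield (name, source, protocol, ports) for inbound AWS security group rules."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            yield sg["GroupId"], rng.get("CidrIp") or rng.get("CidrIpv6"), proto, ports


def azure_ingress(nsg):
    """Yield inbound Allow rules from an Azure network security group."""
    for rule in nsg.get("securityRules", []):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")]
        for prefix in prefixes:
            yield nsg["name"], prefix, rule["protocol"], rule["destinationPortRange"]


def gcp_ingress(fw):
    """Yield allow rules from a GCP VPC firewall rule (ingress only)."""
    if fw.get("direction", "INGRESS") != "INGRESS" or "allowed" not in fw:
        return
    for allow in fw["allowed"]:
        ports = ",".join(allow.get("ports", ["all"]))
        for src in fw.get("sourceRanges", []):
            yield fw["name"], src, allow["IPProtocol"], ports


PARSERS = {"aws": aws_ingress, "azure": azure_ingress, "gcp": gcp_ingress}


def open_ingress_findings(provider, objects):
    """All allow-ingress rules in `objects` whose source is the whole internet."""
    parse = PARSERS[provider]
    return [f for obj in objects for f in parse(obj) if is_world(f[1])]


def azure_unguarded_subnets(vnet):
    """Subnets with no NSG attached. Azure allows all inbound traffic to NICs in
    such a subnet unless the NIC itself carries an NSG (assumed not to here)."""
    return [s["name"] for s in vnet.get("subnets", []) if not s.get("networkSecurityGroup")]


# ---- constructed samples (not captured from a real account) ----
AWS_SAMPLE = [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": []},  # freshly created group: closed
    {"GroupId": "sg-0ffffff1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]
AZURE_SAMPLE = [
    {"name": "web-nsg", "securityRules": [
        {"name": "allow-rdp", "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
        {"name": "deny-all", "direction": "Inbound", "access": "Deny",
         "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    ]},
]
AZURE_VNET_SAMPLE = {"name": "app-vnet", "subnets": [
    {"name": "web", "networkSecurityGroup": {"id": "/nsg/web-nsg"}},
    {"name": "data", "networkSecurityGroup": None},  # nothing filters inbound here
]}
GCP_SAMPLE = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "internal", "direction": "INGRESS", "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for provider, sample in (("aws", AWS_SAMPLE), ("azure", AZURE_SAMPLE), ("gcp", GCP_SAMPLE)):
        for name, src, proto, ports in open_ingress_findings(provider, sample):
            print(f"{provider}: {name} allows {proto}/{ports} from {src}")
    for subnet in azure_unguarded_subnets(AZURE_VNET_SAMPLE):
        print(f"azure: subnet {subnet} has no NSG attached")
```

To run this against a real estate, replace the constructed samples with the objects returned by the respective APIs (for example the security group list from boto3’s describe_security_groups, NSG and VNet objects from the Azure SDK, and firewall rules from the Compute Engine API). The Azure subnet check is the one that catches the failure mode described above: an open-by-omission network will produce no rule finding at all, so the absence of an NSG has to be checked separately.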
Google Cloud Platform
Newcomer Google Cloud Platform (GCP) packs a punch when it comes to features and functionality. On the other hand, documentation, add-ons and access to talent are limited by the relative youth of Google as a cloud service provider.
Shared responsibility model
GCP’s shared responsibility model is a detailed matrix specifying exactly which security tasks customers are responsible for across IaaS, PaaS and SaaS. You know exactly what your responsibilities are and can take action to meet them.
What does GCP do well?
- Whilst a relative newcomer, GCP offers many promising features based on a wealth of engineering and global operations expertise elsewhere. In particular, container management and AI features stand out as market-leading.
- GCP offers a centralized approach to security management that’s easy to manage and scale. Whilst projects are isolated from each other by default, you have the option to connect them if it works best for you.
- Like AWS, Google does a good job at defaulting to secure configurations and maintains a consistent approach throughout its cloud offerings.
Anything to watch out for?
- As the youngest of the three major cloud providers, documentation isn’t as extensive. You may also have trouble finding IT security professionals with experience of GCP.
- Google’s VPN features are the weakest of the three – currently, only site-to-site VPN connections are supported, with no point-to-site connection support.
- There are fewer third-party add-ons for GCP as the marketplace isn’t as developed, and fewer inbuilt security features overall.
A few final thoughts
There is a lot of information to digest when it comes to cloud provider security. Use this table as a quick reference guide.
To a large extent, your choice of cloud provider depends on your specific needs. For example,
- GCP is a strong choice if future-facing AI features are a must-have
- Azure works well if you have a strong preference for centralized IAM features
- AWS offers a well-rounded, mature product that offers ultimate reliability
If you need some assistance weighing up the best options for your cloud migration, why not get in touch? Our experts work across a range of projects and will be happy to lend their expertise.