What is cloud security?
Cloud security is actually a combination of security controls and settings, and not just a single setting or checkbox.
There is often confusion around cloud security, and that’s because organizations don’t always know what they are responsible for. What’s even worse is that some organizations think that the cloud platforms are responsible for anything security-related — and that’s a big problem because it’s definitely not the case.
Enter the first stop on our tour of all things security in the cloud: the shared responsibility model.
What is the Shared Responsibility Model?
In order to better understand who is responsible for security in the cloud, we need to reference something called the shared responsibility model.
The shared responsibility model is a framework that helps differentiate when the cloud provider is accountable for security and when your organization is accountable for security, based on what is deployed in the cloud.
Now, let’s take a look at the three cloud platforms’ way of handling the shared responsibility model. In general, all three cloud providers follow the same principles for shared responsibility; they just have slightly different approaches.
Azure’s shared responsibility model
The first category is customer responsibility: the customer is always responsible. This covers information and data, devices such as mobile phones and PCs, and user accounts, which are also called identities.
The second category is less black and white and more of a gray area, because responsibility shifts depending on the cloud service model in use: software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS).
Lastly, we have the category called cloud provider responsibility. This is when the cloud provider is solely responsible for security, whether the service is SaaS, PaaS, or IaaS. An example of this would be the physical infrastructure in the data centers hosting these services.
AWS shared responsibility model
For the AWS Shared Responsibility Model, AWS takes a simpler approach.
Customers are responsible for security in the cloud, meaning their own data, user accounts, applications, and so forth, while AWS is responsible for the security of the cloud, including the underlying hardware within the data centers such as physical hosts, storage, and networking.
Google Cloud’s shared responsibility model
Google’s approach to the shared responsibility model is a bit more complex as they specify in detail, in each instance, who is responsible for security. It’s called the Shared Responsibility Matrix.
Identity and Access Management (IAM)
As we saw under the different shared responsibility models, organizations are responsible for user accounts. This forms part of what is called identity and access management, or IAM for short. IAM is the term for defining which users may access which resources and with what level of privilege; granting that access through predefined roles is known as role-based access control.
We’ll do a quick overview of IAM here, but for a deeper dive check out our separate post comparing AWS, Azure, and Google Cloud IAM services.
There are some shared user and IAM features across all three platforms, including multi-factor authentication (MFA), single sign-on (SSO), built-in role-based access control (RBAC), and custom role-based access control.
One key difference, though, across the platforms is privileged access management (PAM), which is used to manage privileged accounts for users or resources deployed based on IaaS, PaaS, or SaaS.
Azure offers a service called Privileged Identity Management, which includes just-in-time privilege access to Azure AD and Azure Resources.
AWS and GCP don’t have a built-in feature to address PAM. However, you are able to deploy a third-party solution to address this via the Marketplace.
Let’s compare some of the IaaS workload security solutions each platform offers.
Distributed denial of service protection
• Azure calls their offering (unsurprisingly) DDoS Protection.
• AWS has Shield.
• GCP has Google Cloud Armor.
Secrets management
• Azure has a service called Key Vault, which is used to store secrets like passwords and keys, and it also supports storing certificates.
• AWS calls their offering Secrets Manager; it is used for storing secrets only, although it also provides a mechanism for storing certificates.
• GCP Secrets Manager works the same as the other platforms and provides the functionality to store passwords and certificates.
Virtual private networking
AWS VPN supports point-to-site and site-to-site options with a site-to-site connection limit of 10 connections for a VPN gateway.
Azure VPN gateway supports point-to-site and site-to-site VPNs with a limitation of a maximum of 30 site-to-site connections per VPN gateway.
Google Cloud VPN only supports site-to-site VPN connections and does not currently support point-to-site connections.
Data security (PaaS)
Next, let’s have a look at how the platforms approach platform as a service, or PaaS, security. Let’s focus on securing data, since databases hold important organizational or customer information and are one of the primary targets for attackers.
All three cloud platforms support the following security controls from a database point of view:
• Identity and access management policies, or IAM policies.
• Firewall rules, including IP allow-listing (whitelisting). This lets an organization expose a database to the internet while permitting connections only from the organization’s own public IP address.
• Encryption in transit (TLS), which specifies whether the database accepts only secure client connections, and encryption at rest, by means of disk-level encryption.
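As an added example that is not part of the original article, the script below audits database instances against the four controls just listed. The instance records and their field names are a constructed, provider-neutral format, not any cloud provider's real API.

```python
"""Audit database instances for the four controls: IAM auth, IP allow-list,
TLS in transit, encryption at rest. Constructed example config, not a real
provider API."""
import ipaddress
from typing import Dict, List

# Constructed sample: one instance open to the whole internet with TLS
# optional, one locked down to a single organisation public IP.
SAMPLE_INSTANCES = [
    {"name": "orders-db", "public_ip": True, "allowed_cidrs": ["0.0.0.0/0"],
     "require_tls": False, "encrypted_at_rest": True, "iam_auth": False},
    {"name": "hr-db", "public_ip": True, "allowed_cidrs": ["203.0.113.10/32"],
     "require_tls": True, "encrypted_at_rest": True, "iam_auth": True},
]


def is_overly_broad(cidr: str) -> bool:
    """True if the range admits more than 256 source addresses
    (wider than a /24 for IPv4, wider than a /120 for IPv6)."""
    net = ipaddress.ip_network(cidr, strict=False)
    limit = 24 if net.version == 4 else 120
    return net.prefixlen < limit


def audit_instance(inst: Dict) -> List[str]:
    """Return findings for one instance; an empty list means all controls pass."""
    findings = []
    if not inst.get("iam_auth"):
        findings.append("IAM: database logins are not governed by IAM policies")
    if inst.get("public_ip"):
        cidrs = inst.get("allowed_cidrs", [])
        broad = [c for c in cidrs if is_overly_broad(c)]
        if not cidrs:
            findings.append("FIREWALL: public endpoint with no IP allow-list")
        elif broad:
            findings.append("FIREWALL: allow-list too broad: " + ", ".join(broad))
    if not inst.get("require_tls"):
        findings.append("TRANSIT: TLS is not enforced for client connections")
    if not inst.get("encrypted_at_rest"):
        findings.append("REST: disk-level encryption is disabled")
    return findings


def audit_all(instances: List[Dict]) -> Dict[str, List[str]]:
    """Map each instance name to its list of findings."""
    return {i["name"]: audit_instance(i) for i in instances}


if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_INSTANCES).items():
        print(name, "OK" if not found else "\n  " + "\n  ".join(found))
```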
Built-in security and compliance (SaaS)
Most organizations have to comply with a set of security standards, and the same rules apply for cloud workloads. Let’s take a moment to understand how the cloud platforms help organizations meet cloud security compliance.
• Azure has the Azure Security Center.
• GCP has the Trust and Security Center.
• AWS calls their security assessment service Amazon Inspector.
Compliance tools on all three cloud platforms support the most common compliance standards, such as ISO 27001, PCI DSS, and many more. These tools can audit the deployed resources and advise on security best practices, so that your environment is secure and you have not missed anything major from a security or configuration point of view.