CISOs trying to determine which of the three major cloud service providers (CSPs) offers the best security need to break that question down into two parts: Which one does the best job securing its own infrastructure, and which one does the best job helping you to secure your data and applications?
Security in the public cloud is based on the shared responsibility model, the notion that it's possible to draw a hard line that separates the role of the cloud service provider (securing the platform) from the role of the customer (protecting its own assets in the cloud). It sounds good in theory, but in practice the shared responsibility model can be tricky when a CISO is dealing with a single cloud vendor, and exponentially more difficult in a multi-cloud world.
As veteran security expert Andy Ellis puts it, “It seems really clear and simple—and like all clear and simple analogies, it doesn’t hold up to inspection.” He points out that it’s difficult for organizations to parse out the interconnections between the cloud platform and the applications running on top of it. “The reality is that how a customer configures a cloud service is critical to the safety of the applications. The list of ways that a customer can end up shot in the foot is remarkably large.”
However, that solid wall separating the CSP’s responsibility and the customer’s role is beginning to crumble. To differentiate themselves, cloud service vendors are recognizing the shortcomings in the shared responsibility model and are trying to develop more of a partnership relationship with customers, says Melinda Marks, senior analyst at Enterprise Strategy Group (ESG).
So, how can a CISO determine how the Big 3 cloud service providers—Amazon Web Services (AWS), Microsoft Azure, and Google Cloud—differ in the way they address those issues and provide a secure and resilient cloud platform?
Before drilling down into the specifics for each vendor, here are three basic starting points from Richard Mogull, analyst and CEO at Securosis.
- While the Big 3 tend to keep their internal processes and procedures close to the vest, they all do an excellent job protecting the physical security of their data centers, defending against insider attacks, and securing the virtualization layer upon which applications and development platforms run.
- The cloud is essentially a new kind of data center and each CSP is fundamentally different at the technical level. “There is no quick fix. The actual implementation details are going to be different across each of those providers.” The best thing organizations can do is make the investment to train employees so they gain expertise in how to operate in these cloud environments.
- Beyond the specific nuts and bolts of each vendor's platform, Mogull argues that market share correlates with having the broadest set of third-party tools, the deepest knowledge base, and the largest community. AWS has 33% market share, Azure is second at 21%, and Google is a distant third at 8%, according to an analysis of first quarter 2022 cloud services revenue conducted by the analyst firm Canalys.
Google Cloud: Swapping shared responsibility for shared fate
Google has made the biggest splash when it comes to redefining the shared responsibility model. In fact, Google has coined a new term, which it calls “shared fate.”
According to Google CISO Phil Venables, “The shared responsibility model created ‘uncertainty’ as to who handles certain aspects of threat detection, configuration best practices, and alerts for security violations and anomalous activities.” Shared fate represents “the next evolutionary step to create closer partnership between cloud service providers and their customers so that everyone can better face current and growing security challenges while still delivering on the promise of digital transformation.”
The features of shared fate include default configurations designed to ensure security basics, blueprints to help customers more easily configure products and services, and secure policy hierarchies so policy intent is automatically enabled across the entire infrastructure. In addition, Google has a program that connects cloud customers with insurers who offer specialized insurance for Google Cloud workloads, providing a unique risk management component.
When comparing the Big 3, Google is in an interesting position. Mogull points out that the Google Cloud is “built on Google’s long-term engineering and global operations, which are insanely impressive.”
However, Google’s 8% market share is an issue because there are fewer security experts with deep Google Cloud experience, which translates into a less robust community and less tooling, says Mogull. Overall, Google Cloud “isn’t as mature as AWS” and doesn’t have the same breadth of security features, he says.
Google is addressing that issue with the recent announcement of something it calls “invisible security.” The idea is that Google will continue to expand its cloud-native security offerings so that organizations can reduce their reliance on third-party tools.
One example is Google’s Cloud IDS, a managed intrusion detection system that enterprises can deploy in just a few clicks to protect themselves against malware, spyware, command-and-control attacks, and other network-based threats.
Microsoft Azure tackles multi-cloud security
Microsoft has launched an effort to address the challenge of securing multi-cloud environments with the release of Microsoft Defender for Cloud, which provides cloud security posture management (CSPM) and cloud workload protection (CWP) across Azure, AWS and Google Cloud.
The goal is to find weak spots across cloud configurations, help strengthen the overall security posture and protect workloads against evolving threats across multi-cloud and hybrid environments. Microsoft Defender for Cloud covers virtual machines, containers, databases, storage, and application services.
However, the shared responsibility model remains in place on the Azure cloud. Organizations are responsible for securing their data and identities, on-premises resources, endpoints, accounts, and access management.
Mogull says that Azure is just a bit "rougher around the edges in terms of maturity" than AWS, specifically in the areas of consistency, documentation, and the fact that many services default to less secure configurations. Azure does have some advantages. Azure Active Directory can be linked to an enterprise's existing Active Directory to provide a single source of truth for authorization and permissions management, which means everything can be managed from a single directory. Azure's identity and access management is very hierarchical out of the box and easier to manage than AWS's, says Mogull.
In terms of market momentum, Mogull says that "Microsoft is coming on strong" because it knows how to leverage its existing relationships with enterprise customers. However, he cautions that enterprises should consider that security is not baked into the DNA of Microsoft the way it is at pure-play security vendors.
Amazon Web Services (AWS) offers broad security toolset
As the oldest and most dominant vendor, AWS has an advantage when it comes to knowledge and tooling. “It’s easier to get answers, find help, and find supported tools. This is on top of the platform’s overall maturity and scope,” says Mogull.
AWS has a huge marketplace of third-party vendors and has a variety of add-on offerings, as well as advisory, consulting, training, and certification services. Marks points out that AWS “has put a lot of thought into the features they have.” She cites Inspector, a service that continuously scans Amazon EC2 instances and container images for software vulnerabilities and unintended network exposures.
Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
Those add-on services and others fall under the umbrella of the AWS Security Hub, which collects security data from AWS services and third-party partners and provides a consolidated view of a customer’s security status.
Mogull adds, "Two of the best AWS security features are their excellent implementation of security groups (firewalls) and granular IAM." However, AWS security is based on isolating services from each other unless access is explicitly enabled. This works well from a security perspective, but the tradeoff is that it makes enterprise-scale management more difficult than it has to be and makes it more difficult to manage IAM at scale, says Mogull. "Despite those limitations, AWS is usually the best place to start, where you run into the fewest security issues."
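The deny-by-default behaviour Mogull describes can be seen in miniature by modelling the two primitives he names. The following is an added example written for this article, not AWS code or a product feature: a simplified Python evaluator for security group inbound rules (allow-list only, no deny rules) and for IAM policy statements (implicit deny, explicit Allow required, explicit Deny always wins). The security group, the bucket name `app-logs` and the policy document are constructed for illustration, and the model deliberately omits conditions, resource-based policies, permission boundaries and service control policies.

```python
"""Deny-by-default evaluation for two AWS primitives, security groups and
IAM identity policies. Added illustration, not AWS code: a simplified model
of the documented evaluation rules, run over constructed sample data."""
import fnmatch
import ipaddress
import json

# --- Security groups: allow-list only; no matching rule means dropped ------
# Constructed sample: a web-tier security group with two inbound rules.
# There is no way to express "deny" here; isolation is the absence of a rule.
WEB_SG_INBOUND = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
]


def sg_allows(rules, protocol, port, src_ip):
    """Return True if any inbound rule matches the connection attempt.
    protocol "-1" in a rule means all protocols (AWS convention)."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["protocol"] not in (protocol, "-1"):
            continue
        if not rule["from_port"] <= port <= rule["to_port"]:
            continue
        if src in ipaddress.ip_network(rule["cidr"]):
            return True
    return False  # implicit deny: nothing explicitly enabled this traffic


# --- IAM: implicit deny, explicit Allow needed, explicit Deny wins ----------
# Constructed sample policy attached to one principal: read-only access to a
# log bucket, with a carve-out that blocks every action on a secrets prefix.
READ_ONLY_LOGS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::app-logs/secrets/*"}
  ]
}""")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style matching with '*' and '?' wildcards (case-sensitive here;
    actions are lowercased by the caller because IAM compares them
    case-insensitively, while ARNs are compared case-sensitively)."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def iam_evaluate(policies, action, resource):
    """Return "Allow" or "Deny" following the IAM evaluation order:
    an explicit Deny in any matching statement ends evaluation as Deny;
    otherwise at least one explicit Allow is required; otherwise the
    implicit deny applies. That implicit deny is the isolation the text
    describes: nothing is reachable until a policy explicitly enables it."""
    decision = "Deny"  # start from the implicit deny
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = [a.lower() for a in _as_list(stmt["Action"])]
            if not _matches(actions, action.lower()):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides any Allow
            decision = "Allow"
    return decision


if __name__ == "__main__":
    print("443 from internet:", sg_allows(WEB_SG_INBOUND, "tcp", 443, "203.0.113.5"))
    print("22 from internet: ", sg_allows(WEB_SG_INBOUND, "tcp", 22, "203.0.113.5"))
    print("22 from VPC:      ", sg_allows(WEB_SG_INBOUND, "tcp", 22, "10.1.2.3"))
    policies = [READ_ONLY_LOGS_POLICY]
    for act, res in [("s3:GetObject", "arn:aws:s3:::app-logs/2022/app.log"),
                     ("s3:GetObject", "arn:aws:s3:::app-logs/secrets/db.key"),
                     ("s3:PutObject", "arn:aws:s3:::app-logs/2022/app.log"),
                     ("s3:GetObject", "arn:aws:s3:::other-bucket/x")]:
        print(f"{act:13} {res:45} -> {iam_evaluate(policies, act, res)}")
```

The point of running both evaluators side by side is that neither layer has a notion of "open by default": a connection or API call is refused unless a rule or statement names it, which is exactly why AWS is safe to start from and why permissions sprawl into many small, explicit grants at enterprise scale.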
Copyright © 2022 IDG Communications, Inc.