The Big Three cloud service providers (CSPs) are Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. All three offer security tools to their customers, with the range of solutions continually expanding.
But can these tools fully protect your cloud infrastructure, web applications, and APIs?
In this article, we’ll survey the tools available from these CSPs, discussing what they can and cannot do, and the additional capabilities that are necessary for your organization to achieve total protection.
The Big Three: An Overview
AWS, GCP, and Azure offer web security tools that have some differences, yet are still similar in many ways.
AWS has a number of security products, including AWS WAF (Web Application Firewall), which filters HTTP(S) requests in front of resources such as CloudFront distributions, Application Load Balancers, and API Gateway, and AWS Shield for DDoS protection. Among GCP’s security products are its VPC firewall rules, Cloud Security Command Center (since renamed Security Command Center) for posture management, and Cloud Armor for edge DDoS protection and WAF filtering. Microsoft provides various Azure security products, especially Azure Security Center (since renamed Microsoft Defender for Cloud) for management and Azure Web Application Firewall for traffic filtering.
Let’s discuss these services, and see what they offer.
Built-In Tools: Their Strengths
The WAF and DDoS products described above are designed to filter incoming traffic, blocking hostile requests; Security Command Center and Azure Security Center are visibility and management consoles rather than filters. The primary benefit of all of them is that they are native products, built into the cloud infrastructure. They are simple to deploy, and they are integrated with the other related products (such as logging and reporting) offered by each CSP.
A second benefit is their competitive pricing. Some tiers are even free (but see the discussion of costs below).
A third benefit is that these products include some prebuilt security policies. For example, Google’s Cloud Armor offers a number of pre-configured WAF rules, derived from the OWASP ModSecurity Core Rule Set and ready to use, to protect against SQL injection, Cross-Site Scripting (XSS), local and remote file inclusion, and remote code execution attacks.
Built-In Tools: Their Weaknesses
The most significant problem with these services is that they do not provide full protection on their own. For example, the free DDoS tiers (such as AWS Shield Standard) are primarily meant to absorb volumetric and protocol attacks at layer 4 and below; a layer 7 flood of well-formed HTTP requests passes through them and has to be caught by the WAF (typically with rate-based rules) or by a paid tier.
As for the WAF products, their preconfigured rulesets work well within their scope: injection-style payloads with recognizable signatures. That scope is narrow. A signature ruleset says nothing about credential stuffing, scraping, business-logic abuse, or API misuse, so it covers only a fraction of the wide variety of threats that are prevalent today.
Of course, administrators can create additional security policies. But this highlights another problem: administrators must be security experts in order to write rulesets that are correct, effective, and comprehensive. And the price of failure is high. A rule that is too loose leaves a gap in the system, and a rule that is too strict blocks legitimate users, so every custom rule has to be tuned against real traffic and kept that way.
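The following script is an added example, not code from the article, from Reblaze, or from any CSP. It illustrates both points above: a prebuilt-style signature ruleset (here two deliberately simplified stand-in patterns for SQLi and XSS; real managed rulesets hold hundreds) and a hand-written rate-based rule are run over a constructed request log, and the result shows what these rules catch and what they miss. The IP addresses, paths, thresholds, and log lines are all made up for the demonstration.

```python
"""Toy WAF evaluation over a constructed request log.

Added example; not code from the article, from Reblaze, or from any CSP.
The log lines, IPs and thresholds are made up, and the two signature patterns
are deliberately simplified stand-ins for the much larger SQLi/XSS rulesets a
managed WAF ships with. The point is the matching model, not the patterns.
"""
import re
from collections import Counter

# Stand-ins for prebuilt SQLi / XSS signatures (assumption: real managed
# rulesets contain hundreds of such patterns; these two suffice to show
# what signature matching does and does not see).
SIGNATURE_RULES = {
    "sqli": re.compile(r"(?i)('|%27)\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select"),
    "xss": re.compile(r"(?i)<\s*script|javascript:|on\w+\s*="),
}

# Hand-written rate-based rule: more than this many requests from one source
# IP in the observation window is treated as a flood (assumed threshold).
RATE_LIMIT = 5

# Constructed request log: (src_ip, method, path, query_or_body, status).
LOG = [
    ("203.0.113.10", "GET", "/search", "q=' OR 1=1 --", 200),
    ("203.0.113.11", "GET", "/search", "q=<script>alert(1)</script>", 200),
    ("203.0.113.12", "GET", "/search", "q=shoes", 200),
]
# One source hammering the front page: caught by the rate rule.
LOG += [("198.51.100.5", "GET", "/", "", 200)] * 6
# Distributed credential stuffing: ten sources, one failed login each.
# No payload signature, and each IP stays far below the rate threshold.
LOG += [(f"192.0.2.{i}", "POST", "/login", f"user=user{i}&pass=guess", 401)
        for i in range(1, 11)]
# One legitimate login mixed in.
LOG += [("192.0.2.50", "POST", "/login", "user=bob&pass=correct", 200)]


def signature_hits(log):
    """Requests matched by a prebuilt-style signature: (src_ip, rule_name)."""
    return [(ip, name)
            for ip, _method, _path, payload, _status in log
            for name, rx in SIGNATURE_RULES.items()
            if rx.search(payload)]


def rate_hits(log, limit=RATE_LIMIT):
    """Source IPs exceeding the per-IP request threshold."""
    counts = Counter(ip for ip, *_ in log)
    return sorted(ip for ip, n in counts.items() if n > limit)


def login_abuse(log, path="/login", min_attempts=5, max_failure_ratio=0.5):
    """Behavioural check the prebuilt rules lack: a login endpoint whose
    failure ratio across all sources is abnormally high. Returns the IPs
    behind the failures, or [] if the endpoint looks healthy."""
    attempts = [r for r in log if r[1] == "POST" and r[2] == path]
    failures = [r for r in attempts if r[4] == 401]
    if len(attempts) < min_attempts:
        return []
    if len(failures) / len(attempts) <= max_failure_ratio:
        return []
    return sorted({r[0] for r in failures})


def triage(log):
    """Compare what the native-style rules block with what they miss."""
    native = {ip for ip, _ in signature_hits(log)} | set(rate_hits(log))
    behavioural = set(login_abuse(log))
    return {
        "blocked_by_native_rules": sorted(native),
        "missed_by_native_rules": sorted(behavioural - native),
        "flagged_by_behavioural_rule": sorted(behavioural),
    }


if __name__ == "__main__":
    for key, ips in triage(LOG).items():
        print(f"{key}: {ips}")
```

Run as written, the two injection payloads and the single flooding IP are blocked, while the ten credential-stuffing sources pass every native-style rule and are only flagged by the endpoint-level failure-ratio check. That check is exactly the kind of rule an administrator has to write and tune by hand, with the false-positive risk described above: a burst of legitimate users mistyping passwords after a forced reset would trip the same threshold.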
Another issue is ongoing maintenance. Today’s threat environment is constantly evolving. The CSP security products require your team to stay up-to-date with what’s going on; this involves monitoring CVE databases, following security professionals on social media, attending live events, checking risk-advisory feeds, and more. All of these tasks are very time-consuming, and again, have a high cost of failure when not done consistently.
Finally, there is the matter of costs. The basic tier of each provider’s protection is often free, but the features you will actually need are not. For example, AWS Shield Standard is included for every AWS customer at no charge, but it only covers the most common network- and transport-layer attacks; application-layer DDoS detection for protected resources, access to the AWS Shield Response Team, and cost protection require the paid AWS Shield Advanced subscription, and AWS WAF rate-based rules, the usual defense against HTTP floods, are billed per rule and per request like any other AWS WAF rule. Some features become more costly as they are used more extensively; at the time of writing, Azure Web Application Firewall charges for rules (custom rules cost $1 per unit each month, and managed rulesets cost $20 per unit each month plus $1 per million requests). And for the CSPs’ security offerings overall, 24/7 support is strongly recommended (because it will probably be needed at some point), but this too comes only with a paid support plan.
Are These Tools Enough? No.
The Big Three’s native security products are often portrayed as powerful, free tools. However, this portrayal is misleading. Yes, some of the tools are free, but they have limited scope. The paid tools are better, but they still don’t provide full protection. And on the web today, partial protection is essentially no protection.
Achieving Complete Security
For full protection in the current threat environment, you need a dedicated, complete solution.
Reblaze is a comprehensive web security platform that includes a next-gen WAF, multi-layer DDoS protection, bot management, API security, ATO (Account Takeover) prevention, and more. It provides full-scope protection against the plethora of threats on today’s Internet.
Reblaze runs natively on the Big Three CSPs, and is fully integrated with their built-in security capabilities, automating and extending them. Examples:
- In an AWS environment, Reblaze converts AWS WAF and AWS Shield into an autonomous system which reacts immediately to every type of attack.
- In a GCP environment, Reblaze converts Cloud Armor into an autonomous system: Reblaze identifies hostile traffic, and Cloud Armor immediately blocks it at the edges. Traffic data is streamed into Cloud Security Command Center.
- In an Azure environment, Reblaze extends and completes the Azure WAF, providing comprehensive web security and streaming traffic data into Azure Security Center.
Reblaze is a fully managed solution, maintained remotely by Reblaze’s team of security experts. When you protect your sites, services, and applications with Reblaze, your web security is always up-to-date and always effective.
There’s much more that can be said about Reblaze. To get a demo, contact us.