Cloud Security Wars Part 2: Native Security Tools

Part 1 of this series covered the overall security philosophy and design principles of the Big 3 cloud providers: Amazon Web Services, Google Cloud, and Microsoft Azure. A central theme for each provider was how they interpreted and applied the “shared responsibility model” and how that informed their architecture and implementation decisions.

Here in Part 2, we’ll look at the tools and services offered directly to customers, covering a variety of security areas from detection to incident response. Understanding what each provider offers (and where there are gaps) is crucial for organizations evaluating potential cloud providers.

Detection

A complex suite of security tools won’t be an effective defense against cybersecurity attacks if the attacks can’t be detected in the first place. The ability to uncover malicious behavior or even minute changes or anomalies that might be masking a larger-scale attack is crucial.

Amazon Web Services (AWS)

Of the three providers, AWS has the largest number of detection tools, all managed by a central dashboard. In AWS’ own words, its Security Hub is “a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services.”

Amazon GuardDuty is the primary threat detection service provided by AWS. It utilizes the large stream of data generated by events in your AWS account to detect and identify potential threats. For detecting network configuration issues and potential software vulnerabilities, Amazon Inspector scans your AWS account using a software agent installed on EC2 systems. Meanwhile, AWS Config enables auditing and enforcement of resource configurations on an AWS account, so any changes can be flagged. AWS CloudTrail is a centralized log destination for all UI and API calls made in an AWS account. And lastly, AWS IoT Device Defender provides comprehensive configuration monitoring and event detection for IoT devices connected to your account.
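CloudTrail is only useful for detection if someone actually reads the records it delivers. The script below is an added example, not AWS code or code from this post, showing the kind of first-pass triage a defender runs over a trail: it flags API calls that weaken the audit trail itself, root console logins, and bursts of AccessDenied errors from a single principal and source address. The records are constructed to imitate CloudTrail's JSON shape (fake user names, documentation-range IPs); a real run would read a delivered log file from the trail's S3 bucket or a CloudWatch Logs subscription instead.

```python
"""Triage a batch of CloudTrail records for events a defender wants surfaced quickly.

Constructed example: the records below imitate CloudTrail's JSON shape but are
not from any real account.
"""
import json
from collections import Counter

# Constructed sample records (fake principals, documentation-range IPs).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2021-03-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2021-03-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-03-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "10.0.0.5", "requestParameters": {"bucketName": "reports"}},
    # Three denied calls from one principal in under ten seconds.
    {"eventTime": "2021-03-01T10:08:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied"},
    {"eventTime": "2021-03-01T10:08:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRoles", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied"},
    {"eventTime": "2021-03-01T10:08:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied"},
]})

# API calls that reduce or remove the audit trail itself.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def actor(record):
    """Best-effort principal name for a record."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def scan_trail(raw_json, denied_threshold=3):
    """Return findings: logging tampering, root console logins, and bursts of
    AccessDenied errors from one (principal, source IP) pair."""
    records = json.loads(raw_json).get("Records", [])
    findings = []
    denied = Counter()
    for rec in records:
        name = rec.get("eventName", "")
        when = rec.get("eventTime")
        if name in LOGGING_TAMPER:
            findings.append({"severity": "high", "reason": "logging-tamper:" + name,
                             "actor": actor(rec), "time": when})
        if name == "ConsoleLogin" and rec.get("userIdentity", {}).get("type") == "Root":
            findings.append({"severity": "high", "reason": "root-console-login",
                             "actor": actor(rec), "time": when,
                             "source_ip": rec.get("sourceIPAddress")})
        if rec.get("errorCode") == "AccessDenied":
            denied[(actor(rec), rec.get("sourceIPAddress"))] += 1
    # Repeated AccessDenied from one principal is what a misconfigured job looks
    # like, but also what a leaked key being tested looks like; rank it below
    # the two unambiguous signals above and let an analyst decide.
    for (who, ip), count in denied.items():
        if count >= denied_threshold:
            findings.append({"severity": "medium", "reason": "access-denied-burst",
                             "actor": who, "source_ip": ip, "count": count})
    return findings


if __name__ == "__main__":
    for finding in scan_trail(SAMPLE_TRAIL):
        print(finding)
```

The three checks are deliberately cheap so they can run on every delivered file; GuardDuty covers the same ground with far more context, but a trail-level check like this is what tells you whether logging was switched off before GuardDuty had anything to look at.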

Google Cloud Platform (GCP)

Google Cloud provides Cloud Security Command Center, a centralized security management interface and dashboard that provides an overview of various assets in Google Cloud, as well as threat detection via monitoring of Cloud Audit Logs. The standard tier offers monitoring of basic, high-risk configuration issues, while the premium tier offers more comprehensive workload and runtime detection.

The Web Risk API is a unique offering, enabling customer sites to detect and warn users if they visit unsafe sites or post malicious URLs. Access Transparency is another unique service that provides near real-time notifications when a Google Cloud employee accesses your resources. Finally, Chronicle is a newer threat-detection service, provided by a spinoff out of Alphabet.

Microsoft Azure

The legacy of Microsoft’s enterprise software business can be felt in its security product offerings from Azure. Everything, including detection, has a marked focus on hybrid infrastructure, that is, cloud services combined with existing on-premises architecture. Azure Security Center is the dashboard product, integrated with PaaS services like SQL Server and storage. It utilizes agents installed on VMs and on-premises servers to analyze logs and detect anomalous or malicious behavior. There’s also Microsoft Defender for Identity, which is a cloud-based service but emphasizes protecting on-premises organizational infrastructure by integrating with on-premises Active Directory domain controllers.

Comparison

AWS provides broad coverage capabilities when it comes to detection. But to take full advantage of that visibility you have to enable several services that all carry their own fees, which can quickly add up on your monthly bill.

Google Cloud provides the most unique detection tools of the Big 3—Web Risk API and Access Transparency. However, instead of offering a dedicated installable security agent, it depends on distributed log forwarding and analysis to detect workload and runtime attacks. Access to these features also carries an increased cost, since they require the premium tier.

Azure’s enterprise focus is a boon to more traditional corporate IT infrastructure, but organizations that lean heavily on the cloud for web applications and internet services might find its detection offerings lacking.

Traffic Security

Maintaining secure internet and network communication with minimal disruption is a top priority for any organization. Misconfigured firewalls, open ports, and unencrypted web services are a favorite vector for attackers. Modern cyberattacks aren’t always about compromise or exfiltration and can often include an element of disruption, utilizing large networks of compromised nodes to initiate immense, distributed denial-of-service (DDoS) attacks.

AWS

Unsurprisingly, AWS offerings focus on web applications and the infrastructure of public-facing, cloud-first systems. For management, AWS provides Firewall Manager, which enables centralized configuration and management of AWS WAF, AWS Shield, and Security Groups across AWS Organizations. With AWS Shield, all resources in an account automatically get standard DDoS protection; with the advanced version, AWS WAF, Firewall Manager, and 24/7 access to a DDoS response team are included at no additional cost.

WAF is on-demand and pay-as-you-go. It can be configured with custom rules but also comes with managed rules for common attack vectors, such as the OWASP Top 10 and emerging CVE lists.

GCP

For web application firewalling and DDoS protection, GCP offers Google Cloud Armor, which brings Google’s collective experience of mitigating DDoS attacks on some of the largest and most well-known sites. For web applications, there are preconfigured rules curated from standard OSS rulesets like OWASP ModSecurity Core, as well as the capability for custom rules. Standard, port-based firewall rules are defined at the Virtual Private Cloud (VPC) level, but approvals/denials are enforced at the instance level. The Security Command Center allows centralized management for the various GCP traffic security tools and services.

Azure

Despite the clear enterprise focus of most of its security products, Azure does provide traffic security services that cater to web applications. Microsoft offers a standard Azure Firewall as a standalone product offering, so the enterprise roots aren’t completely absent here. The Azure Web Application Firewall product comes with preconfigured rulesets from OWASP and can be scaled across a variety of Azure resources. Similar to both AWS and GCP, Azure WAF breaks DDoS protection into two tiers: a “Basic” tier included automatically on all relevant resources and a “Standard” pay-for tier with additional features. Azure Security Center functions as the dashboard service.

Comparison

All three providers are fairly homogeneous when it comes to traffic security. Each offers a Web Application Firewall (WAF) and DDoS protection, with the DDoS product broken down into free and paid tiers. AWS and GCP appear to have a broader variety of managed rulesets available, while Azure WAF is limited to the OWASP Top 10. All three also provide a fairly similar notion of “security groups,” which offer ingress/egress port traffic rules, granular to individual resources.
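Because security groups on all three platforms reduce to the same shape (protocol, port range, source CIDR, attached to individual resources), the same audit applies everywhere. The script below is an added example, not code from any provider or from this post: it walks a rule set in the shape the EC2 DescribeSecurityGroups API returns and flags rules that open sensitive administrative or database ports, or all traffic, to the entire internet (0.0.0.0/0 or ::/0). The groups are constructed for the example; a live run would feed the same function from boto3's describe_security_groups, or from a GCP VPC firewall or Azure NSG export mapped into the same fields.

```python
"""Audit security-group style ingress rules for internet-wide exposure.

Constructed example: the groups below follow the IpPermissions / IpRanges /
Ipv6Ranges shape of the EC2 DescribeSecurityGroups response but are made up.
"""
import ipaddress

SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        # All protocols and ports, open to every IPv6 address.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
]

# Administrative and database ports that should not be reachable from everywhere.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
                   5432: "postgres", 6379: "redis", 27017: "mongodb"}
PUBLIC_OK_PORTS = {80, 443}  # expected to be world-reachable on a web tier


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0: a prefix length of zero matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(perm):
    """Port range a rule covers; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(groups):
    """Return one finding per rule that exposes something to the whole internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in sources if is_world_open(c)]
            if not world:
                continue  # restricted source: not an internet exposure
            low, high = rule_ports(perm)
            exposed = sorted(p for p in SENSITIVE_PORTS if low <= p <= high)
            if perm.get("IpProtocol") == "-1":
                reason = "all-traffic-open"
            elif exposed:
                reason = "sensitive-port-open"
            elif low == high and low in PUBLIC_OK_PORTS:
                continue  # e.g. 443 on a web tier: intended exposure
            else:
                reason = "non-standard-port-open"
            findings.append({"group": sg["GroupId"], "name": sg.get("GroupName"),
                             "reason": reason, "ports": exposed,
                             "range": [low, high], "sources": world})
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(finding)
```

Two details matter in practice: IPv6 ranges live in a separate list and are easy to forget, and a protocol of -1 has no FromPort/ToPort at all, so a check that only looks at port numbers will miss the worst rule in the set.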

An interesting footnote on traffic security is that both Google and Microsoft highlight hybrid and multi-cloud environments as being able to benefit from their offerings, whereas this language is notably absent from AWS services. Whether or not this is purely marketing, or more an indication of market share, it’s a possible data point for any organization that is considering a long-term multi-cloud strategy.

Data Protection

In the information age, data is an organization’s lifeblood. Customer data, employee data, and intellectual property data are priceless commodities, and failure to adequately protect and secure them can result in a host of bad outcomes, such as legal and financial penalties or even dissolution. So it’s no surprise that each provider offers services focused on data security, including management of the cryptographic tools used to encrypt both data and traffic.

AWS

AWS provides powerful tools for managing the underlying foundation so that a company can craft its own data infrastructure. Amazon Macie, an ML-enabled service, scans S3 buckets for potentially sensitive data such as PII and makes configuration suggestions to help protect that data. The remaining services primarily focus on making it easier to manage and configure the underlying cryptographic systems. AWS Key Management Service (KMS) offers a cloud-based hardware security module, CloudHSM, for enterprises that wish to manage their own cryptographic keys. AWS also provides a centralized way to manage SSL/TLS certificates via AWS Certificate Manager to secure web traffic. And for managing things like API keys and application secrets, there is AWS Secrets Manager.

GCP

Of the three providers, GCP offers the most in terms of tailored, managed service products, several of which provide holistic management of GCP data security. It still offers a standard set of baseline tools, however, including Cloud HSM and Cloud KMS for cryptographic key management.

For overall managed data protection, Google Cloud Data Loss Prevention (DLP) scans and classifies data across GCP and even provides the ability to mask and tokenize potentially sensitive data, reducing the risk of critical data disclosure. Another managed service product, VPC Service Controls, focuses on isolating and protecting multi-tenant services, a nod to the inherent risk posed by the extensive and complex network structure of these services. At the individual computing instance level, Shielded VM provides virtual TPMs and secure boot modules to ensure that rootkits or other boot/kernel compromises are mitigated.

Azure

Azure shares some of the standard offerings of GCP and AWS, as well as unique offerings aimed at enterprise data products like SQL Server. Azure Key Vault is an all-in-one service for secrets management, cryptographic key management, and certificate management. Azure Dedicated HSM provides a hardware security module for customers that want hardware management of cryptographic keys. Azure Storage Service Encryption ensures that all data persisted to Azure Cloud is encrypted automatically. Azure also has a variety of offerings to encrypt and secure SQL Server, including Azure SQL Transparent Data Encryption and Azure Defender for SQL. Microsoft SQL is still one of the primary revenue drivers for Microsoft’s software and SaaS businesses, so this focus is no surprise.

Comparison

Google’s tailored offerings let organizations outsource some of the overhead to the platform, while Azure and AWS both provide foundational tools for managing the underlying cryptographic systems, leaving the creation of holistic policies and infrastructure to customers. However, AWS still lags a bit in some of the default settings, including S3 buckets not being encrypted at rest by default. AWS has made improvements in communicating the consequences of configuration options that make S3 buckets inadvertently accessible to the public, but misconfigured S3 buckets still seem to be an Achilles heel for multiple organizations—so much so that The Duckbill Group still regularly issues its “S3 Bucket Negligence” awards.
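The two S3 problems named above, no encryption at rest unless you turn it on and policies that leave a bucket reachable by anyone, are both visible in a bucket's configuration before any data leaks. The script below is an added example, not AWS code or code from this post: it takes per-bucket records in the shape of the GetBucketEncryption, GetPublicAccessBlock and GetBucketPolicy responses and reports missing default encryption, an incomplete public access block, and Allow statements with a wildcard principal. All three buckets are constructed and do not exist; a live run would fill the same dictionaries from boto3's get_bucket_encryption, get_public_access_block and get_bucket_policy calls.

```python
"""Assess S3 bucket settings for missing default encryption and public exposure.

Constructed example: the bucket records imitate the shapes of the
GetBucketEncryption, GetPublicAccessBlock and GetBucketPolicy responses;
the buckets, account ID and policies are made up.
"""
import json

PUBLIC_ACCESS_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                          "BlockPublicPolicy", "RestrictPublicBuckets")
ALL_BLOCKED = {k: True for k in PUBLIC_ACCESS_SETTINGS}

SAMPLE_BUCKETS = [
    {"Name": "customer-reports",                 # worst case: unencrypted and public
     "ServerSideEncryptionConfiguration": None,  # GetBucketEncryption returned nothing
     "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                        "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::customer-reports/*"}]})},
    {"Name": "static-site",                      # legacy public policy, now neutralised
     "ServerSideEncryptionConfiguration": {"Rules": [
         {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
     "PublicAccessBlockConfiguration": dict(ALL_BLOCKED),
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::static-site/*"}]})},
    {"Name": "audit-logs",                       # clean
     "ServerSideEncryptionConfiguration": {"Rules": [
         {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
     "PublicAccessBlockConfiguration": dict(ALL_BLOCKED),
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
          "Action": "s3:PutObject", "Resource": "arn:aws:s3:::audit-logs/*"},
         # A wildcard principal with Effect Deny is the usual "require TLS"
         # statement, not an exposure: the Effect check below must keep it out.
         {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
          "Resource": "arn:aws:s3:::audit-logs/*",
          "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})},
]


def principal_is_public(principal):
    """True if a statement's Principal grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy_json):
    """Allow statements with a wildcard principal and no Condition. A Condition
    may or may not narrow access, so those are left for human review."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow" and principal_is_public(s.get("Principal"))
            and not s.get("Condition")]


def assess_bucket(bucket):
    """Return a list of finding codes for one bucket record."""
    findings = []
    if not bucket.get("ServerSideEncryptionConfiguration"):
        findings.append("no-default-encryption")
    pab = bucket.get("PublicAccessBlockConfiguration") or {}
    missing = [k for k in PUBLIC_ACCESS_SETTINGS if not pab.get(k)]
    if missing:
        findings.append("public-access-block-incomplete:" + ",".join(missing))
    if public_statements(bucket.get("Policy")):
        # RestrictPublicBuckets denies anonymous and cross-account access to a
        # bucket whose policy is public, so the statement only bites when it is off.
        findings.append("public-policy-effective" if not pab.get("RestrictPublicBuckets")
                        else "public-policy-blocked")
    return findings


def assess_all(buckets):
    return {b["Name"]: assess_bucket(b) for b in buckets}


if __name__ == "__main__":
    for name, result in assess_all(SAMPLE_BUCKETS).items():
        print(name, result or "ok")
```

The distinction between "effective" and "blocked" is the point of the public access block settings: a bucket can carry a public policy for years and still be safe as long as the account-level or bucket-level block stays on, which is exactly why those settings deserve their own finding when any of the four is off.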

Incident Response

Despite a comprehensive approach to security, organizations still have to deal with attacks, compromises, and disasters on a “when” not “if” basis. When an incident does occur, the minutes and hours afterward are absolutely crucial for investigating, identifying, and, ultimately, mitigating issues. Each major cloud provider offers, at the very least, a centralized security dashboard, which is critical to managing multiple information streams during the high-stress environment of an incident.

AWS

AWS Security Hub is a dashboard service that aggregates output from multiple security services in one location. For deeper investigations into potential issues, AWS provides Amazon Detective, which uses machine learning, statistical analysis, and graph theory to derive meaningful data from the events and logs on an AWS account, including suspicious user behavior. If a compromise or other disaster occurs, AWS offers CloudEndure Disaster Recovery for business continuity efforts.

GCP

Of the three cloud providers, Google Cloud lags the most in terms of having direct offerings geared toward incident response. However, Security Command Center provides visibility into a variety of data streams surrounding vulnerabilities, compliance, and potential attacks.

Azure

Azure Security Center is a centralized dashboard, providing the aggregated data that is crucial to forming an adequate and effective incident response. The remaining offerings, Azure Site Recovery and Azure Backup, fall primarily into the business continuity category, providing geographically distributed backup and recovery of data and workloads as needed.

Comparison

AWS is the only provider that has a specific, targeted offering for incident response with Amazon Detective. Both GCP and Azure implicitly count on customers to handle more when it comes to any required investigation and forensics, primarily offering DR and continuity services (which are still very important).

The War Is Never Won

So who wins the cloud security wars? Is it AWS, the leader in cloud market share and generally regarded as the incumbent to beat? Or is it Azure, with a focus on hybrid, corporate IT, and enterprise infrastructure? Or perhaps GCP, with some of the most unique and targeted offerings in detection and data protection, is the winner?

Ultimately, the winner will be whichever vendor best fits your organization’s needs. The pace of innovation in the cloud is blistering, with new services and tools constantly being launched. Each service adds a new, key advantage but also potentially adds to the likelihood of vendor lock-in. Organizations that depend on tailored managed services may ultimately find the cost of migration too high.

Companies have to evaluate three things: the type of workload they intend to run, the value of specific managed service offerings, and the resources and capabilities of their in-house security staff. Organizations with web-facing, high-availability applications will want to give a hard look at AWS and GCP. Enterprise organizations with a lot of on-premises infrastructure, particularly corporate IT with an existing installed base of Microsoft licensing, will obviously lean toward Azure. Meanwhile, organizations with leaner resources will definitely appreciate the managed service offerings that handle incident response, malicious activity detection, and data protection.

Even after choosing the latest and greatest service offering, there will never be any single cloud service or platform that provides 100% end-to-end protection against attacks. In fact, the native security tools from AWS, GCP, and Azure are not enough to provide full protection, nor are they meant to.

The true power of the cloud lies in the ability for organizations to combine a dedicated cloud security solution, knowledge, and vendor relationships with what a given platform already provides. A diligent, multi-faceted approach to cloud security is the best way to win the digital war.
