When most people think of DigitalOcean, they might imagine a small-ish Infrastructure-as-a-Service (IaaS) company offering cheap, reliable VPS servers. That may have been the case in the past, but today, the story is quite different.
DigitalOcean has positioned itself as a legitimate contender in the cloud platform market, offering a diverse product portfolio that aims to compete with the likes of Google Cloud, AWS, and Azure. Although DigitalOcean’s overall platform does not have the same maturity as that of its larger competitors, how does it stack up feature-wise? More importantly, how does it compare through the ever-critical lens of security?
This article is the first in a three-part series comparing DigitalOcean to the “Big Three” cloud providers. Before diving into specific products and their security capabilities, this post will provide a high-level comparison of product features and overall security philosophy.
Overview of DigitalOcean’s Security Model
One of the most important aspects of a cloud provider’s security posture is understanding its interpretation of security responsibilities.
In what’s generally referred to as the “shared responsibility model,” cloud providers view security from both the perspective of their internal infrastructure as well as that of their customer-provisioned infrastructure. Both customer and provider “share” a responsibility to secure their infrastructure, owing to their obvious mutual interest in a strong security posture in a highly scalable, shared computing environment.
DigitalOcean publishes their security data and content on their “Trust Platform” page, complete with an FAQ that offers a high-level overview of their take on the shared responsibility model. Functionally, it’s very similar to that of other providers, although it is more specific and talks about where responsibilities are assigned, based on the level of abstraction. This is in contrast to other providers, like AWS, which simply states: “Customer responsibility will be determined by the AWS Cloud services that a customer selects.”
Next, let’s look at the similarities between the overall product portfolio of DigitalOcean and its competitors.
Similarities to the Big Three
Most organizations that have or are seeking cloud services have similar needs and goals, which are reflected in the core products of providers: access to highly scalable, geographically specific managed services and niche offerings. In this respect, DigitalOcean is fairly aligned with the big three, as it offers compute, storage, databases, managed application hosting, and API access.
Among DigitalOcean’s first products, and what it is typically most recognized for, are its virtual machines, referred to as “droplets.” These are comparable to AWS EC2 nodes, Google Compute Engine VMs, and Azure VMs. From a features perspective, droplets are pretty similar to other provider VMs: They offer various Linux distributions as an operating system; have tiered pricing based on the amount of configured resources; and provide categorized offerings for general purpose, CPU, memory, and storage-optimized plans.
In terms of security, droplets operate behind DigitalOcean Cloud Firewalls. Customers can associate droplets directly to firewalls or by using tags to group similar resources. These operate in a similar fashion to AWS EC2 security groups: stateful, network-based firewalls that deny by default.
DigitalOcean also offers hosted Kubernetes, utilizing droplets as the underlying compute resource and managing the Kubernetes control plane, master node, and underlying infrastructure. Like other managed services, the burden of security under the shared model falls on the provider for the underlying resources.
Like other providers, DigitalOcean also offers object and file-level storage products for customers. “Spaces” is an object storage service akin to Amazon S3, Azure Blob Storage, or GCP Object Storage. Owing to the ubiquitous market penetration of S3, DigitalOcean even bills S3 compatibility as a headlining feature of Spaces. For file-level storage, customers can provision block storage volumes that can be attached to droplets and function similarly to attached storage devices.
Spaces also offers full-disk encryption for the file objects stored within it, and you can control access via API keys and permission policies. Block storage volumes are encrypted at rest and are only accessible from within their cluster. Customers can choose to further encrypt their file systems via tools like LUKS.
Virtual Private Clouds (VPCs) are logical network definitions of various network and compute architectures residing within the same traffic “boundaries.” All cloud providers, including DigitalOcean, provide some form of VPCs. Within the network category, DigitalOcean also offers DNS, load balancers, and some IPv6 support.
The security options for networking products are somewhat lacking on DigitalOcean, as traffic control is limited to logical VPC boundaries and the droplet cloud firewall configurations. DigitalOcean’s DNS and load balancers both support Let’s Encrypt SSL certificates.
Managed database services are one of the key selling points of cloud services today, abstracting away the headache of complex operational management and security.
DigitalOcean provides three database offerings, all as managed services. Customers can provision PostgreSQL, MySQL, and Redis, all in single-node or high-availability clusters. For each product, data is encrypted at rest via LUKS and in transit via SSL. DigitalOcean manages the operational security of the underlying infrastructure.
Managed Application Hosting
DigitalOcean offers managed app hosting via its “App Platform” product, in the same category as AWS Elastic Beanstalk, GCP App Engine, and Azure App hosting.
Like other managed services, DigitalOcean handles security and operations for the underlying infrastructure. Automatic SSL/TLS certificates are provided, as well as automatic DDoS mitigation.
Another attractive feature of cloud-based infrastructure is the ability to manage it programmatically via an API. In parity with the other providers, DigitalOcean offers a RESTful API for viewing and managing resources in an account.
Users can generate a personal access token and define it as read-only or write and read scoping. DigitalOcean also provides OAuth support via an API, allowing outside applications limited access to DigitalOcean accounts for various use cases.
Differences from the Big Three
While DigitalOcean has come a long way since its start as a VM/VPS provider, there are still some gaps in its product offerings compared to the Big Three. Features offered in other provider’s clouds might require third-party applications or some form of service supplementation to achieve the same functionality.
DigitalOcean does not have the breadth of managed service offerings of the other providers, with some categories completely absent from its portfolio. For instance, AWS and GCP both offer managed message queue services, which are notably missing from DigitalOcean.
The security implications of this are subtle but important. Customers who cannot depend on a managed service offering are forced to spin up their own infrastructure, thereby increasing the number of deployed VMs—as well as the operational security overhead to patch and secure them.
Limited IAM Capabilities
DigitalOcean’s documentation makes it clear that its Identity and Access Management (IAM) functionality lags behind that of other cloud providers.
You can apply only very limited permission scopes to user accounts, there are no custom roles or policies, you can apply only very rough approximations of resource-based policies to teams and tagged resources, and there is no support for 2FA ephemeral credentials. In the second part of this series, we will explore IAM in more depth, and offer up some potential strategies for security.
Serverless is another product category in which DigitalOcean currently has no product offering, while AWS, GCP, and Azure all have serverless offerings of varying capability and functionality.
Continuing the theme from the previous managed services section: Serverless infrastructure can give organizations a way to utilize significant compute power without having to deal with the operational burden of maintaining and securing always-on virtual servers.
Limited Dedicated Security Offerings
Given the critical importance of security in the cloud, organizations should generally expect each provider to have a number of services and tools aimed at the various problem areas of information security. However, DigitalOcean offers only one solution for customers.
DigitalOcean’s Cloud Firewall, mentioned earlier in this article, provides a network-based stateful firewall for droplets. However, compared to the dedicated firewall, DDOS protection, and analytics products of the other providers, DigitalOcean falls far behind.
DigitalOcean: Potential Choice for Cloud Services
In terms of being a legitimate choice for cloud deployments, DigitalOcean has come a long way from its beginnings. While there are gaps in its offerings, the company’s core product portfolio could easily fill the needs of many organizations looking to deploy cloud infrastructure.
Part 2 of this series will take a deeper dive into IAM, including a high-level exploration of why it’s important, what it does, and some possible strategies to help implement identity and access controls securely on DigitalOcean.
Note: Reblaze provides comprehensive web security for Digital Ocean, and runs natively on this platform.