For most organizations, evaluating a potential cloud provider is about the “bread and butter” services: compute, storage, databases, and networking. Most legacy, on-premises architectures are composed primarily of these categories, and potential cloud customers will pay close attention to advantages, trade-offs, and critical security capabilities.
In this final part of our three-part series (previous articles: Securely Using DigitalOcean, Part 1 and Part 2), we explore the security features and capabilities of DigitalOcean’s primary service offerings—networking, storage, databases, and compute—and how they compare to AWS, GCP, and Azure.
One of the most critical elements of cloud infrastructure is the underlying network. The flow of information between nodes is the reason distributed systems like “clouds” can function. However, networking in the context of a cloud brings unique security challenges that would not typically be present in a traditional on-premises model. AWS, GCP, and Azure all offer specialized security services (such as GCP security services) to help customers secure their deployments, so how does DigitalOcean fare?
Mirroring the big three, DigitalOcean offers logical network definitions in the form of Virtual Private Clouds (VPCs). A VPC is used to isolate cloud resources and their respective traffic within a logically defined network. Typical features of VPCs include some form of NAT/gateway, private subnetting, firewalling, and traffic monitoring.
Unfortunately, compared to the other providers, DigitalOcean’s VPC security offerings are spartan at best—and nonexistent at worst. Firewalls can only be applied at the Droplet level, and custom routing or firewalling requires manually configuring a Droplet to act as a gateway for the VPC. The other providers enable customers to configure features like Access Control Lists (ACLs), DDoS protection, and application firewalls. Augmenting the existing features will require utilizing a third-party solution, such as the Reblaze cloud security platform, while other monitoring features, like flow logs, are notably absent (which, again, argues for using a solution such as Reblaze, which includes inherent full traffic visibility, SIEM/SOC integrations, etc.).
The rest of DigitalOcean’s networking features provide some functional parity with the Big 3, but overall, they lack the depth provided by the competition. For example, DigitalOcean only offers network load balancers. The ability to securely route layer-7 traffic and parse header information is highly valued for modern application deployments, and DigitalOcean customers will be forced to adapt their own solution if they need such capabilities.
Storage and Databases
Like the Big 3, DigitalOcean offers multiple storage and database options for customers to store, access, and query important data. However, the emphasis on data in the application stack and the need to read and write from it quickly and efficiently has given rise to a multitude of highly performant and niche solutions from each provider. Organizations wanting to offload the high operational and security overhead of managing data infrastructure look to these managed solutions (and their security capabilities) to alleviate some of that cost.
For basic storage, DigitalOcean offers block storage volumes, which operate in a similar fashion when compared to other offerings: They function as a more traditional network file-based virtual storage device that is typically attached to compute nodes like Droplets or EC2 instances. For security, DigitalOcean offers encryption at rest using LUKS, including snapshots. But compared to a provider like AWS, its security controls are far less granular. AWS’ key management and IAM features enable very fine-grained security controls defining which identities can or cannot access storage volumes, while DigitalOcean has no such capability.
DigitalOcean also offers Spaces, an S3-compatible object storage service, including CDN services for customers that need enhanced content delivery options. Security options include file and file-listing permissions for objects within a space, as well as SSL certificates for public spaces/CDNs. However, the lack of a dedicated IAM offering again hurts DigitalOcean here, as it limits the ability of customers to issue granular role- and identity-based permissions to spaces and objects. Permissions are issued at a high level via access keys and only for generalized read and write scopes. Customers looking to secure their Spaces would be best served by keeping any access tightly limited to a select pool of identities and users, as well as by segregating public and private Spaces.
In the database category, DigitalOcean offers three managed solutions: PostgreSQL, MySQL, and Redis. Data is encrypted in transit via SSL and at rest using LUKS. With managed services, the provider generally owns the operational overhead of backend infrastructure security. Customers are primarily responsible for securing access to the frontend. For this, DigitalOcean provides the ability to restrict incoming traffic to trusted sources, adding an additional layer of security beyond SSL and authentication credentials. Trusted sources can be specific Droplets or Kubernetes clusters, or IPv4 addresses.
Each of the managed database offerings from DigitalOcean requires engine-specific access and authorization management. In contrast, providers like GCP and AWS offer IAM-based authentication, enabling customers to avoid the need for hard-coded credentials or direct access management via the database. Those looking for a NoSQL database will need to deploy their own solution via Droplets, as DigitalOcean lacks a true, document-based managed NoSQL offering. While this may not have an apparent impact on security, it forces ownership of the security posture entirely on the customer, eliminating the benefits gleaned from the shared responsibility model inherent in most cloud services.
The linchpin of most digital infrastructures is, quite simply, raw compute. Even the most complex managed services are typically built on top of the basic building blocks of a virtualized server infrastructure. One of DigitalOcean’s first service offerings was its virtual private servers (VPS), known as “Droplets.” Since then, the company has expanded its compute portfolio to accommodate a growing diversity of needs, including application hosting and Kubernetes.
DigitalOcean customers can utilize a few options to secure their Droplet infrastructure, such as account and team management to logically segregate access to Droplets based on context and usage, while direct access to the underlying operating system can be managed via DigitalOcean Cloud Firewalls and SSH keys. Again, the lack of a dedicated IAM offering limits the amount of access and authorization controls you can easily implement across DigitalOcean’s infrastructure. Customers are left to implement their own solutions if they require more elaborate, fine-grained management. Engineering teams that need to deploy a larger-scale Droplet infrastructure can utilize tools like Terraform and Ansible; they should also limit write access to non-interactive, automated services like CI/CD. Removing interactive access, and with it the need for per-user identity management, lets them sidestep the lack of a first-party IAM service.
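One way to express the Droplet-level Cloud Firewall, SSH-key-only access, and managed-database trusted sources described above as Terraform for the DigitalOcean provider (an added example, not the article's or DigitalOcean's own code; the resource names, region, sizes, key path, PostgreSQL version and the 203.0.113.0/24 admin range are assumed placeholders):

```hcl
# Added example (not from the article); names, region, sizes, key path, version and 203.0.113.0/24 are assumed.
resource "digitalocean_ssh_key" "ops" {
  name       = "ops-key"
  public_key = file("~/.ssh/ops_ed25519.pub") # assumed local path
}
resource "digitalocean_droplet" "app" {
  name     = "app-1"
  image    = "ubuntu-22-04-x64"
  region   = "nyc3"
  size     = "s-1vcpu-1gb"
  ssh_keys = [digitalocean_ssh_key.ops.fingerprint] # key-only OS access
}
# Droplet-level Cloud Firewall: SSH only from the admin range, HTTPS from
# anywhere, all other inbound traffic dropped.
resource "digitalocean_firewall" "app" {
  name        = "app-fw"
  droplet_ids = [digitalocean_droplet.app.id]
  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = ["203.0.113.0/24"]
  }
  inbound_rule {
    protocol         = "tcp"
    port_range       = "443"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }
  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}
# Managed PostgreSQL whose trusted sources are only the Droplet above, so the
# database endpoint is unreachable from any other address.
resource "digitalocean_database_cluster" "pg" {
  name       = "app-pg"
  engine     = "pg"
  version    = "14"
  size       = "db-s-1vcpu-1gb"
  region     = "nyc3"
  node_count = 1
}
resource "digitalocean_database_firewall" "pg" {
  cluster_id = digitalocean_database_cluster.pg.id
  rule {
    type  = "droplet"
    value = digitalocean_droplet.app.id
  }
}
```

Because a Cloud Firewall with no outbound rules blocks all egress, the outbound rule is deliberate; tighten it to the destinations the workload actually needs once they are known.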
Mirroring offerings like AppEngine, Heroku, and Elastic Beanstalk, DigitalOcean offers App Platform as their Platform-as-a-Service (PaaS) service. The main value proposition here is that developers can quickly set up a fully featured application infrastructure, including a database backend, with just a compatible source code repository and a few clicks. DigitalOcean takes care of managing the backend infrastructure and automatically provides SSL/TLS certificates and its DigitalOcean DDoS mitigation for all product tiers. Users that upgrade from the Starter tier will also have access to automatic OS patching.
DigitalOcean has also jumped on the Kubernetes train, offering a managed service that lets customers deploy containerized applications without having to deal with the inherent complexities of managing Kubernetes. DigitalOcean Kubernetes (DOKS) integrates with DigitalOcean LoadBalancers and Block Storage as well. While a managed service abstracts away a lot of the security and operational overhead, there are still limited first-party security options for customers to utilize. However, since DOKS allows you to use kubectl, you should be able to implement any compatible service. A good solution for augmenting visibility and security is to deploy Envoy and Curiefense as a sidecar.
Serverless is an obvious gap in DigitalOcean’s compute portfolio. Organizations looking for Functions-as-a-Service (FaaS) will need to look to AWS, GCP, or Azure to fill such a need. From a security perspective, serverless infrastructure removes a fairly broad attack vector: the runtime operating system of server infrastructure. Applications with short-lived, stateless workloads make for an excellent serverless use case, providing a much better cost ROI, as well as eliminating operational complexity and server management. Ideally, DigitalOcean will launch a competitive offering soon.
Is DigitalOcean Good Enough?
DigitalOcean has come a long way from the days of being a cheap VPS provider, and the platform has obviously matured. Does that mean it will fit the bill as a first-tier cloud provider?
The answer is: maybe. For smaller, cost-conscious teams, DigitalOcean provides a simple yet capable array of services that should be “good enough” for most application stacks. The managed application hosting is particularly attractive to lean development teams that may lack the operational and systems expertise to deploy their own solutions. However, that simplicity comes with a trade-off: The first-party security solutions offered by DigitalOcean are also simple and lack the capabilities of what the competition can offer.
For organizations and teams with more complex, diverse deployments, the Big 3 providers are probably a better solution. The added work of deploying and managing additional services and abstractions just to achieve parity with the batteries-included security offerings of AWS, GCP, and Azure typically isn’t worth the time and resources from a business value perspective.
That’s the current situation, but DigitalOcean is continuing to expand its products and services. We can watch and see when it becomes a truly competitive cloud solution, on par with what’s available on the market today.
Note: Reblaze provides comprehensive web security for DigitalOcean, and runs natively on this platform.