Cloud security, a battle of titans.

By Joshua Holden

Preamble

Amazon web services, Google Cloud and Microsoft Azure are all luminary actors in the field of cloud resourcing, all have their own approaches to tackling today's needs for small and large organizations requiring scalable, secure, and cost-effective platforms and resources.

Moving an organizations infrastructure into the cloud has never been easier or cheaper than it is now, hundreds of the largest names have now permanently turned their backs to on-premises data-centres owing to the cost reductions in hardware that quickly depreciates as well as reducing the risk of data loss and time/money losses attributed to failed infrastructure in an environment where a website being unavailable can incur monetary losses of millions of pounds per day.

The reputation of a company rests on the security of the data controlled by the organization, a simple data leak, or hacked server caused by bad security or incorrectly configured infrastructure can irreparably damage the reputation of a company and invite huge fines, thankfully when dealing with the cloud, security is only a click or two away, this blog post takes a high level look into the methodologies and approaches taken by the 3 leading cloud service providers, examining ease-of-use and effectiveness.

This post is only to serve as a high-level summary of my experiences and I invite you all to read further into the subject by visiting each vendor's websites as the topic is so vast I cannot begin to cover it in the detail it deserves.

The Providers

“Are you well-architected”, good question, and it’s a question the Amazon web-services marketing team want us to ask ourselves, when it comes to cloud security Amazon have a “5 pillars” framework, the elements (or pillars) of the framework  are:

1: Operational Excellence (How you operate your workload/groups of business applications that deliver business value)
2:Security
3:Reliability
4: Performance efficiency
5: Cost optimization

The well-architected framework was created by Amazon in 2012 after speaking to some software and infrastructure architects and putting together a framework of best practices to allow architects and solution/infrastructure designers to build and deploy faster, lower risks, make informed decisions and learn AWS best practices, but how does it achieve this?

Using the Amazon console you can run the Amazon well-architected tool which provides free architectural guidance on your infrastructure providing a list of high/medium/low issues that need to be addressed.

One of the biggest challenges and strengths of AWS is the approach to isolation by default in that every new service and account you provision is created with no access to other services or account group without first enabling the access specifically, granting access policies with IAM is of itself not a straight forward task especially as a lot of it is best done in the console using JSON strings with the specific grants and claims although the documentation showing the available configuration is excellent.

Overall AWS is the most complex cloud provider to manage from an IAM perspective and as the services and accounts scale up this becomes even more complex to juggle all of the required access to services and accounts especially when trying to talk to services in other accounts as there is no single place to manage access across groups.

Compliance

 AWS supports more security standards and compliance certifications than any other offering, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171, satisfying compliance requirements for virtually every regulatory agency around the globe, you can read more and view the whitepaper on compliance frim AWS by clicking here.

Most common AWS security controls

Guard Duty 
Guard duty is a continuous monitor that automatically consumes and analyses data from sources such as Vpc flow logs, Cloud trail management event logs, s3 data event logs, DNS logs and provides alerts and logging for data and infrastructure issues such as automatic bitcoin miner detection

WAF
WAF is an aptly named web-application firewall that protects applications against common exploits such as SQL injection and XSS attacks.

MACIE
Macie is a data security/privacy tool that uses machine learning and pattern matching to scan/discover and protect sensitive data stored in AWS such as credit card numbers and text strings with personally identifiable data.

AWS Inspector
Inspector is an automated security assessment tool, Amazon inspector allows you to automate security assessments based on best practice and common vulnerabilities, sort of a built-in penetration testing tool for checking for vulnerabilities and can provide alerts.

Cloudwatch
Amazon Cloudwatch is a monitoring service that provides actionable insights and gives an overview of operational health, Cloudwatch can be used to detect anomalous behaviour, set alarms, and provide logs and metrics to keep applications running smoothly.

Shield
Aws Shield is a distributed denial-of-service (DDoS) tool, Shield protects against all common DDoS attacks but when used in conjunction with AWS Route55 and  CloudFront  then full protection for all known attack kinds across layer 3 (network) and layer 4 (transport)

Security groups
Security groups AKA virtual firewalls control inbound and outbound traffic, security groups are stateful and are intelligent enough to allow responses back in regardless of inbound rules.
As with all amazon controls, when created no access will be allowed and grant rules have to be explicitly added, denial rules are implicit by absence and work on an instance level allowing subnets to be assigned, different security groups.

KMS (Key management server)
AWS KMS allows you to securely store and create cryptographic keys and control usage and access across a large swathe of AWS services and in your applications with access logging ensuring keys can be consumed and accessed only by entities that require them.

AWS secret manager
Much like KMS, but for secret strings of data such as OAUTH tokens, database connection strings, and API keys, KMS allows for granular control of who and what can access sensitive strings of data.

Microsoft Azure’s ease of use and excellent UI design makes this provider my favourite, but just because it is my subjective favourite provider this doesn’t mean they have the best approach to security, in-fact if the Motto of AWS was to be “Isolation as standard” then Azure’s motto would be “Isolation by configuration”.. what I mean by this is that most of Azure’s controls as standard start off wide open, take for example creating a new virtual machine, once created all ports are open then it’s up to you to make sure the correct controls are put into place to close any access not required.

I don’t think this approach is bad per-Se, just different but actually, I prefer it as both AWS and Google cloud take a by default deny standpoint meaning that with Azure you can be up and running much quicker than start locking down access once a solution has been designed.

Further to this, as I mentioned previously it’s extremely time-consuming and complex setting up access groups in AWS since AWS dictates that users are set up for every account and there is no single place to configure the access, instead of in Azure there is a single point of truth “Azure Active Directory” which allows users to be created and managed from a single point.

Azure also has a great security centre for monitoring and reporting on security issues