Cloud security, a battle of titans.

By Joshua Holden

Preamble

Amazon Web Services, Google Cloud and Microsoft Azure are the leading players in cloud computing, and each has its own approach to meeting the needs of small and large organizations that require scalable, secure and cost-effective platforms and resources.

Moving an organization's infrastructure into the cloud has never been easier or cheaper than it is now. Hundreds of the largest names have permanently turned their backs on on-premises data centres, partly to avoid the cost of hardware that quickly depreciates and partly to reduce the risk of data loss and the time and money lost to failed infrastructure, in an environment where an unavailable website can cost millions of pounds per day.

The reputation of a company rests on the security of the data it controls: a single data leak, or a server compromised through poor security or misconfigured infrastructure, can irreparably damage that reputation and invite huge fines. Thankfully, in the cloud, security is only a click or two away. This post takes a high-level look at the methodologies and approaches of the three leading cloud service providers, examining ease of use and effectiveness.

This post serves only as a high-level summary of my experiences, and I invite you to read further by visiting each vendor's website, as the topic is so vast that I cannot cover it in the detail it deserves.

The Providers

“Are you well-architected?” Good question, and one the Amazon Web Services marketing team wants us to ask ourselves. When it comes to cloud security, Amazon has a “5 pillars” framework; the elements (or pillars) of the framework are:

1: Operational Excellence (how you operate your workload, the group of business applications that deliver business value)
2: Security
3: Reliability
4: Performance efficiency
5: Cost optimization

The Well-Architected Framework was created by Amazon in 2012 after consulting software and infrastructure architects and assembling a set of best practices that lets architects and solution/infrastructure designers build and deploy faster, lower risk, make informed decisions and learn AWS best practices. But how does it achieve this?

Using the AWS console you can run the AWS Well-Architected Tool, which provides free architectural guidance on your infrastructure in the form of a list of high/medium/low-risk issues that need to be addressed.

One of the biggest challenges, and strengths, of AWS is its isolation-by-default approach: every new service and account you provision is created with no access to other services or account groups until that access is explicitly enabled. Granting access policies with IAM is not in itself a straightforward task, especially as much of it is best done in the console using JSON policy documents containing the specific grants and claims, although the documentation of the available configuration is excellent.

Overall, AWS is the most complex cloud provider to manage from an IAM perspective, and as services and accounts scale up it becomes even harder to juggle all of the required access, especially when services in one account need to talk to services in another, as there is no single place to manage access across groups.

Compliance

AWS supports more security standards and compliance certifications than any other offering, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2 and NIST 800-171, satisfying the compliance requirements of virtually every regulatory agency around the globe. You can read more in the AWS compliance whitepaper.

Most common AWS security controls

GuardDuty
GuardDuty is a continuous monitoring service that automatically consumes and analyses data from sources such as VPC flow logs, CloudTrail management event logs, S3 data event logs and DNS logs, and provides alerts and logging for data and infrastructure issues, for example automatic bitcoin miner detection.

WAF
AWS WAF is an aptly named web application firewall that protects applications against common exploits such as SQL injection and XSS attacks.

Macie
Macie is a data security and privacy tool that uses machine learning and pattern matching to discover and protect sensitive data stored in AWS, such as credit card numbers and text containing personally identifiable information.

Amazon Inspector
Inspector is an automated security assessment tool: it lets you automate assessments against best practice and common vulnerabilities, acting as a sort of built-in penetration testing tool that checks for vulnerabilities and can raise alerts.

CloudWatch
Amazon CloudWatch is a monitoring service that provides actionable insights and an overview of operational health. CloudWatch can be used to detect anomalous behaviour, set alarms, and provide the logs and metrics needed to keep applications running smoothly.

Shield
AWS Shield is a distributed denial-of-service (DDoS) protection tool. Shield protects against all common DDoS attacks, and when used in conjunction with Route 53 and CloudFront it provides full protection against all known attack kinds at layer 3 (network) and layer 4 (transport).

Security groups
Security groups, AKA virtual firewalls, control inbound and outbound traffic. They are stateful, so responses to allowed outbound connections are let back in regardless of the inbound rules.
As with all AWS controls, a newly created security group allows no access and allow rules have to be added explicitly; denial is implicit in the absence of a rule. Security groups work at the instance level, so instances within the same subnet can be assigned different security groups.

KMS (Key Management Service)
AWS KMS lets you create and securely store cryptographic keys and control their use and access across a large swathe of AWS services and in your own applications, with access logging ensuring keys can be used only by the entities that require them.

AWS Secrets Manager
Much like KMS, but for secret strings such as OAuth tokens, database connection strings and API keys; Secrets Manager allows granular control over who and what can access these sensitive strings.

Microsoft Azure’s ease of use and excellent UI design make it my favourite provider, but being my subjective favourite doesn’t mean it has the best approach to security. In fact, if the motto of AWS were “isolation as standard”, Azure’s motto would be “isolation by configuration”. What I mean by this is that most of Azure’s controls start off wide open: take creating a new virtual machine, for example. Once created, all ports are open, and it’s up to you to put the correct controls in place to close any access that isn’t required.

I don’t think this approach is bad per se, just different, and actually I prefer it: both AWS and Google Cloud take a default-deny standpoint, whereas with Azure you can be up and running much more quickly and then lock down access once a solution has been designed.
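To make the difference between the two default postures concrete, here is an added example (written for this post, not the author's code or either vendor's) that models in simplified Python how an AWS security group and an Azure network security group each decide an inbound packet, and then checks which management ports a constructed NSG leaves reachable from the internet. The rule fields, the "internet"/"vnet" source labels and the sample rule sets are simplifications assumed for the example.

```python
# Added illustration, not the post's code: a simplified model of how an AWS
# security group and an Azure NSG each decide an inbound packet. Rule fields
# and the "internet"/"vnet" source labels are simplifications made here.
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    port: int
    source: str  # "internet" or "vnet" in this toy model

def _matches(rule, pkt):
    """A rule field of "*" matches anything; otherwise it must equal the packet's."""
    return all(rule[f] in ("*", getattr(pkt, f)) for f in ("proto", "port", "source"))

def aws_sg_allows(rules, pkt):
    """AWS security group: allow rules only. Any match allows; no match is an
    implicit deny, so a freshly created group (empty list) admits nothing."""
    return any(_matches(r, pkt) for r in rules)

def azure_nsg_allows(rules, pkt):
    """Azure NSG: Allow/Deny rules evaluated in ascending priority order, first
    match wins, ending with the platform's own DenyAllInBound rule (priority
    65500; the other default rules are omitted here). A NIC with no NSG attached
    (rules is None) has no filtering at all, the wide-open state of a new VM."""
    if rules is None:
        return True
    default_deny = {"priority": 65500, "access": "Deny",
                    "proto": "*", "port": "*", "source": "*"}
    for r in sorted(rules + [default_deny], key=lambda r: r["priority"]):
        if _matches(r, pkt):
            return r["access"] == "Allow"
    return False  # unreachable: the default rule matches everything

# Constructed rule sets. The first is what a quick VM build often ends up with:
# management ports open to the world. The second keeps SSH reachable from the
# virtual network only, using a lower priority number (higher precedence).
WIDE_OPEN_NSG = [
    {"priority": 300, "access": "Allow", "proto": "tcp", "port": 3389, "source": "*"},
    {"priority": 310, "access": "Allow", "proto": "tcp", "port": 22, "source": "*"},
]
LOCKED_DOWN_NSG = [
    {"priority": 100, "access": "Deny", "proto": "tcp", "port": 22, "source": "internet"},
    {"priority": 200, "access": "Allow", "proto": "tcp", "port": 22, "source": "vnet"},
]

def internet_exposed_ports(rules, ports=(22, 3389)):
    """The check to run before declaring an environment production-ready:
    which management ports can be reached from the internet?"""
    return [p for p in ports if azure_nsg_allows(rules, Packet("tcp", p, "internet"))]
```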

Further to this, as I mentioned previously, setting up access groups in AWS is extremely time-consuming and complex, since AWS requires users to be set up for every account and there is no single place to configure access. In Azure, by contrast, there is a single source of truth, Azure Active Directory, from which users can be created and managed.

Azure also has a great Security Center for monitoring and reporting on security issues.

The main negative point from my perspective and experience with Azure is the lack of documentation, meaning that configuring some things, such as security groups, can be a matter of trial and error. This may be due in part to the fact that Azure is much younger than AWS and has not had the same length of time to mature its documentation.

In summary, I feel Azure is the best provider for me, but it requires extra care when testing, as it’s much easier to let security holes slip in because of its less secure default posture. Tested and configured properly it can be just as secure as any other provider, provided the extra attention is given to testing before an environment or configuration is declared production-ready.

Compliance

Azure has the best CSA STAR rating of the three options and also supports a massive array of security standards such as CIS Benchmarks, FedRAMP, ISO 27001 and much more; you can see all Azure offerings on Microsoft's compliance pages.

Most common Azure security controls

Defender for Identity
Much like AWS GuardDuty, Defender for Identity (formerly Advanced Threat Protection) is a cloud-based security solution that works alongside your on-premises Active Directory and uses machine learning and artificial intelligence to monitor for compromised accounts, insider attacks and malicious actions, and to detect lateral movement and the other tell-tale signs given off by would-be hackers trying to attack your platform.

Defender
Azure Defender is an active monitor that scans for vulnerabilities, protects against common attacks and provides exceptional threat protection across all cloud resources using AI.

Network security groups
Used to filter network traffic to and from Azure resources using rules specifying the port, destinations, and protocols.

Web application firewall
Prevents common attacks such as XSS and SQL injection.

Firewall
Does the same job as an NSG (network security group) but is more robust, providing SNAT (source network address translation), threat-intelligence-based filtering and FQDN tags (tags that group specific services such as Windows Update).

Security Center
Provides a dashboard overview of the security state of cloud resources; works closely with Azure Defender.

App Service Certificates
Allows purchase and management of SSL certificates from the Azure portal.

DDoS protection service
Always-on monitoring and automatic network protection providing rapid response to denial-of-service attacks, preventing possible downtime.

Azure Active Directory
Access management: grant roles, groups and permissions to users from a single place.

Application Insights
Application Insights, a feature of Azure Monitor, is an extensible Application Performance Management (APM) service for developers and DevOps professionals. Use it to monitor your live applications. It will automatically detect performance anomalies and provide analytics to assist resolution.

Monitor
Collects and analyzes telemetry from the cloud and on-prem infrastructure allowing you to act and report as well as providing alerts.

Key Vault
Secures secrets such as API keys and database connection strings so you don’t have to include sensitive data in application configuration files, and grants access only to the entities that should have it.

Google Cloud Platform is definitely the least mature of the three providers listed here, but owing to the very nature of Google/Alphabet it is still a very strong candidate, thanks to the experience and knowledge the company has built up running its own world-class infrastructure.

As previously mentioned, GCP takes a default-deny approach much like AWS, but it is slightly easier to manage as there is less isolation between accounts/projects and IAM can be managed from a single place.

Google also has over 15 years of experience in security and applies the same security model to GCP as to its own applications: data is encrypted in transit as standard, and all data is encrypted on disk.

GCP is also a world leader in AI and ML, so if that’s your game it makes sense to consider GCP as your platform of choice. However, like Azure and even more so, owing to the age of the service, experts and documentation are harder to come by than for its competitors, though this will undoubtedly change in time.

Compliance

GCP supports ISO/IEC 27001, HIPAA, FedRAMP and SOC 1, and all products undergo independent verification of their security, privacy and compliance controls, achieving certifications, attestations of compliance or audit reports against standards around the world. Google also produces resource documents and mappings against frameworks and laws where formal certifications or attestations may not be required or applicable; more can be read on Google's compliance pages.

Most common Google Cloud Platform security controls

Google identities
A unified identity, access, app and endpoint management (IAM/EMM) platform that allows administrators to quickly give users access to controls, endpoints and applications with a single click.

Google Cloud Armor
Google Cloud Armor is both a WAF (web application firewall) and advanced DDoS protection; with Cloud Armor you can protect your web applications against OWASP Top 10 risks and denial-of-service attacks.

Context-aware access
With context-aware access you can enforce granular access controls on web apps, VMs, GCP APIs and Google Workspace apps based on a user’s identity and the context of the request, without the need for a traditional VPN.

Secret manager
Secret Manager is a secure and convenient storage system for API keys, passwords, certificates and other sensitive data. It provides a central place and a single source of truth to manage, access and audit secrets across Google Cloud.

Secret Manager operates on a least-privilege model, meaning it's easy to keep tabs on who and what is consuming secrets.

Cloud key management
A cloud-hosted key management service that lets you manage symmetric and asymmetric cryptographic keys for your cloud services the same way you do on-premises. You can generate, use, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys.

Chronicle
“Detect everything” is Google's strapline for this control. Chronicle is a petabyte-scale telemetry threat detection rules engine offering real-time threat detection that scales without limit, ingesting logs from endpoint detection and response, cross-layered detection, DNS, proxies and other sources, then linking those logs together to give clear signals on threats as they happen, with Google-level speed of search.

Policy intelligence
Policy Intelligence lets you run reports on security questions such as “who has access to resource X”, view logs of access attempts, and quickly add or remove access to specific data for the entities attempting it.

Policy Intelligence can also scan your data and configuration, providing recommendations and guidance on appropriate access levels and highlighting potentially over-permissive access.

Security Command Center
Security Command Center provides a central place to monitor compliance across projects and infrastructure, discover misconfigurations and vulnerabilities, and detect and report threats against Google Cloud assets.

Access transparency and access approval
Access Transparency and Access Approval let you protect sensitive information such as PII by granting access only to approved entities. Access Approval requests, combined with Access Transparency logs, can be used to audit an end-to-end chain from support ticket to access request to approval to eventual access, giving you end-to-end data access audits.

Google Cloud firewalls
Compared to AWS and Azure, GCP has far fewer firewall and security group options; however, Google offers a single type of firewall that supports all of the good stuff, such as server tagging and hierarchical rules, as well as full auditability and logging.

Web risk
Web Risk is a Google Cloud service that lets client applications check URLs against Google's constantly updated lists of unsafe web resources. Unsafe web resources include social engineering sites, such as phishing and deceptive sites, and sites that host malware or unwanted software. With Web Risk you can quickly identify known bad sites, warn users before they click infected links, and prevent users from posting links to known infected pages on your site. Web Risk includes data on more than a million unsafe URLs and stays up to date by examining billions of URLs each day.

Binary Authorization
Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE). With Binary Authorization you can require images to be signed by trusted authorities during the development process and then enforce signature validation at deployment, allowing you to keep tighter control over the container images running on your network.

Summary

It’s hard to pick a real winner here: all three providers are excellent when it comes to security, and with the right expert behind the wheel they can all be equally secure. Generally, I would say it's down to you to do the research and find the provider that fits closest to your organization's current architecture; for example, I will always err towards Azure when working with the Microsoft stack, due to the ease of integration with Azure DevOps and Visual Studio.

If I had to pick a few pros and cons for each provider then the first things that spring to mind are as follows:

Provider | Biggest pros | Biggest cons
AWS | Most mature, great documentation, secure out of the box | More time-consuming to configure sometimes; UI can be a little confusing.
Azure | Quickest to configure, great UI, good community | More effort needs expending on security checks to make sure all holes are closed, due to allow being the default policy.
GCP | Best out-of-the-box free security, with encryption on disk and in transit as standard; years of expertise in providing fast infrastructure and security | Due to a lack of maturity, finding security experts and documentation for GCP can be a little tricky sometimes.

I hope this post was useful and whets your appetite for exploring further into cloud security, thanks for reading!
