Among the biggest considerations companies face when selecting public cloud service providers is the level of cyber security they offer, meaning the features and capabilities they put in place to protect their own networks and services and to keep their customers’ data safe from breaches and other attacks.
The three major cloud providers -- Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) -- each take security seriously for obvious reasons. One well-publicised security breach that ends up being blamed on their services could scare off untold numbers of prospective customers, cost millions of dollars in losses, and possibly lead to regulatory compliance penalties.
Here’s what the big three cloud providers are providing in four key areas of cyber security.
Network and infrastructure security
Amazon Web Services
AWS provides several security capabilities and services designed to increase privacy and control network access. These include network firewalls that allow customers to create private networks and control access to instances or applications. Companies can control encryption in transit across AWS services.
Also included are connectivity options that enable private or dedicated connections; distributed denial of service mitigation technologies that can be applied as part of application and content delivery strategies; and automatic encryption of all traffic on the AWS global and regional networks between AWS secured facilities.
Microsoft Azure runs in data centres managed and operated by Microsoft. These geographically dispersed data centres comply with key industry standards for security and reliability, according to the company. The data centres are managed, monitored, and administered by Microsoft operations staff with years of experience.
Microsoft also conducts background verification checks of operations personnel and limits access to applications, systems, and network infrastructure in proportion to the level of background verification.
Azure Firewall is a managed, cloud-based network security service that protects Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted scalability. Azure Firewall can decrypt outbound traffic, perform the required security checks, and then re-encrypt the traffic before forwarding it to its destination. Administrators can allow or deny user access to website categories such as gambling, social media, or others.
Google Cloud Platform
The company has designed and implemented hardware specifically for security, such as Titan, a custom security chip that GCP uses to establish a hardware root of trust in its servers and peripheral devices. Google builds its own network hardware to improve security. This all rolls up into its data center designs, which include multiple layers of physical and logical protection.
On the network side, GCP has designed and continues to evolve the global network infrastructure that supports its cloud services to withstand attacks such as distributed denial-of-service (DDoS) and protect its services and customers. In 2017, the infrastructure absorbed a 2.5 Tbps DDoS, the highest-bandwidth attack reported to date.
In addition to the built-in capabilities of its global network infrastructure, GCP offers network security capabilities that customers can choose to deploy. These include cloud load balancing and Cloud Armor, a network security service that provides defences against DDoS and application attacks.
Google employs several security measures to help ensure the authenticity, integrity, and privacy of data in transit. It encrypts and authenticates data in transit at one or more network layers when data moves outside physical boundaries not controlled by Google.
Identity and access control
Amazon Web Services
AWS offers capabilities to define, enforce, and manage user access policies across AWS services. These include AWS Identity and Access Management (IAM), which lets companies define individual user accounts with permissions across AWS resources, and AWS Multi-Factor Authentication for privileged accounts, which includes options for software-based and hardware-based authenticators.
AWS IAM can be used to grant employees and applications federated access to the AWS Management Console and AWS service APIs, using existing identity systems such as Microsoft Active Directory or other partner offerings.
AWS also offers AWS Directory Service, which lets organisations integrate and federate with corporate directories to reduce administrative overhead and improve end-user experience, and AWS Single Sign-On (SSO), which enables organisations to manage user access and user permissions to all of their accounts in AWS.
Azure Active Directory (Azure AD) is an enterprise identity service that provides single sign-on, multi-factor authentication, and conditional access to Azure services as well as to corporate networks, on-premises resources, and thousands of SaaS applications.
Azure AD enables organisations to protect identities with secure adaptive access, to simplify access and streamline control with unified identity management, and to ensure compliance with simplified identity governance. Microsoft says it can help protect users from 99.9 per cent of cyber security attacks.
Google Cloud Platform
Google’s Cloud Identity and Access Management offers several ways to manage identities and roles in Google Cloud. For one, Cloud IAM lets administrators authorise who can take action on specific resources, providing full control and visibility to manage GCP resources centrally. In addition, for enterprises with complex organisational structures, hundreds of workgroups, and many projects, Cloud IAM provides a unified view into security policy across the entire organisation, with built-in auditing to ease compliance processes.
Also available is Cloud Identity, an identity as a service (IDaaS) offering that centrally manages users and groups. Companies can configure Cloud Identity to federate identities between Google and other identity providers. GCP also provides Titan Security Keys that provide cryptographic proof that users are interacting with legitimate services (i.e. services they registered their security key with) and that they are in possession of their security key.
Finally, Cloud Resource Manager provides resource containers such as organisations, folders, and projects that allow organisations to group and hierarchically organise GCP resources.
Data protection and encryption
Amazon Web Services
AWS offers the ability to add a layer of security to data at rest in the cloud. It provides scalable encryption features including data-at-rest encryption capabilities in most AWS services including Amazon EBS, Amazon S3, Amazon RDS, Amazon Redshift, Amazon ElastiCache, AWS Lambda, and Amazon SageMaker.
Also available are flexible key management options including the AWS Key Management Service that lets companies choose whether to have AWS manage the encryption keys or to keep complete control over their own keys; dedicated, hardware-based cryptographic key storage using AWS CloudHSM; and encrypted message queues for the transmission of sensitive data using server-side encryption (SSE) for Amazon SQS.
Azure Key Vault helps safeguard cryptographic keys and secrets that cloud applications and services use. Azure Key Vault is designed to streamline the key management process and enable companies to maintain control of keys that access and encrypt data. Developers can create keys for development and testing in minutes, and then migrate them to production keys. Security administrators can grant and revoke permission to keys as needed.
Microsoft Information Protection and Microsoft Information Governance help protect and govern data within Microsoft 365. Microsoft Information Protection extends data loss prevention across all of Microsoft 365 applications and services, as well as Windows 10 and Edge. Azure Purview helps organisations to understand where their structured data lives so they can better protect and govern that data.
Google Cloud Platform
Google offers Confidential Computing, what it calls a “breakthrough” technology that encrypts data in-use -- i.e., while the data is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit.
The first product in the Confidential Computing portfolio is Confidential VMs. Google already uses a variety of isolation and sandboxing techniques as part of its cloud infrastructure to help make its multi-tenant architecture secure, and Confidential VMs take this to the next level by offering memory encryption so that users can further isolate workloads in the cloud.
Another offering, Cloud External Key Manager (Cloud EKM), lets organisations use keys that they manage within a supported external key management partner to protect data within Google Cloud Platform. Companies can maintain key provenance over third-party keys, with control over the creation, location, and distribution of keys. They also have full control over who accesses their keys.
Amazon Web Services
AWS Shield is a managed DDoS protection service that safeguards applications running on the Amazon cloud. AWS Shield provides always-on detection and automatic inline mitigations designed to minimise application downtime and latency. There are two tiers of AWS Shield, Standard and Advanced.
All AWS customers are entitled to the automatic protections of AWS Shield Standard, which the company says defends against most common network layer and transport layer DDoS attacks that target websites or applications. When Shield Standard is used with Amazon CloudFront and Amazon Route 53, customers receive comprehensive protection against all known infrastructure attacks.
For higher levels of protection against attacks aimed at applications running on Amazon EC2, Elastic Load Balancing, Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 resources, companies can opt for AWS Shield Advanced.
In addition to the network layer and transport layer protections that come with Shield Standard, Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, the cloud provider’s web application firewall.
Microsoft Cloud App Security is a cloud app security broker that combines multi-function visibility, control over data travel, user activity monitoring, and sophisticated analytics, allowing customers to identify and combat cyber threats across all of their Microsoft and third-party cloud services.
Designed for information security professionals, Cloud App Security natively integrates with security and identity tools including Azure Active Directory, Microsoft Intune, Microsoft Information Protection, and supports various deployment modes including log collection, API connectors, and reverse proxy.
Google Cloud Platform
Google Cloud Web App and API Protection (WAAP) provides comprehensive threat protection for web applications and APIs. Cloud WAAP is based on the same technology Google uses to protect its public-facing services against web application exploits, DDoS attacks, fraudulent bot activity, and API targeted threats.
Cloud WAAP represents a shift from siloed to unified application protection and is designed to deliver improved threat prevention, greater operational efficiencies, and consolidated visibility and telemetry. It also provides protection across clouds and on-premises environments, Google says.
Cloud WAAP combines three products to provide comprehensive protection against threats and fraud. One is Google Cloud Armor, which is part of GCP’s global load balancing infrastructure and provides web application firewall and anti-DDoS capabilities.
Another is Apigee API Management, which provides API lifecycle management capabilities with a heavy focus on security. The third is reCaptcha Enterprise, which provides protection from fraudulent activity, spam, and abuses such as credential stuffing, automated account creation, and exploits from automated bots.
Another GCP offering, Cloud Security Scanner, scans for vulnerabilities and insights into web application vulnerabilities and allows companies to take action before a bad actor can exploit them.