Riaan Lowe here, and welcome to Cloud Provider Comparisons. In this series, we take a look at the same cloud services across different cloud providers. We'll look at the similarities, the differences, and anything else that might be interesting. So we have all heard the term cloud computing and hosting resources in the cloud, but recently, with all of the security breaches happening around the world, there is a strong focus on securing resources in the cloud. In this episode, we'll explore security offerings from AWS, Azure, and Google Cloud.

So cloud security is actually a combination of security controls and settings, and not just a single setting or checkbox. There is often confusion around cloud security, and that's because organizations don't always know what they are responsible for. What's even worse is that some organizations think that the cloud platforms are responsible for anything security related, and that's a big problem, because it's definitely not the case. In order to better understand who is responsible for security in the cloud, we need to reference something called the shared responsibility model.

So, in a nutshell, the shared responsibility model is a framework that helps differentiate when the cloud provider is accountable for security and when your organization is accountable for security, based on what is deployed in the cloud. Now let's take a look at the three cloud platforms' approach to the shared responsibility model. Let's start with Azure. Azure splits responsibility into three main categories. The first: the customer is always responsible. This is relevant to information, data, and devices such as mobile and PCs, as well as user accounts, which are also called identities. The second category is less black and white and more of a gray area, as this differs based on the cloud model used, such as software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS). Lastly, we have the category called cloud provider responsibility. This is when the cloud provider is solely responsible for security, whether the service is SaaS, PaaS, or IaaS. An example of this would be the physical infrastructure in the data centers hosting these services. AWS has taken a more simplistic approach to the shared responsibility model and split it into two sections. The first: customers are responsible for security in the cloud. Users are responsible for their own data, user accounts, applications, and so forth. AWS is responsible for security of the cloud, and this includes underlying hardware within the data centers, such as physical hosts, storage, and networking. Google's approach to the shared responsibility model is a bit more complex, as they specify in detail, in each instance, who is responsible for security. We'll be sure to leave a link in the description if you want to take a look. But in general, all three cloud providers follow the same principles for shared responsibility; they just have slightly different approaches.

As we just saw under the different shared responsibility models, organizations are responsible for user accounts. This forms part of what is called identity and access management, or IAM for short. IAM is a term used for defining user access with a privileged role, also known as role-based access control. Let's take a look at what options are available across Google Cloud Platform, AWS, and Azure. There are some shared user and IAM features found across all three platforms, including multi-factor authentication (MFA), single sign-on (SSO), built-in role-based access control (RBAC), and custom role-based access control. One key difference, though, across the platforms is privileged access management, or PAM, which is used to manage privileged accounts for users or resources deployed based on IaaS, PaaS, or SaaS. Azure offers a service called Privileged Identity Management, which includes just-in-time privileged access to Azure AD and Azure resources. AWS and GCP don't have a built-in feature to address PAM; however, you are able to deploy a third-party solution to address this via the Marketplace.

Let's go ahead and compare some of the IaaS workload security solutions each platform offers. In terms of distributed denial of service protection, Azure calls their offering, unsurprisingly, DDoS Protection. AWS has Shield, and GCP has Google Cloud Armor. In terms of features, they all in principle do a similar thing. When it comes to secrets management, Azure has a service called Key Vault, which is used to store secrets like passwords and keys, and it also supports storing of certificates. AWS calls their offering Secrets Manager. It is used for storing secrets only, although it also provides a mechanism for storing certificates. GCP Secrets Manager works the same as the other platforms and provides the functionality to store passwords and certificates. For virtual private networking, AWS VPN supports point-to-site and site-to-site options, with a site-to-site connection limit of 10 connections for a VPN gateway. Azure VPN Gateway supports point-to-site and site-to-site VPNs, with a limitation of a maximum of 30 site-to-site connections per VPN gateway. Google Cloud VPN only supports site-to-site VPN connections and does not currently support point-to-site connections.

Next up, let's have a look at how the platforms approach platform as a service, or PaaS, security. Let's focus on securing data, as this hosts important organizational or customer information, which is one of the main goals for hackers. All three cloud platforms support the following security controls from a database point of view: identity and access management policies, or IAM policies; firewall rules, which include IP whitelisting (this is where organizations can expose databases through the internet but only allow the organization's public IP address to connect to it); encryption in transit, or TLS (this specifies if the database supports secure connections to it); and encryption at rest, or TDE (this specifies if the database supports encryption at rest by means of hard-drive-level encryption).

Most organizations have to comply with a set of security standards, and the same rules apply for cloud workloads. Let's take a moment to understand how the cloud platforms help organizations meet cloud security compliance. Azure has the Azure Security Center, GCP has the Trust and Security Center, and AWS calls their security assessment service Amazon Inspector. Compliance tools on all three cloud platforms support most compliance standards, such as ISO 27001, PCI DSS, and many more. These tools have the capability to audit the resources deployed and advise on security best practices to ensure your environment is secure and you have not missed anything major from a security or configuration point of view.

Lastly, it's worth mentioning that each cloud platform offers a marketplace where customers can make use of third-party vendor applications to meet specific security requirements. AWS and Azure are leading the way on this, with GCP trying to catch up. So, at the end of the day, when you choose a cloud provider, there are multiple security decisions to make alongside other considerations such as pricing, hybrid identities, and skills to support your solutions. If you want to learn more, have a look at A Cloud Guru's courses in cloud security for a more in-depth breakdown and hands-on approach. Thanks for watching, stay safe, and keep being awesome, Cloud Gurus.
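The video lists four database controls that all three platforms support (IAM policies, firewall rules with IP whitelisting, TLS in transit, and encryption at rest) and then describes compliance tools that audit deployed resources against best practices. The script below is an added example, not code from the video or from A Cloud Guru, that shows what such an audit boils down to: it evaluates a database configuration against exactly those four controls and reports findings. The `DatabaseConfig` structure and its field names are an assumption made for this example (no provider's real API looks like this), and the two sample configurations are constructed, one deliberately weak and one hardened, so the checks can be run offline.

```python
"""Audit a database configuration against the four controls discussed in the
video: IAM policy, firewall/IP allowlist, TLS in transit, encryption at rest.

The configuration format below is an assumption made for this example; it is
not any cloud provider's real resource schema."""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class DatabaseConfig:
    name: str
    iam_principals: list                 # principals granted access; "*" means anyone
    firewall_rules: list                 # CIDR strings allowed to connect
    require_tls: bool                    # encryption in transit enforced?
    encryption_at_rest: bool             # TDE / disk-level encryption enabled?
    org_public_cidrs: list = field(default_factory=list)  # the organization's own public ranges


def audit_database(cfg: DatabaseConfig) -> list:
    """Return a list of (severity, finding) tuples; an empty list means all four controls pass."""
    findings = []

    # Control 1: IAM policy must not grant access to every principal.
    if "*" in cfg.iam_principals:
        findings.append(("high", "IAM policy grants access to all principals ('*')"))

    # Control 2: the firewall allowlist should contain only the organization's public ranges.
    org_nets = [ip_network(c) for c in cfg.org_public_cidrs]
    for rule in cfg.firewall_rules:
        net = ip_network(rule)
        if net.prefixlen == 0:
            findings.append(("high", f"firewall rule {rule} exposes the database to the whole internet"))
        elif not any(net.subnet_of(o) for o in org_nets if o.version == net.version):
            findings.append(("medium", f"firewall rule {rule} is outside the organization's public ranges"))

    # Control 3: encryption in transit.
    if not cfg.require_tls:
        findings.append(("high", "TLS is not enforced for client connections"))

    # Control 4: encryption at rest.
    if not cfg.encryption_at_rest:
        findings.append(("medium", "encryption at rest (TDE) is disabled"))

    return findings


def summarize(cfg: DatabaseConfig) -> str:
    """One-line verdict for a report: 'PASS' or 'FAIL (<n> findings)'."""
    findings = audit_database(cfg)
    return "PASS" if not findings else f"FAIL ({len(findings)} findings)"


# Constructed sample configurations (not real deployments). 203.0.113.0/24 is a
# documentation range standing in for the organization's public address space.
WEAK_DB = DatabaseConfig(
    name="orders-db-weak",
    iam_principals=["*"],
    firewall_rules=["0.0.0.0/0"],
    require_tls=False,
    encryption_at_rest=False,
    org_public_cidrs=["203.0.113.0/24"],
)

HARDENED_DB = DatabaseConfig(
    name="orders-db-hardened",
    iam_principals=["group:db-admins", "serviceAccount:orders-app"],
    firewall_rules=["203.0.113.10/32"],
    require_tls=True,
    encryption_at_rest=True,
    org_public_cidrs=["203.0.113.0/24"],
)


if __name__ == "__main__":
    for cfg in (WEAK_DB, HARDENED_DB):
        print(cfg.name, summarize(cfg))
        for severity, message in audit_database(cfg):
            print(f"  [{severity}] {message}")
```

Run as a script it prints four findings for the weak configuration and `PASS` for the hardened one. The firewall check is the part worth noticing: a `0.0.0.0/0` rule is flagged outright, while any narrower rule that is not inside the organization's declared public ranges is reported separately, which is the distinction the video draws between exposing a database to the internet and allowing only the organization's own public IP.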