The COVID-19 pandemic brought more than just a disease and remote work; it was also the catalyst for an unprecedented growth in cybersecurity breaches. It was unavoidable, with more businesses going to the cloud and not enough education on security and networks. The moment was ripe with opportunities to exploit weaknesses and steal information or gain control of business assets.
One might be tempted to think that hackers and cybercriminals focus their efforts on big companies. Unfortunately, nothing could be further from the truth. Mid- and small-size businesses often lack knowledge in security practices, and if they are on the cloud, their accounts can be taken over and exploited for a plethora of purposes.
As a quick example, a colleague of mine discovered that, because of a rookie mistake by one of their junior developers, someone had gotten hold of their AWS account and cranked up the maximum number of allowed machines to mine for cryptocurrency—this was all in a matter of minutes.
It would have been catastrophic were it not for the fact that Amazon was quick in helping them regain access and was able to accurately pinpoint the moment when the breach happened, rolling back all changes and rescinding the charges. If this story reads as an endorsement of cloud services, that’s because it is.
Cloud services are nothing short of amazing, allowing anyone to gain access to a massive amount of computing power with a few clicks while paying for only what you use. If you are thinking about taking your business to the cloud, you have to wonder, who offers the best security practices? Let’s take a look at a cloud provider security comparison and see if we can help you make the right choice.
The Shared Responsibility Model
Cloud security is a system of options and practices. It’s not something you enable with a check box. If you post your private keys in a GitHub repository, that’s on you. Your cloud provider can only go so far in protecting your assets. This is what we call the shared responsibility model (SRM).
The SRM is a framework that helps us differentiate between when a cloud provider is accountable for security and when a business is accountable for security. Both areas in tandem make up the totality of cloud security. There tends to be confusion around cloud security because many companies are not aware of what falls on them and what falls on the cloud service provider. To make matters more confusing, each provider has its own policies regarding the shared responsibility model.
Microsoft’s shared responsibility model divides the responsibilities into 3 broad and flexible categories that change depending on the type of service.
- The first category is when responsibility falls on the customer. This involves information and data, devices (PC or mobile), accounts, and access rights. In other words, if it has to do with users and how they access the network, it falls on you.
- The second category is when responsibility varies by service type. In most of these cases the responsibility could fall on either Microsoft or the customer depending on the situation.
- The third category is when responsibility falls completely on the provider and includes operating systems as well as the physical aspect of the cloud (be it servers, networks, or other).
In comparison, Amazon has a very straightforward model: anything that is "in" the cloud (information, data, accounts, access rights, network, and firewall configuration) is on the customer, and anything that is "of" the cloud rests on Amazon’s shoulders. There is no middle ground as in Azure’s model.
In stark contrast to the other two, Google Cloud has an extremely detailed model called the responsibility matrix, which goes over each service detail by detail. There is simply too much to go over in this article, but suffice it to say, it’s the most complex model of the 3. Although it is hard to navigate, it’s actually quite unambiguous, since it’s worded almost like a contract.
Who Has Better Security: AWS, Azure, or Google Cloud?
Now, let’s compare the 3 services’ security solutions against one another.
In terms of distributed denial of service (DDoS) attacks, Azure has its own DDoS Protection solution, AWS offers a service called Shield, and Google offers Google Cloud Armor. All three are fantastic solutions with very little to tell them apart.
As for safekeeping, Azure provides Key Vault, a service that stores secrets and keys and can also be used to store certificates. Google Cloud has a similar product called Secret Manager, with pretty much the same functionality. While AWS also has Secrets Manager, it’s only for storing secrets, but there is a workaround to also safeguard certificates.
VPNs are a fantastic way to prevent unwanted access to your servers, and all 3 services provide a VPN solution. Azure and AWS provide site-to-site and point-to-site solutions. The former allows for up to 30 connections while the latter only allows for 10 connections. Google Cloud lags behind, only offering site-to-site solutions.
As for securing data, all 3 services provide IAM policies, firewall rules (including IP whitelisting), and encryption in transit (TLS). All 3 services are pretty similar in both functionality and usability, so it’s a three-way tie.
It’s also worth mentioning that each cloud platform offers a marketplace where customers can make use of third-party vendor applications to meet specific security requirements. AWS and Azure are outstanding in this regard, with Google Cloud trying to catch up.
Which Cloud Provider Is Most Secure?
While we could give a straight answer, the truth of the matter is that all 3 services are equally secure. Each has its own strengths and weaknesses. But out of the 40% of people who have reported data breaches in the last few years, 80% of cases can be traced back to inside jobs and bad security practices.
When choosing your cloud provider, take into account the security practices that they have in place and make sure that the team handling the project has security training pertaining to the platform—that’s the single most important tip in creating a safe cloud infrastructure.