Comparing AWS, Microsoft and Google Cloud: Cyber security in the public cloud – Channel Asia Singapore

Adam Selipsky (CEO - AWS); Satya Nadella (CEO - Microsoft) and Thomas Kurian (CEO - Google Cloud)

Credit: AWS / Microsoft / Google Cloud

Among the biggest considerations companies face when selecting public cloud service providers is the level of cyber security they offer, meaning the features and capabilities they put in place to protect their own networks and services and to keep their customers’ data safe from breaches and other attacks.

The three major cloud providers — Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) — each take security seriously for obvious reasons. One well-publicised security breach that ends up being blamed on their services could scare off untold numbers of prospective customers, cost millions of dollars in losses, and possibly lead to regulatory compliance penalties.

Here’s what the big three cloud providers offer in four key areas of cyber security.

Network and infrastructure security

Amazon Web Services

AWS provides several security capabilities and services designed to increase privacy and control network access. These include network firewalls that allow customers to create private networks and control access to instances or applications. Companies can control encryption in transit across AWS services.

Also included are connectivity options that enable private or dedicated connections; distributed denial of service mitigation technologies that can be applied as part of application and content delivery strategies; and automatic encryption of all traffic on the AWS global and regional networks between AWS secured facilities.

Microsoft Azure

Microsoft Azure runs in data centres managed and operated by Microsoft. These geographically dispersed data centres comply with key industry standards for security and reliability, according to the company. The data centres are managed, monitored, and administered by Microsoft operations staff with years of experience.

Microsoft also conducts background verification checks of operations personnel and limits access to applications, systems, and network infrastructure in proportion to the level of background verification.

Azure Firewall is a managed, cloud-based network security service that protects Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted scalability. Azure Firewall can decrypt outbound traffic, perform the required security checks, and then re-encrypt the traffic before forwarding it to its destination. Administrators can allow or deny user access to website categories such as gambling, social media, or others.

Google Cloud Platform

Google has designed and built hardware specifically for security, such as Titan, a custom security chip that GCP uses to establish a hardware root of trust in its servers and peripheral devices. Google also builds its own network hardware to improve security. All of this feeds into its data centre designs, which include multiple layers of physical and logical protection.

On the network side, GCP has designed and continues to evolve the global network infrastructure that supports its cloud services to withstand attacks such as distributed denial-of-service (DDoS) and protect its services and customers. In 2017, the infrastructure absorbed a 2.5 Tbps DDoS, the highest-bandwidth attack reported to date.

In addition to the built-in capabilities of its global network infrastructure, GCP offers network security capabilities that customers can choose to deploy. These include cloud load balancing and Cloud Armor, a network security service that provides defences against DDoS and application attacks.

Google employs several security measures to help ensure the authenticity, integrity, and privacy of data in transit. It encrypts and authenticates data in transit at one or more network layers when data moves outside physical boundaries not controlled by Google.

Identity and access control

Amazon Web Services

AWS offers capabilities to define, enforce, and manage user access policies across AWS services. These include AWS Identity and Access Management (IAM), which lets companies define individual user accounts with permissions across AWS resources, and AWS Multi-Factor Authentication for privileged accounts, which includes options for software-based and hardware-based authenticators.

AWS IAM can be used to grant employees and applications federated access to the AWS Management Console and AWS service APIs, using existing identity systems such as Microsoft Active Directory or other partner offerings.

AWS also offers AWS Directory Service, which lets organisations integrate and federate with corporate directories to reduce administrative overhead and improve end-user experience, and AWS Single Sign-On (SSO), which enables organisations to manage user access and user permissions to all of their accounts in AWS.
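As an added illustration of the IAM controls described above (this is example code, not AWS's own tooling or anything from the article), the following Python builds a least-privilege S3 policy whose destructive action is gated on the real IAM condition key aws:MultiFactorAuthPresent, and then runs a small linter over it and over a deliberately over-broad policy. The bucket name, statement IDs and the list of "privileged" action prefixes are constructed for the example.

```python
"""Least-privilege IAM policy with an MFA condition, plus a small policy linter.

Added example; not AWS documentation or code from the article. Bucket name,
statement IDs and the PRIVILEGED_PREFIXES list are constructed placeholders.
"""
import json

# Constructed sample policy: read access to one bucket prefix, and object
# deletion only when the caller authenticated with MFA. The condition key
# aws:MultiFactorAuthPresent is a real IAM global condition key.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReports",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-reports-bucket",
                "arn:aws:s3:::example-reports-bucket/reports/*",
            ],
        },
        {
            "Sid": "DeleteWithMfaOnly",
            "Effect": "Allow",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::example-reports-bucket/reports/*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
    ],
}

# Constructed over-broad policy of the kind the linter should flag.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "IamWriteNoMfa",
            "Effect": "Allow",
            "Action": ["iam:CreateUser", "iam:AttachUserPolicy"],
            "Resource": "*",
        },
    ],
}

# Action prefixes that change identities or permissions; we expect an MFA
# condition on any Allow statement granting them (constructed list).
PRIVILEGED_PREFIXES = ("iam:", "sts:AssumeRole", "organizations:")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def requires_mfa(statement):
    """True if the statement carries the MFA-present condition."""
    cond = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        val = cond.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if val is not None and str(val).lower() == "true":
            return True
    return False


def lint_policy(policy):
    """Return (Sid, finding) tuples for Allow statements that are wildcard-scoped
    or that grant privileged actions without an MFA condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" for a in actions):
            findings.append((sid, "Action '*' grants every API call"))
        if any(r == "*" for r in resources) and any(
            a == "*" or a.endswith(":*") for a in actions
        ):
            findings.append((sid, "wildcard Action on Resource '*'"))
        privileged = [a for a in actions if a.startswith(PRIVILEGED_PREFIXES)]
        if privileged and not requires_mfa(stmt):
            findings.append((sid, f"privileged actions {privileged} without MFA condition"))
    return findings


if __name__ == "__main__":
    print(json.dumps(SAMPLE_POLICY, indent=2))
    for name, pol in (("sample", SAMPLE_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, lint_policy(pol))
```

The linter is intentionally narrow: it catches the two mistakes that most often undo least privilege in practice (wildcard actions on wildcard resources, and identity-changing permissions that are not tied to MFA), and it reports by statement ID so findings map straight back to the policy document.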

Microsoft Azure

Azure Active Directory (Azure AD) is an enterprise identity service that provides single sign-on, multi-factor authentication, and conditional access to Azure services as well as to corporate networks, on-premises resources, and thousands of SaaS applications.

Azure AD enables organisations to protect identities with secure adaptive access, to simplify access and streamline control with unified identity management, and to ensure compliance with simplified identity governance. Microsoft says it can help protect users from 99.9 per cent of cyber security attacks.

Google Cloud Platform

Google’s Cloud Identity and Access Management offers several ways to manage identities and roles in Google Cloud. For one, Cloud IAM lets administrators authorise who can take action on specific resources, providing full control and visibility to manage GCP resources centrally. In addition, for enterprises with complex organisational structures, hundreds of workgroups, and many projects, Cloud IAM provides a unified view into security policy across the entire organisation, with built-in auditing to ease compliance processes.

Also available is Cloud Identity, an identity as a service (IDaaS) offering that centrally manages users and groups. Companies can configure Cloud Identity to federate identities between Google and other identity providers. GCP also provides Titan Security Keys that provide cryptographic proof that users are interacting with legitimate services (i.e. services they registered their security key with) and that they are in possession of their security key.
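The "legitimate services" property described above comes from the FIDO2/WebAuthn protocol that Titan Security Keys implement: the key signs, among other things, a SHA-256 hash of the relying party identifier, so an assertion produced for a look-alike domain does not verify for the real service. The Python below is an added example (not Google's code, the Titan key firmware, or anything from the article) showing the checks a relying party performs on the authenticator data: rpIdHash against the expected RP ID, the user-presence and user-verification flags, and the signature counter. The relying party ID "example.com", the look-alike "examp1e.com" and the counter values are constructed; verifying the ECDSA signature over the authenticator data and client data hash is outside this snippet.

```python
"""Relying-party checks on FIDO2/WebAuthn authenticator data.

Added example; not Google's code or the Titan key firmware. Sample RP IDs and
counter values are constructed. Signature verification itself is not shown.
"""
import hashlib
import struct

FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN or biometric)


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct the 37-byte authenticator data prefix an authenticator emits:
    rpIdHash (32) || flags (1) || signCount (4, big-endian). Test input only."""
    return (
        hashlib.sha256(rp_id.encode()).digest()
        + bytes([flags])
        + struct.pack(">I", sign_count)
    )


def verify_authenticator_data(auth_data: bytes, expected_rp_id: str,
                              last_sign_count: int, require_uv: bool = False) -> int:
    """Validate rpIdHash, the presence/verification flags and the signature
    counter. Returns the new counter to store; raises ValueError on failure."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]

    # Origin binding: the key hashed the RP ID it was registered with, so an
    # assertion made for another domain fails here before any signature check.
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch: assertion made for a different relying party")
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required but not performed")
    # A counter that fails to increase suggests a cloned authenticator
    # (a counter of 0 means the authenticator does not implement one).
    if sign_count != 0 and sign_count <= last_sign_count:
        raise ValueError("signature counter did not increase")
    return sign_count


def try_verify(auth_data: bytes, expected_rp_id: str, last_sign_count: int,
               require_uv: bool = False):
    """Non-raising wrapper: (True, new_counter) or (False, reason)."""
    try:
        return True, verify_authenticator_data(auth_data, expected_rp_id,
                                               last_sign_count, require_uv)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    genuine = build_authenticator_data("example.com", FLAG_UP | FLAG_UV, 42)
    lookalike = build_authenticator_data("examp1e.com", FLAG_UP | FLAG_UV, 42)
    print("genuine:  ", try_verify(genuine, "example.com", 41))
    print("lookalike:", try_verify(lookalike, "example.com", 41))
    print("replay:   ", try_verify(genuine, "example.com", 42))
```

The important design point is the order of checks: the RP ID hash is compared before anything else, so a credential registered with the real service simply cannot produce a usable assertion for another domain, which is what makes hardware keys resistant to credential phishing in a way that one-time codes are not.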
