Cloud Security Overview Of AWS, GCP & Azure
Cloud was a hype in 2010–2011, but today it has become a necessity. With a lot of organisations moving to cloud, the need for cloud security has become the top most priority.But before that, those of you who are new to cloud computing, Cloud computing is a $136 billion industry, and it continues to grow. As consumers become more technology-savvy, individual use of cloud services enters the realm of convention. Cloud migration is picking up speed because it introduces cost-effective and flexible services into a previously expensive technological sphere. However, cloud computing also gives rise to new security challenges.
What is cloud security?
Cloud security, also known as cloud computing security, consists of a set of policies, controls, procedures and technologies that work together to protect cloud-based systems, data, and infrastructure. These security measures are configured to protect cloud data, support regulatory compliance and protect customers’ privacy as well as setting authentication rules for individual users and devices. From authenticating access to filtering traffic, cloud security can be configured to the exact needs of the business.
According to recent research, 1 in 4 companies using public cloud services have experienced data theft by a malicious actor. An additional 1 in 5 has experienced an advanced attack against their public cloud infrastructure. In the same study, 83% of organizations indicated that they store sensitive information in the cloud.
Why is cloud security important?
- Guard Against Security Breaches: The cost of an average security breach for a company is a cool $3.8 million.This figure rises to $7.9 million for American companies with an average time of 196 days for the detection of the breach in the first place. Data security on the cloud is important because you’re no longer in total control. If, for example, you choose to run your applications on either a public or hybrid cloud, you’re effectively putting your trust in a third-party.
- Manage Remote Work: One of the benefits of using cloud computing is the sheer accessibility of data. Your critical applications can be accessed by employees from anywhere in the world. If employees uses public wifi for particular tasks such as web surfing, it introduces risk of malware and phishing attacks.New malware variants for mobile increased by 54 percent in 2017 according to Symantec’s Internet Security Threat Report, so this is a real threat
- Ensure Disaster Recovery:Disaster can strike at any time, be it fire, flooding, or other natural causes.This could wipe out all of your data. Unless you’ve safely secured and protected your data, you could, potentially, be at risk of at a total standstill.
- Comply With Regulations:Data protection standards like HIPAA and GDPR are rules that businesses must take seriously –- otherwise, they will incur the wrath of regulators.These standards were put together to ensure the integrity and security of customer data.You can’t simply pass the blame on to a third-party vendor (your cloud computing provider in this case) and expect little to no retribution.
- Eliminate Weak Links and Build Access levels: 40% of organizations using cloud storage accidentally leaked data to the public. These leaks weren’t a result of malicious intent; rather, they were a result of poor security best practices. One best practice of cloud security is enforcing access controls on employees by just limiting access to data only to those individuals who need it. This makes it much harder for hackers to infiltrate and prevents errors that lead to data leaks.
Attacks & Threats For Cloud
When it comes to Cloud Security, unfortunately vulnerabilities have been found in the Cloud environment which leads to attacks. Here are some of them given below,
One of the most damaging threats to cloud computing is a Denial of Service (DoS) attack. In DoS attack, the attacker tries to prevent the legitimate users to access the resources in the cloud.In a malware injection attack, an attacker tries to insert mischievous code or service which emerges like the existing services executing in the cloud.An attacker attempts to compromise the cloud system by placing a malicious virtual machine in close propinquity to a target cloud server system and then debut a side channel attack. Authentication (attack) is a weak issue in the hosted and virtual services and is very frequently targeted.
Insider threats can be malicious — such as members of staff going rogue — but they can also be due to negligence or simple human error. Perhaps the greatest threat to a business that uses cloud computing technologies is the challenge of hijacked accounts. Sometimes it can be the case that your own system is highly secure, but you are let down by external applications.
This gives a basic idea of attacks and threats for cloud computing. Detailed Understanding of these attacks and threats is not scope of this blog. There are 3 major cloud providers in the market viz, Google Cloud Platform, Amazon Web Services and Azure by Microsoft.
Now, let’s overview cloud security features offered by each of them.
Amazon Web Services: Overview of Security Processes
Amazon Web Services (AWS) delivers a scalable cloud computing platform with high availability and dependability, providing the tools that enable customers to run a wide range of applications. AWS handles basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery.
AWS has an array of security mechanisms available to its clients. First of all, the company offers a comprehensive account- and infrastructure-wide protection. Secondly, they have additional security measures for individual AWS services. Here is a quick rundown of the available tools. AWS security tools include IAM, Trusted advisor, Key management service, Cloud Trail, Cloud Watch and AWS Config. AWS comes with variety of IT security standards, including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70) ,FISMA, DIACAP, and FedRAMP, ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018, MTCS Level 3, etc.
While physical and environmental security is concerned AWS provides the basic must securities like Fire Detection and Suppression, Power, Climate and Temperature, Management, Storage Device Decommissioning, etc.The AWS network has been architected to permit you to select the level of security and resiliency appropriate for your workload. In network security ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic. You can connect to an AWS access point via HTTP or HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery.
The AWS Trusted Advisor customer support service not only monitors for cloud performance and resiliency, but also cloud security. The AWS Trusted Advisor service provides four checks at no additional charge to all users, including three important security checks: specific ports unrestricted, IAM use, and MFA on the root account.
Amazon Elastic Compute Cloud (Amazon EC2) Security includes Multiple Levels of Security, Hypervisor, Instance Isolation, Firewall, API Access and Permissions. In Elastic Block Storage (Amazon EBS) AWS provides the ability to encrypt EBS volumes and their snapshots with AES-256. Requests in AWS Direct Connect are signed with an HMAC-SHA1 signature calculated from the request and the user’s private key. Additionally, the Amazon CloudFront control API is only accessible via SSL-enabled endpoints.
Trend Micro Deep Security helps prevent network attacks with intrusion detection and prevention (IDS/IPS), shields live environment from vulnerabilities, keeps malware offloads, alerts you to suspicious changes and much more.
Alert Logic Professional — Threat Detection and Incident Management helps streamline security in AWS by deploying lightweight agents on EC2 instances for network traffic inspection.
Gemalto SafeNet ProtectV for Amazon EC2 (EC2) secures sensitive and highly-regulated data by encrypting entire virtual machine instances and attached storage volumes.
With the Gemalto SafeNet ProtectV and KeySecure solutions, Informa was able to migrate to the cloud while guarding sensitive assets against access by unauthorized users.
Tenable is used to gather live information about vulnerabilities, malware, misconfigurations, and policy violations throughout the organization.FortiGate Next-Generation Firewall technology delivers content and network protection by combining stateful inspection with a comprehensive suite of powerful security features. Application control, antivirus, intrusion prevention system (IPS) technology, web filtering, and virtual private network (VPN) along with advanced features such as an extreme threat database, vulnerability management, and flow-based inspection work in concert to identify and mitigate complex security threats.
Infocyte monitors your environment for malicious activity, performs fast AI-based risk assessments, and responds to security events in real-time. Darktrace is a Cyber AI Platform is a self-learning, dynamic defense solution that continually learns, identifies, and responds to security events.
Azure: Overview of Security Processes
Azure uses a wide array of security tools and capabilities. These tools and capabilities make it possible to create secure solutions on the secure Azure platform. Microsoft Azure provides confidentiality, integrity, and availability of customer data, while also enabling transparent accountability.
Features to secure the Azure platform
The built-in capabilities are organized in six functional areas: Operations, Applications, Storage, Networking, Compute, and Identity.
- Operations: This section provides additional information regarding key features in security operations and summary information about these capabilities. Azure Security tools help for confidentiality, integrity, and availability security triad in Azure Resource Manager, Application Insights, Azure Monitor logs, Azure Advisor & Azure Security Center.
- Applications: Tinfoil security is used for Web Application vulnerability scanning. The web application firewall (WAF) helps to protect web applications from common web-based attacks like SQL injection, cross-site scripting attacks, and session hijacking. It comes pre configured with protection from threats identified by the Open Web Application Security Project (OWASP) as the top 10 common vulnerabilities. App Service web apps provide diagnostic functionality for logging information from both the web server and the web application. These are logically separated into web server diagnostics and application diagnostics. Web server includes two major advances in diagnosing and troubleshooting sites and applications.
- Storage: Azure role-based access control (Azure RBAC) is used to secure the storage account. A shared access signature (SAS) provides delegated access to resources in your storage account. The SAS means that you can grant a client limited permissions to objects in a storage account for a specified period and with a specified set of permissions. Encryption in Transit is a mechanism of protecting data when it is transmitted across networks, Data is secured using Transport-level encryption, such as HTTPS when you transfer data into or out of Azure Storage, and Wire encryption, such as SMB 3.0 encryption for Azure File shares.
- Networking: The network access control is used to make virtual machines and services accessible to only users and devices to which users want them accessible. Network Security Groups(NSG) used to control traffic moving between subnets within an Azure Virtual Network and traffic between an Azure Virtual Network and the Internet.
Microsoft Azure Application Gateway provides an Application Delivery Controller (ADC) as a service, offering various layer 7 load balancing capabilities for your application.
Express Route: Microsoft Azure ExpressRoute is a dedicated WAN link that lets you extend your on-premises networks into the Microsoft cloud over a dedicated private connection facilitated by a connectivity provider.
.
- Compute: Antimalware & Antivirus -With Azure IaaS, you can use antimalware software from security vendors such as Microsoft, Symantec, Trend Micro, McAfee, and Kaspersky to protect your virtual machines from malicious files, adware, and other threats. Virtual machine backup is a solution that protects your application data with zero capital investment and minimal operating costs. Azure Disk Encryption is a new capability that helps you encrypt your Windows and Linux IaaS virtual machine disks. Security Center helps you prevent, detect, and respond to threats, and provides you increased visibility into, and control over, the security of your Azure resources.
- Identity and access management: Microsoft uses multiple security practices and technologies across its products and services to manage identity and access. Microsoft Authenticator provides a user-friendly Multi-Factor Authentication experience that works with both Microsoft Azure Active Directory and Microsoft accounts, and includes support for wearables and fingerprint-based approvals. Password policy enforcement increases the security of traditional passwords by imposing length and complexity requirements, forced periodic rotation, and account lockout after failed authentication attempts. Azure role-based access control (Azure RBAC) enables you to grant access based on the user’s assigned role, making it easy to give users only the amount of access they need to perform their job duties. Integrated identity management (hybrid identity) enables you to maintain control of users’ access across internal data centers and cloud platforms, creating a single user identity for authentication and authorization to all resources.
Google Cloud Platform (GCP): Overview of Security Processes
Google’s long experience and success in protecting itself against cyberattacks plays to our advantage as customers of the Google Cloud Platform (GCP). From years of warding off security threats, Google is aware of the security implications of the cloud model. Thus, they provide a well-secured structure for their operational activities, data centers, customer data, organizational structure, hiring process, and user support. Here, let us understand security features in Google Cloud Platform, the tools that GCP provides for users’ benefit, as well as some best practices and design choices for security.
Security features at Google and on the GCP
Let’s start by discussing what we get directly by virtue of using the GCP. These are security protections that we would not be able to engineer for ourselves. Let’s go through some of the many layers of security provided by the GCP.
1.Datacenter Physical Security: All data centers are equipped with security lasers, biometric detectors, alarms, cameras, etc. Only a fraction of google employees have access to visit data centers.
2.Custom Hardware and Trusted Booting: Google has built each and every element in house which is not really possible for everyone. This includes hardware, software, a firmware stack, curated OS images, and a hardened hypervisor. This reduces the risk of possibility of malicious code OS image, hypervisor, or boot loader. Google has cryptographic signatures on all low-level components, such as BIOS, bootloader, kernel, and base OS, to validate the correct software stack is booting up.
3.Data Disposal: The detritus of the persistent disks and other storage devices that we use are also cleaned thoroughly by Google. Cleaning and inspections are done by different authorized persons. The result of this procedure is logged as well. Also, damaged devices are destroyed periodically. Each facility where data disposal takes place is audited once a week.
4.Data encryption: By default, GCP always encrypts all customer data at rest as well as in motion. This encryption is automatic, and it requires no action on the user’s part. persistent disks are already encrypted using AES-256 and the keys themselves are encrypted with master keys.
5.Secure service deployment: Google’s security documentation will often refer to secure service deployment, and it is important to understand that in this context, the term service has a specific meaning in the context of security: a service is the application binary that a developer writes and runs on infrastructure.
This secure service deployment is based on three attributes:
a. Identity: Each service running on Google infrastructure has an associated service account identity. Using cryptographic credentials provided to third party services, authentication and access management for specific users is done during RPCs.
b. Integrity: Google uses a cryptographic authentication and authorization at an application layer to provide strong access control at the abstraction level for interservice communication. Also, IP spoofing is avoided using ingress and egress filtering facilities at various points in their network to maximize their network’s performance and its availability.
c. Isolation: Google has an effective sandbox technique to isolate services running on the same machine. This includes Linux user separation, language and kernel-based sandboxes, and hardware virtualization. Google also secures operation of sensitive services such as cluster orchestration in GKE on exclusively dedicated machines.
6.Secure interservice communication: The term inter-service communication refers to communication between GCP’s resources and services. Google engineers on the backend are also provided special identities to access the services. Google encrypts interservice communication by encapsulating application layer protocols in RPS mechanisms to isolate the application layer and to remove any kind of dependency on network security.
a. In-built DDoS protections: DDoS is handled very well in many GCP services, notably in networking and load balancing. HTTP(S) and SSL proxy load balancers, in particular, can protect backend instances from several threats, including SYN floods, port exhaustion, and IP fragment floods.
b. Insider risk and intrusion detection: Google constantly monitors activities of all available devices in Google infrastructure for any suspicious activities. To secure employees’ accounts, Google has replaced phishable OTP second factors with U2F, with compatible security keys. Google also monitors its customer devices and a periodic check on the status of OS images with security patches.
Google-provided tools and options for security
As we’ve just seen, the platform already does a lot for us, but we still could end up leaving ourselves vulnerable to attack if we don’t go about designing our cloud infrastructure carefully. To begin with, let’s understand a few facilities provided by the platform for our benefit.
Data encryption options: We have already discussed Google’s default encryption. In addition to default encryption, there are a couple of other encryption options available to users.
a.Customer-managed encryption keys (CMEK) using Cloud KMS: This option involves a user taking control of the keys that are used, but still storing those keys securely on the GCP, using the key management service. The only GCP service that currently supports CMEK is BigQuery. b.Customer-supplied encryption keys (CSEK): Here, the user specifies which keys are to be used, but those keys do not ever leave the user’s premises. CSEK is supported by two important GCP services: data in cloud storage buckets as well as by persistent disks on GCE VMs. Losing keys won’t allow you to access your encrypted data in GCP.
Cloud security scanner: Cloud security scanner is a GCP, provided security scanner for common vulnerabilities. It is available for App Engine applications, Compute Engine VMs. This handy utility will automatically scan and detect the four common vulnerabilities, viz.,Cross-site scripting (XSS),Flash injection, Mixed content (HTTP in HTTPS) and The use of outdated/insecure libraries.
Conclusion
Here we tried to give a brief overview of what security features provided by 3 major Cloud providers.AWS is older and mature while GCP is kind of younger while Azure can be maddening at times due to lack of consistency and poor documentation. Azure is comparatively less secure because some of its default services run on less secure configurations . AWS and GCP always start with default deny, but Azure starts with default allow.
Vulnerabilities of Cloud computing are listed as those were described in the above blog, allowing us to have a full view of what are the considerations that we should keep in mind when moving on Cloud computing. It is also well understood that exhaustive risk and security control is not recommended on all Cloud computing implementations. The level of control should always depend on prior evaluation.
There are still a lot of open research areas on improving Cloud computing security, some of those are; Forensics and evidence gathering mechanisms, resource isolation mechanisms and interoperability between cloud providers.
Sources
- https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
- https://aws.amazon.com/security
- https://cloud.google.com/security
- https://services.google.com/fh/files/misc/security_whitepapers_march2018.pdf
- https://www.sdxcentral.com/cloud/definitions/google-cloud-platform-gcp-security-fundamentals/
- https://azure.microsoft.com/en-in/services/security-center/
- https://docs.microsoft.com/en-us/azure/security/fundamentals/overview