The level of cyber security offered by public cloud service providers, that is, the features and capabilities they put in place to protect their own networks and services and to keep customer data safe from breaches and other attacks, is one of the most important considerations for companies choosing a provider.
Each of the three major cloud service providers—Amazon Web Services, Google Cloud Platform, and Microsoft Azure—places a high priority on security. In the event of a well-publicized security breach, they could lose many potential customers, incur losses of millions of dollars, and face regulatory compliance penalties.
Here are the top three cloud providers’ cyber security offerings in four areas.
Security of the network and the infrastructure
Microsoft Azure
Microsoft owns and operates the data centres in which Azure runs. They are distributed around the globe, and Microsoft describes them as secure and reliable; Microsoft's operations organisation is responsible for managing them and keeping them running.
Operations staff are subject to background checks, and the depth of those checks is proportional to the level of access the staff have to applications, systems, and network infrastructure.
Azure Firewall is a cloud-based network security service that protects Azure Virtual Network resources. It is a stateful firewall as a service with built-in high availability and unrestricted cloud scalability. With TLS inspection enabled, it decrypts outbound traffic, inspects it, and re-encrypts it before forwarding it to its destination. Administrators can also allow or block whole web categories, such as gambling or social networking sites.
Amazon Web Services
Amazon Web Services (AWS) offers a wide range of security features and services that help protect data and control network access. Customers can create private networks (Amazon VPC) and restrict who can reach specific instances or applications, and AWS services let them control the encryption of data in transit.
AWS also offers private or dedicated network connections, technologies to mitigate distributed denial-of-service attacks, and automatic encryption of all traffic on the AWS global and regional networks between AWS secured facilities.
Google Cloud Platform
Google designs its own hardware to strengthen security. GCP, for example, uses Titan, a custom security chip built by Google, to establish a hardware root of trust in its servers and peripherals, and its data centre designs implement multiple layers of physical and logical protection.
Protecting itself and its customers from distributed denial-of-service (DDoS) attacks is one of GCP's top priorities in building out its global network infrastructure. Google has reported that this infrastructure absorbed a 2.5 Tbps (terabits per second) attack, the largest DDoS attack documented at the time.
Beyond the protections built into GCP's global network, customers can deploy additional network security features, including Cloud Armor, a network security service that protects against DDoS and application-layer attacks.
To protect the authenticity, integrity, and privacy of data in transit, Google employs a variety of measures: data is encrypted and authenticated at one or more network layers whenever it travels outside the physical boundaries Google controls.
Encryption and decryption of data
Microsoft Azure
Azure Key Vault helps protect the cryptographic keys and secrets used by cloud applications and services. It gives enterprises a central place to manage encryption keys and control access to them. Developers can quickly create keys for development and testing and migrate to production keys later, and security administrators can grant or revoke access to keys as needed.
Microsoft 365 data is protected and governed by Microsoft Information Protection and Microsoft Information Governance. Microsoft Information Protection covers all Microsoft 365 apps and services as well as Windows 10 and Edge. For structured data, enterprises can use Azure Purview to classify and govern what they hold.
Amazon Web Services
AWS lets customers encrypt data both in transit and at rest. Most AWS services, including Amazon EBS, Amazon S3, Amazon RDS, Amazon Redshift, Amazon ElastiCache, AWS Lambda, and Amazon SageMaker, provide scalable encryption features, including encryption of data at rest.
Key management options are flexible: AWS Key Management Service (KMS) lets businesses choose whether AWS manages their encryption keys or they retain full control over them; AWS CloudHSM provides dedicated, hardware-based key storage; and server-side encryption (SSE) for Amazon SQS encrypts message queues used to carry sensitive data.
Google Cloud Platform
With its Confidential Computing technology, Google enables data to be encrypted while it is in use, i.e., while it is being processed. In a confidential computing environment the data is encrypted in memory and everywhere else outside the CPU.
Confidential VMs is the first product in the Confidential Computing line. Within Google's multi-tenant cloud infrastructure, Confidential VMs encrypt guest memory so that customers can further isolate their workloads.
Using Cloud EKM, enterprises can encrypt their Google Cloud data with keys they manage through an external key management partner. Companies retain control over the creation, location, and distribution of those keys and decide who has access to them.
Identity and access control
Microsoft Azure
Azure Active Directory (Azure AD, now Microsoft Entra ID) provides single sign-on, multi-factor authentication, and conditional access to Azure services, corporate networks, on-premises resources, and thousands of SaaS applications. Adaptive access controls and unified identity management help organizations protect identities while simplifying access, control, and identity governance for compliance. Microsoft says that enabling multi-factor authentication blocks 99.9% of account-compromise attacks.
Amazon Web Services
AWS Identity and Access Management (IAM) lets customers create, enforce, and manage the policies that control a user's access to AWS resources. For privileged accounts, IAM supports AWS Multi-Factor Authentication (MFA) with both software- and hardware-based authenticators. Users and applications can reach the AWS Management Console and AWS service APIs through IAM using existing identity systems such as Microsoft Active Directory or partner identity providers.
Enterprises can reduce administrative burden and improve the user experience with AWS Directory Service, which integrates and federates with corporate directories, and AWS Single Sign-On (SSO, now AWS IAM Identity Center), which manages user access and permissions across all of an organization's AWS accounts.
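To make the policy model concrete, here is an added example, written for this page rather than taken from AWS, that lints IAM policy documents for the two things a reviewer of a privileged account looks for first: wildcard actions and resources, and privileged actions allowed without the `aws:MultiFactorAuthPresent` condition key. The three policy documents are constructed for the demonstration, and the set of service prefixes treated as privileged is an assumption of the example.

```python
import json

# Constructed IAM policy documents for the demonstration (not from any real account).
ADMIN_WITHOUT_MFA = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

OVERBROAD_S3 = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
""")

SCOPED_WITH_MFA = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"},
   {"Effect": "Allow",
    "Action": ["iam:CreateUser", "iam:AttachUserPolicy"],
    "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
 ]}
""")

# Which service prefixes count as "privileged" is an assumption of this example.
PRIVILEGED_PREFIXES = ("iam:", "sts:", "kms:", "organizations:")


def _as_list(value):
    """IAM accepts either a single string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True if the statement carries an aws:MultiFactorAuthPresent = true condition."""
    condition = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        if condition.get(operator, {}).get("aws:MultiFactorAuthPresent") == "true":
            return True
    return False


def lint_policy(policy):
    """Return a list of human-readable findings for one IAM policy document."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith("*")]
        for action in wildcard_actions:
            findings.append(f"statement {idx}: wildcard action {action!r}")
        if wildcard_actions and "*" in resources:
            findings.append(f"statement {idx}: wildcard action on Resource '*'")
        privileged = [a for a in actions if a == "*" or a.startswith(PRIVILEGED_PREFIXES)]
        if privileged and not _requires_mfa(stmt):
            findings.append(f"statement {idx}: privileged actions {privileged} "
                            "without an aws:MultiFactorAuthPresent condition")
    return findings


if __name__ == "__main__":
    for name, doc in [("ADMIN_WITHOUT_MFA", ADMIN_WITHOUT_MFA),
                      ("OVERBROAD_S3", OVERBROAD_S3),
                      ("SCOPED_WITH_MFA", SCOPED_WITH_MFA)]:
        print(name, lint_policy(doc) or ["no findings"])
```

The MFA condition is the mechanism behind the "MFA for privileged accounts" advice above: an `Allow` statement that carries it only takes effect for sessions authenticated with a second factor, so a stolen long-lived access key alone cannot exercise those actions.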
Google Cloud Platform
Identity and access management in Google Cloud is handled primarily by Cloud Identity and Access Management (Cloud IAM). Cloud IAM gives administrators control and visibility over GCP resources by letting them authorize who can take which actions on which resources. For large organizations it provides a uniform view of security policy across the whole organization, together with built-in auditing that makes compliance work more manageable.
Cloud Identity, an identity-as-a-service (IDaaS) product that centrally manages users and groups, is also available, and it can be configured to federate with other identity providers. GCP also offers Titan Security Keys, which give cryptographic assurance that users are interacting with a legitimate service (i.e., one they registered their security key with) and that they physically possess the key.
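The phishing resistance of a security key comes from the FIDO2/WebAuthn protocol it implements: the browser, not the page, records which origin is asking, and the authenticator scopes each credential to a relying-party ID and hashes that ID into the data it signs. The following added example, written for this page and not Google's code, performs the relying-party side of those checks on a constructed sign-in response. The RP ID, origin, challenge and counter values are assumptions of the example; the signature check over the same fields is noted but not reproduced, since the standard library has no ECDSA.

```python
import base64
import hashlib
import json
import struct

# Assumed relying-party (RP) configuration for the example.
RP_ID = "accounts.example.com"
EXPECTED_ORIGIN = "https://accounts.example.com"


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(origin, rp_id, challenge, counter):
    """Construct what a browser plus authenticator return for a sign-in (test data).

    This stands in for the real client: the browser writes the page's origin into
    clientDataJSON itself, and the authenticator puts SHA-256(rp_id) into the first
    32 bytes of authenticatorData, followed by a flags byte and a 32-bit counter.
    """
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": _b64url_encode(challenge),
        "origin": origin,
    }).encode("utf-8")
    flags = 0x01  # UP bit: the user touched the key
    authenticator_data = (hashlib.sha256(rp_id.encode("utf-8")).digest()
                          + bytes([flags]) + struct.pack(">I", counter))
    return {"clientDataJSON": client_data_json, "authenticatorData": authenticator_data}


def verify_assertion(assertion, expected_challenge, expected_origin, expected_rp_id, last_counter):
    """Relying-party checks from the WebAuthn assertion procedure (signature step omitted).

    Returns (ok, reason). A phishing page at a look-alike domain fails the origin
    check, and a credential registered for another RP fails the rpIdHash check.
    """
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if _b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"

    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode("utf-8")).digest():
        return False, "rpIdHash mismatch: credential scoped to a different RP ID"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if counter != 0 and counter <= last_counter:
        return False, "signature counter did not increase (cloned authenticator?)"

    # The authenticator's signature covers authenticatorData || SHA-256(clientDataJSON),
    # which is what makes the fields checked above tamper-evident. Verifying it needs
    # the credential's public key and an ECDSA/EdDSA implementation that the standard
    # library does not provide, so that step is deliberately not reproduced here.
    return True, f"ok (counter={counter})"


if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; real challenges are random per ceremony
    legit = make_assertion(EXPECTED_ORIGIN, RP_ID, challenge, counter=7)
    print(verify_assertion(legit, challenge, EXPECTED_ORIGIN, RP_ID, last_counter=6))
    phish = make_assertion("https://accounts-example.com", "accounts-example.com", challenge, 7)
    print(verify_assertion(phish, challenge, EXPECTED_ORIGIN, RP_ID, last_counter=6))
```

In practice the phishing case rarely even reaches the server: the browser only lets a page at `accounts-example.com` use credentials scoped to that RP ID, so the authenticator has nothing to sign for the attacker. The server-side origin and rpIdHash checks are the defence in depth that catches a relayed response.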
It is also worth noting that Cloud Resource Manager provides the resource containers (organizations, folders, and projects) that let businesses group and arrange GCP resources hierarchically, with IAM policies inherited down that hierarchy.
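Inheritance down that hierarchy is the part that surprises teams auditing access: a role bound at a folder or organization applies to every project beneath it, and a project-level policy cannot take it away. The following added example, not Google's code, models a small constructed hierarchy and computes the effective allow policy of a project as the union of its ancestors' bindings, plus a helper that answers "where does this grant come from?". The organization ID, folder, projects and members are all constructed for the demonstration.

```python
# Constructed resource hierarchy: child -> parent (None for the organization).
PARENT = {
    "organizations/123456": None,
    "folders/engineering": "organizations/123456",
    "projects/web-prod": "folders/engineering",
    "projects/web-dev": "folders/engineering",
    "projects/finance-prod": "organizations/123456",
}

# Constructed allow-policy bindings: resource -> role -> set of members.
BINDINGS = {
    "organizations/123456": {"roles/viewer": {"group:auditors@example.com"}},
    "folders/engineering": {"roles/editor": {"group:eng@example.com"}},
    "projects/web-prod": {"roles/owner": {"user:alice@example.com"}},
}


def ancestry(resource):
    """The resource, its parent, and so on up to the organization."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = PARENT[resource]
    return chain


def effective_policy(resource):
    """Union of the bindings on the resource and on every ancestor.

    Allow policies only ever add permissions as they flow down the hierarchy;
    a project cannot remove a role granted at its folder or organization.
    """
    effective = {}
    for node in ancestry(resource):
        for role, members in BINDINGS.get(node, {}).items():
            effective.setdefault(role, set()).update(members)
    return effective


def has_role(member, role, resource):
    """Does the member hold the role on the resource, directly or by inheritance?"""
    return member in effective_policy(resource).get(role, set())


def where_granted(member, role, resource):
    """Which node(s) in the ancestry carry the binding: the answer to 'why can X do this?'"""
    return [node for node in ancestry(resource)
            if member in BINDINGS.get(node, {}).get(role, set())]


if __name__ == "__main__":
    for project in ("projects/web-prod", "projects/web-dev", "projects/finance-prod"):
        print(project, {r: sorted(m) for r, m in effective_policy(project).items()})
    print(where_granted("group:eng@example.com", "roles/editor", "projects/web-dev"))
```

This models allow policies only. Google Cloud also supports IAM deny policies, which are evaluated before allow policies and can block a permission regardless of inherited grants; they are the tool to reach for when an organization-level binding is broader than a particular project should inherit.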
Application Security
Microsoft Azure
Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps) is a cloud access security broker (CASB) that combines visibility, control over data movement, user activity monitoring, and advanced analytics so that companies can discover and respond to threats across their Microsoft and third-party cloud services. Built for information security teams, it integrates natively with security and identity tools such as Azure Active Directory, Microsoft Intune, and Microsoft Information Protection, and it supports several deployment modes: log collection, API connectors, and reverse proxy.
Amazon Web Services
AWS Shield is a managed DDoS protection service for applications running on AWS. It provides always-on detection and automatic inline mitigation to minimise application downtime and latency, and it comes in two tiers, Standard and Advanced.
AWS Shield Standard, which Amazon says defends against the most common network- and transport-layer DDoS attacks on websites and applications, is enabled automatically for every customer. Used together with Amazon CloudFront and Amazon Route 53, it provides comprehensive availability protection against all known infrastructure (layer 3 and 4) attacks.
For enterprises that want stronger protection for applications running on Amazon EC2, CloudFront, and Amazon Route 53, AWS Shield Advanced is an optional paid tier. On top of the network- and transport-layer protection of Shield Standard, Shield Advanced adds enhanced DDoS detection and mitigation and integrates with AWS WAF (web application firewall) to address application-layer attacks.
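The application-layer piece of that stack, the WAF rate-based rule, is simple enough to show end to end. The following added example, written for this page rather than taken from AWS, replays a constructed access log and reports any source address whose request count within a trailing window reaches a threshold, which is what a rate-based rule does before it starts blocking. The 5-minute window and the threshold of 100 are values assumed for the example, the log format is a simplified one, and every line of the log is generated by the example itself.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")  # time ip method path status


def build_sample_log():
    """Constructed access log: light background traffic plus one client flooding /login."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(30):  # five ordinary clients, one request every ten seconds
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.strftime(TIME_FMT)} 198.51.100.{i % 5 + 1} GET /index.html 200")
    for i in range(150):  # 150 requests from one address in about 90 seconds
        ts = base + timedelta(milliseconds=600 * i)
        lines.append(f"{ts.strftime(TIME_FMT)} 203.0.113.7 POST /login 401")
    return lines


def parse_line(line):
    """Parse one simplified log line into (timestamp, ip, method, path, status)."""
    match = LINE_RE.match(line)
    if not match:
        return None
    ts, ip, method, path, status = match.groups()
    return datetime.strptime(ts, TIME_FMT), ip, method, path, int(status)


def rate_limit_offenders(lines, threshold=100, window=timedelta(minutes=5)):
    """Replay the log and report each source IP the moment its request count in the
    trailing window reaches the threshold, the way a WAF rate-based rule would.

    Returns {ip: timestamp of the request that crossed the threshold}.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    offenders = {}
    for ts, ip, _method, _path, _status in events:
        bucket = recent[ip]
        bucket.append(ts)
        while ts - bucket[0] > window:  # evict requests older than the window
            bucket.popleft()
        if len(bucket) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


if __name__ == "__main__":
    for ip, when in rate_limit_offenders(build_sample_log()).items():
        print(f"{ip} reached the rate limit at {when.isoformat()}")
```

A real rule keys on more than the source address when the flood comes from many addresses (for example the request path, a header, or a JA3 fingerprint), and it is paired with the managed rule groups and the layer 3 and 4 mitigation described above rather than used alone.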
Google Cloud Platform
Google Cloud Web App and API Protection (WAAP) protects web applications and APIs from a wide range of threats. Web application exploits, DDoS attacks, fraudulent bot activity, and API-focused attacks are blocked by the same technology that protects Google's own public-facing services.
Google positions a cloud-based WAAP as delivering stronger threat prevention, greater operational efficiency, and a single unified view, and says it protects applications deployed both in the cloud and on-premises.
Cloud WAAP combines three products to counter threats and fraud: Google Cloud Armor, a web application firewall with anti-DDoS capabilities integrated into GCP's global load balancing; Apigee API Management, an API lifecycle management tool with a strong security focus; and reCAPTCHA Enterprise, which defends against spam, credential stuffing, automated account creation, and other abuse carried out by bots.
A further GCP service, Cloud Security Scanner (now Web Security Scanner), can identify web application vulnerabilities so that they can be fixed before attackers exploit them.