- Hello, Cloud Gurus. Riaan Lowe here, and welcome to Cloud Provider Comparisons. In this series we take a look at the same cloud services across different cloud providers. We'll look at the similarities, the differences, and anything else that might be interesting. So, we have all heard the term cloud computing and hosting resources in the cloud, but recently, with all of the security breaches happening around the world, there is a strong focus on securing resources in the cloud. In this episode, we'll explore security offerings from AWS, Azure and Google Cloud. (energetic music)

- So, cloud security is actually a combination of security controls and settings, and not just a single setting or checkbox. There is often confusion around cloud security, and that's because organizations don't always know what they are responsible for. What's even worse is that some organizations think that the cloud platforms are responsible for anything security related, and that's a big problem because it's definitely not the case. In order to better understand who is responsible for security in the cloud, we need to reference something called the shared responsibility model. (energetic music)

- So, in a nutshell, the shared responsibility model is a framework that helps differentiate when the cloud provider is accountable for security and when your organization is accountable for security, based on what is deployed in the cloud. Now, let's take a look at the three cloud platforms' approach to the shared responsibility model. Let's start with Azure. Azure splits responsibility into three main categories. The first: the customer is always responsible. This is relevant to information, data and devices such as mobile and PCs, as well as user accounts, which are also called identities. The second category is less black and white and more of a gray area, as this differs based on the cloud model used, such as software as a service, or SaaS, platform as a service, or PaaS, or infrastructure as a service, or IaaS. Lastly, we have the category called cloud provider responsibility. This is when the cloud provider is solely responsible for security, whether the service is SaaS, PaaS or IaaS. An example of this would be the physical infrastructure in the data centers hosting these services. AWS has taken a more simplistic approach to the shared responsibility model and split it into two sections. The first: customers are responsible for security in the cloud. Users are responsible for their own data, user accounts, applications and so forth. AWS is responsible for security of the cloud, and this includes underlying hardware within the data centers such as physical hosts, storage and networking. Google's approach to the shared responsibility model is a bit more complex, as they specify in detail, in each instance, who is responsible for security. We'll be sure to leave a link in the description if you want to take a look. But in general, all three cloud providers follow the same principles for shared responsibility; they just have slightly different approaches. (melodious music)

- As we just saw under the different shared responsibility models, organizations are responsible for user accounts. This forms part of what is called identity and access management, or IAM for short. IAM is a term used for defining user access with a privileged role, also known as role-based access control. Let's take a look at what options are available across Google Cloud Platform, AWS and Azure. There are some shared user and IAM features found across all three platforms, including multifactor authentication, also known as MFA, single sign-on, also known as SSO, built-in role-based access control, also known as RBAC, and custom role-based access control. One key difference, though, across the platforms is privileged access management, or PAM, which is used to manage privileged accounts for users or resources deployed based on IaaS, PaaS or SaaS. Azure offers a service called Privileged Identity Management, which includes just-in-time privileged access to Azure AD and Azure resources. AWS and GCP don't have a built-in feature to address PAM; however, you are able to deploy a third-party solution to address this via the Marketplace. (melodious music)

- Let's go ahead and compare some of the IaaS workload security solutions each platform offers. In terms of distributed denial of service protection, Azure calls their offering, unsurprisingly, DDoS Protection. AWS has Shield and GCP has Google Cloud Armor. In terms of features they all, in principle, do a similar thing. When it comes to secrets management, Azure has a service called Key Vault, which is used to store secrets like passwords and keys, and it also supports storing of certificates. AWS calls their offering Secrets Manager; it is used for storing secrets only, although it also provides a mechanism for storing certificates. GCP Secrets Manager works the same as the other platforms and provides the functionality to store passwords and certificates. For virtual private networking, AWS VPN supports point-to-site and site-to-site options, with a site-to-site connection limit of 10 connections for a VPN gateway. Azure VPN Gateway supports point-to-site and site-to-site VPNs, with a limitation of a maximum of 30 site-to-site connections per VPN gateway. Google Cloud VPN only supports site-to-site VPN connections and does not currently support point-to-site connections. (melodious music)

- Next up, let's have a look at how the platforms approach platform as a service, or PaaS, security. Let's focus on securing data, as this hosts important organizational or customer information, which is one of the main goals for hackers. All three cloud platforms support the following security controls from a database point of view. Identity and access management policies, or IAM policies. Firewall rules, which include IP whitelisting; this is where organizations can expose databases through the internet, but only allow the organization's public IP address to connect to it. Encryption in transit, or TLS; this specifies if the database supports secure connections to it. Encryption at rest, or TDE; this specifies if the database supports encryption at rest by means of hard drive level encryption. (melodious music)

- Most organizations have to comply with a set of security standards, and the same rules apply for cloud workloads. Let's take a moment to understand how the cloud platforms help organizations meet cloud security compliance. Azure has the Azure Security Center, GCP has the Trust and Security Center, and AWS calls their security assessment service Amazon Inspector. Compliance tools on all three cloud platforms support most compliance standards, such as ISO 27001, PCI DSS and many more. These tools have the capability to audit the resources deployed and advise on security best practices to ensure your environment is secure and you have not missed anything major from a security or configuration point of view. (melodious music)

- Lastly, it's worth mentioning that each cloud platform offers a marketplace where customers can make use of third-party vendor applications to meet specific security requirements. AWS and Azure are leading the way on this, with GCP trying to catch up. So at the end of the day, when you choose a cloud provider there are multiple security decisions to make alongside other considerations such as pricing, hybrid identities and skills to support your solutions. If you want to learn more, have a look at A Cloud Guru's courses in cloud security for a more in-depth breakdown and hands-on approach. Thanks for watching, stay safe and keep being awesome, Cloud Gurus. (melodious music)