Amazon, Google and Microsoft continue to pump out features that reinforce their varying perspectives on public cloud security, but they still don’t solve one of the biggest threats to cloud workloads.
The so-called Big Three cloud vendors have added a host of features this year to help users protect their workloads against threats, with slightly different approaches that highlight their products’ maturity and their own technological and cultural pedigrees. But one of the biggest obstacles to lock down workloads on these platforms persists: the customers themselves.
Security remains a top priority as enterprises evaluate a move to the public cloud. There are still scenarios where the cloud is unacceptable, particularly at corporations where data residency and other governmental restrictions are paramount, but by and large security is no longer a reason to reject a move to the cloud. In fact, the security practices and staffing behind these platforms are superior to what enterprises have built internally, according to most industry observers.
Amazon has progressed the farthest to improve security, simply because Amazon Web Services (AWS) was first to market and lacked many of the tools to track and manage resources that are layered on the platform today. Once found mainly in startups, AWS is now commonplace at large enterprises due in no small part to upgrades of its cloud security tools in the 11 years since it began selling storage and compute resources.
Over the years, AWS has added identity and access management, configuration rules and other policy controls that have become common practice in the cloud. Many of its latest security upgrades reflect the platform’s maturity, with incremental improvements such as tighter integration with other AWS tools. Now, Amazon’s latest steps aim to protect customers from their own mistakes.
Cloud security and the user threat
Stories of cloud security woes continue to cascade across the news, with AWS getting the brunt of the attention. In the past year, a cottage industry has emerged to make hay out of customers such as Verizon and Dow Jones & Co. that have left sensitive data held in Amazon Simple Storage Service (S3) buckets exposed over the public internet.
These high-profile cases — and many more that fly under the radar — typically result from user error and misconfigured S3 buckets, and there’s not much the cloud vendor can do.
“It’s like leaving your door open, and guess what? Your stuff gets stolen — or, in this case, copied,” said Fernando Montenegro, an analyst at 451 Research.
Amazon, which typically has a laissez faire approach to how users build applications with the tools provided on AWS, has added features that “help customers avoid doing something foolish,” Montenegro said. These include new AWS Config rules so users can flag publicly exposed buckets, email alerts to customers about potential vulnerabilities, and a machine learning-based service called Macie to detect anomalies in customers’ S3 buckets.
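The exposure the article describes lives in two bucket settings: the bucket ACL (a grant to the AllUsers or AuthenticatedUsers group) and the bucket policy (an Allow statement whose Principal is a wildcard). The following check is an added example, not code from the article, AWS or any of the vendors quoted; it evaluates documents shaped like the GetBucketAcl and GetBucketPolicy responses, so real output could be fed to it, but the bucket names, owner ID, account number and policy text below are constructed. Bucket-level public-access blocks, which a full check would also consult, are not modelled here.

```python
"""Flag S3 bucket settings that expose the bucket to the public (added example)."""
import json  # a policy may arrive as the JSON string GetBucketPolicy returns

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}
ACL_WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean everyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _is_write_action(action):
    a = action.lower()
    return a in ("*", "s3:*") or a.startswith(("s3:put", "s3:delete"))


def acl_findings(acl):
    """Return (severity, description) for each ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if group is None:
            continue  # owner or a named account: not a public grant
        perm = grant.get("Permission", "")
        severity = "HIGH" if perm in ACL_WRITE_PERMS else "MEDIUM"
        findings.append((severity, f"ACL grants {perm} to {group}"))
    return findings


def policy_findings(policy):
    """Return (severity, description) for each Allow statement open to a wildcard principal."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Condition"):
            severity = "LOW"  # a Condition may narrow the wildcard; needs human review
        elif any(_is_write_action(a) for a in actions):
            severity = "HIGH"
        else:
            severity = "MEDIUM"
        sid = stmt.get("Sid", "(no Sid)")
        findings.append((severity, f"Policy statement {sid} allows {', '.join(actions)} to Principal '*'"))
    return findings


def bucket_exposure(acl, policy=None):
    """Combine both checks; an empty list means no public grant was found."""
    findings = acl_findings(acl)
    if policy is not None:
        findings += policy_findings(policy)
    return findings


# Constructed sample of an exposed bucket (IDs and names are placeholders).
EXPOSED_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Corrected form: only the owner in the ACL, and access limited to a named role.
HARDENED_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}, "Permission": "FULL_CONTROL"}],
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

if __name__ == "__main__":
    for label, acl, policy in (("exposed", EXPOSED_ACL, EXPOSED_POLICY), ("hardened", HARDENED_ACL, HARDENED_POLICY)):
        print(label, bucket_exposure(acl, policy) or "no public grants")
```

The Deny statement in the exposed policy is deliberately ignored: a Deny with a wildcard principal tightens access rather than opening it, and skipping it avoids a false positive that would train operators to dismiss the alert.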
Microsoft, Google take different slants with cloud security tools
It’s unclear if AWS is scrutinized for misconfigurations more than the other public cloud platforms simply because of its market clout. What is clear is that Google and Microsoft, which became serious about cloud years after Amazon, have learned and benefited from Amazon’s past mistakes. And both companies’ steps to protect customer data from malicious actors speak, in their own ways, to their respective internal cultures.
Microsoft, with its deep ties to the enterprise market, made more security features available on Azure at its earliest stages and made Active Directory a core component of the platform. Google, meanwhile, has played catch-up on cloud security tool parity, as it chases after that same enterprise market.
The push for new cloud security tools and the different approaches indicate that these providers are innovating piece by piece, as they learn more about what attackers are doing to compromise workloads, said Tim Prendergast, CEO and co-founder of Evident.io, a cloud security and compliance company in Pleasanton, Calif.
“What we see happening is kind of three players positioning their unique take on what security means for them and their customers and their assets,” he said.
Microsoft, for example, has a new security model for Azure called confidential computing, which encrypts data not only in transit and at rest — now standard practice among the major cloud providers — but while in use, too.
“It’s an extra level of assurance that your workload is protected from Microsoft itself, and that’s a powerful message if that is part of your threat model,” Montenegro said. “They’re making it harder and harder to have malicious access to your data.”
Google has similar goals, but different means. Continuing on its do-it-yourself hardware history, Google earlier this year built a custom chip called Titan that provides a root of trust for access to cloud infrastructure at the hardware level.
While these are positive steps, they don’t address an increasingly common problem with cloud security that comes back to user diligence — compromised keys, which are the responsibility of the customer of any public cloud platform.
“It’s like you locking your house, but someone makes a copy of your keys,” said Abhi Dugar, an analyst at IDC. “You’re still exposed if you lock the house.”
Enterprises strain security to adapt to a new world
Of course, the vendors are not immune from criticism when it concerns user error. The foundation for the use of these platforms, the shared responsibility model pioneered by AWS, draws a line in the sand with the vendor responsible for the underlying infrastructure and the user responsible for everything on top.
The problem with that model is that enterprise IT must maintain its normal security protocols while it also adapts to a new way to manage workloads on the public cloud, Prendergast said. That’s particularly challenging on a platform such as AWS, with close to 100 different services and thousands of pages of security documentation.
“They’ve already got a busy day job and you’re asking them to learn this new way of doing security and new security controls, and the legacy controls they’re used to don’t work,” he said. “They have to work faster than ever before with no additional people and no additional days.”
That gap between skills and expectations led to many of the high-profile cloud security issues, Prendergast said. And while advanced services such as Macie could benefit enterprises, it’s hard to see that being successful if IT shops can’t get the basics right.
All of these issues will become even more complex when administrators have to manage security postures across multiple clouds, which is where the market is largely headed. For example, if an enterprise has most of its cloud assets on AWS, problems can arise when a line of business says it wants to go to Google Cloud Platform to do machine learning with TensorFlow.
“The security team will say, ‘I don’t understand their security interface,’” Dugar said. “So you have to go hire someone just to understand that, and there’s a skills gap that needs to be addressed.”
Trevor Jones is a senior news writer with SearchCloudComputing and SearchAWS. Contact him at firstname.lastname@example.org.