
IaaS Security State of the Industry – Comparing IaaS Providers


A year has passed since our last survey, and a number of new players have become more dominant in the IaaS market; we have therefore revisited our comparison of the security offerings of the leading Cloud Service Providers (CSPs). We examine the native public cloud IaaS offerings of Amazon (AWS), Azure, Google (GCP), IBM Cloud and Rackspace, focusing on data and network security as well as identity and access management.

It is important to note that although the completeness of the security offering is an important attribute in selecting your cloud provider, other attributes, such as maturity, service coverage and level of support, are also important factors in such a decision. This post does not consider the latter factors.

Second, the following comparison takes into account only the security features that are native to the public cloud IaaS offering. In some cases, the missing security features can be supplemented with (paid) add-on services available from partners through the providers' marketplaces, and sometimes through the managed services offering.

Our state-of-the-industry public IaaS security research examines the following features:

  • Shared Cloud Network: a public IaaS environment in which different cloud customers share the same cloud service subnet. In this model, each cloud server (VM) usually has a public IP address (permanent or temporary) as well as a service IP address on the internal cloud service network
  • Virtual Private Cloud (VPC) Network: the IaaS provider supports isolation of customers’ cloud deployments, such that a customer can have a private subnet that is not reachable from other customers’ cloud servers or from the public Internet
  • Firewall: a collection of policies and rules that control the traffic allowed to and from a group of cloud servers or static IP addresses
  • Identity-based access management: firewall rules based on user identity, allowing specific users access to a specific set of compute resources
  • Secure extension: the ability to securely connect enterprise sites to the cloud deployment (usually a virtual private network) via static IPSec connections
  • Secure remote access to individual servers: the ability to access an individual machine (VM) using a secure protocol (such as SSH or RDP); this type of remote access is usually based on credentials that are specific to a single user and a single server
  • Remote VPN access: the ability of the organization’s employees to securely connect on demand to the cloud deployment remotely using VPN clients; this includes central authentication of the employees’ identity before they gain access to the cloud deployment (part or all of the cloud servers)

The Comparison Table

Comparison table (including user-based VPN); the table image is not reproduced in this text version.

Shared and Isolated Cloud Networks

The Shared Cloud Network is the least secure public IaaS option. Sharing the same network puts tenants at additional risk, since access to their compute resources could be obtained from within the Cloud data center.

A virtual private cloud network is an isolated network with a private IP subnet and a Layer 2 separation construct, such as VLAN. This prevents any intra-datacenter communication between different organizations (cloud customers), reducing the additional risk of shared networks.

  • AWS EC2 Classic is a shared cloud network; however, Amazon is phasing out EC2 Classic and now uses VPCs as the default for any new EC2 environment. AWS recently introduced its Classic VPC Link feature, which connects individual EC2 Classic machines to a VPC environment, to facilitate migration from EC2 Classic to AWS VPC
  • Azure only offers virtual private networks
  • Google’s public IaaS offering (GCP) does not have a shared cloud network, but provides a cloud virtual private network as the default (and only) option; a unique attribute of the GCP implementation is that a customer’s virtual private cloud network can extend over several geographically distributed data centers
  • IBM Cloud only offers private networks (associated with VLANs)
  • Rackspace provides a shared environment through its “Service Network” compute service; its isolated cloud network service is called “Cloud Networks”

Firewall

  • AWS uses its “Security Groups” feature to control firewall configuration; firewall rules are configured per group of cloud servers (instances)
  • Azure provides “Network Endpoints” as a way to filter (and map) traffic arriving from the public Internet to specific hosts inside the Azure deployment; note that, unlike the AWS and GCP firewalls, this firewall cannot control internal traffic (between servers inside the private subnet) and it does not provide any grouping (rules are based on individual hosts, i.e. endpoints)
  • GCP offers flexible firewall rule management using Tags, similar to AWS security groups
  • IBM Cloud and Rackspace do not currently offer this capability
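As an added illustration (not code from the original post or from any of the providers), this Python model contrasts the two rule styles just described: group-referencing rules, as with AWS security groups or GCP tags, and an endpoint filter that only inspects traffic arriving from the public Internet, as the post describes Azure's endpoints. The instances, addresses and group names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass(frozen=True)
class Rule:
    port: int
    source: str  # a CIDR such as "0.0.0.0/0", or the name of another group
@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: frozenset

# Constructed two-tier deployment in one private subnet (hypothetical names and addresses).
# The db group admits MySQL only from members of the web group.
GROUP_RULES = {
    "web": [Rule(443, "0.0.0.0/0"), Rule(22, "10.0.0.0/8")],
    "db": [Rule(3306, "web")],
}
INSTANCES = {
    "web-1": Instance("web-1", "10.0.1.10", frozenset({"web"})),
    "db-1": Instance("db-1", "10.0.2.10", frozenset({"db"})),
    "bastion": Instance("bastion", "10.0.3.10", frozenset()),
}

def group_allows(dst: Instance, src_ip: str, src_groups: frozenset, port: int) -> bool:
    """Allow-list evaluation: traffic passes if any rule on any of dst's groups matches.
    A group-name source matches on the sender's membership, not its IP, which is what
    lets group-based firewalls control traffic inside the private subnet."""
    for group in dst.groups:
        for rule in GROUP_RULES.get(group, []):
            if rule.port != port:
                continue
            if "/" in rule.source:
                if ip_address(src_ip) in ip_network(rule.source):
                    return True
            elif rule.source in src_groups:
                return True
    return False

def internal_allowed(src: str, dst: str, port: int) -> bool:
    """Evaluate traffic between two instances of the deployment under the group model."""
    s, d = INSTANCES[src], INSTANCES[dst]
    return group_allows(d, s.ip, s.groups, port)

def endpoint_only_allowed(src_ip: str, dst: str, port: int, endpoints: set) -> bool:
    """Endpoint model as described above: only traffic from the public Internet is checked
    against the (host, port) endpoint map; traffic from inside the private subnet is unfiltered."""
    if ip_address(src_ip).is_private:
        return True
    return (dst, port) in endpoints
```

Under the group model the bastion cannot reach the database port even though it sits on the same private subnet; under the endpoint model any internal host can.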

Secure Extension Using IPSec

  • AWS enables connection of the enterprise data center to an AWS VPC using IPSec; this service is called Virtual Private Gateway (VPG)
  • Azure provides VPN gateway capabilities
  • Google’s static IPSec service is currently in Beta
  • IBM and Rackspace do not currently offer this service as part of their public cloud offerings

Remote Access to Individual Servers

All providers enable secure remote access to individual cloud servers using SSH and RDP (for Linux and Windows VMs respectively). Google offers a customized browser-based SSH access with SSO based on the Google account ID.

VPN Access and Identity-based Access Management

User VPN access is usually the basis for centrally authenticating remote users, associating their identity with an otherwise unknown IP address and enforcing identity-based access rights.

At this point, only Azure provides dynamic client-based VPN access to the cloud. However, Azure does not currently support identity-based access (firewall) rules. None of the other CSPs support identity-based access management to the cloud deployment.

Note that several CSPs do offer central-identity-based access to the service management console and APIs, but not to the cloud servers themselves.

Summary

New players and changes in the cloud offerings have shifted the cloud provider landscape. As the cloud market continues to grow, attracting more competitors, expanding its global reach and instigating price wars, more disruptions are sure to follow. However, none of the leaders’ native public cloud offerings has shown significant advancement in security in the past year. The cloud Shared Responsibility model for security, adopted by these leading CSPs, may be the reason for this lack of ‘breakthroughs’ in IaaS security.

Currently, organizations that require a complete enterprise-grade security solution, let alone compliance with a specific regime such as HIPAA, need to fill in the missing security features with solutions from third-party vendors (ISVs). The marketplaces of the CSPs discussed above are a good place to locate these add-on solutions.


Comments

  • David

    Hey, I think that Google Compute Engine supports VPN: https://developers.google.com/compute/docs/networking#settingupvpn

    • 40Cloud

      Hi David,
      Many thanks for your comment.

      Our post covers functionality that is provided as an integral part of the CSP offering. By ‘integral’ we mean that you can launch the complete functionality using the CSP service GUI or API (i.e. the same way you launch a new VM).
      To the best of our knowledge, you cannot launch any such VPN functionality on GCE. The link that you provided is to a DIY guide. Other CSPs (like AWS) provide similar DIY guides for VPN functionality. Up-to-date DIY guides for different VPN functions on different clouds can also be found on our website here and here, as well as on some other sites.

      Thanks,
      40Cloud Team

Pingbacks / trackbacks

  • […] The shared responsibility model states that it is the responsibility of both the cloud provider and the business customer, with a clearly defined demarcation, to ensure that your cloud deployment is properly secured. Specifically, it is the responsibility of the cloud business customers to secure all operating systems and applications that they use over the cloud provider’s infrastructure. While some cloud infrastructure providers (i.e.: Amazon, Google, and Rackspace) have tightened up security where they could, it has also opened new opportunities for hackers. Take, for example, the 2011 Sony PlayStation attack in which 77 million accounts were compromised. The hackers were using cloud instances to launch the attack. The fact is, if a business has not established proper security infrastructure safeguards, their cloud deployment is susceptible to any number of threats. Furthermore, there seems to be a broad misconception that must be dispelled; security provisions offered by cloud providers are rarely enough to protect your organization! […]

  • […] To view the results of 40Cloud’s research in their entirety, read their blog post here. […]
