A year has passed since our last survey, and a number of new players have become more dominant in the IaaS market; therefore, we have revisited our comparison of the leading Cloud Service Providers' (CSPs') security offerings. We examine the native public cloud IaaS offerings of the leading cloud service providers: Amazon (AWS), Azure, Google (GCP), IBM Cloud and Rackspace, focusing on data and network security as well as identity and access management.
It is important to note that although the completeness of the security offering is an important attribute in selecting a cloud provider, other attributes such as maturity, service coverage and level of support are also important factors in such a decision. This post does not consider those factors.
A second note is that the following comparison only takes into account the security features that are native to the public cloud IaaS offering. In some cases, the missing security features can be supplemented with add-on (paid) services available in their marketplaces through partners, and sometimes using the managed services offering.
Our state-of-the-industry public IaaS security research examines the following features:
- Shared Cloud Network: a public IaaS environment where different cloud customers share the same cloud service subnet. In this model, each cloud server (VM) usually has a public IP address (permanent or temporary) as well as a service IP address on the internal cloud service network, which is reachable by other tenants' servers on that subnet
- Virtual Private Cloud (VPC) Network: the IaaS provider isolates customers' cloud deployments, such that a customer can have a private subnet that is not reachable from other customers' cloud servers or from the public Internet
- Firewall: a collection of policies and rules to control the traffic allowed to and from a group of cloud servers or static IP addresses
- Identity-based access management: firewall rules based on user identity, allowing specific users access to a specific set of compute resources
- Secure extension: ability to securely connect enterprise sites to the cloud deployment (usually a virtual private network) via static IPSec connections
- Secure remote access to individual server: the ability to access an individual machine (VM) using a secure protocol (like SSH or RDP); this type of remote access is usually based on credentials that are specific to a single user and a single server
- Remote VPN access: the ability of the organization’s employees to securely connect on demand to the cloud deployment remotely using VPN clients; this includes central authentication of the employees’ identity prior to gaining access to the cloud deployment (part or all of cloud servers)
The Comparison Table
The table summarizes the findings detailed in the sections that follow:

| Feature | AWS | Azure | GCP | IBM Cloud | Rackspace |
|---|---|---|---|---|---|
| Shared cloud network | Yes (EC2-Classic, being phased out) | No | No | No | Yes (Service Network) |
| Virtual private cloud network | Yes (VPC, default for new environments) | Yes | Yes (default and only option; spans data centers) | Yes (VLAN-based) | Yes (Cloud Networks) |
| Firewall | Yes (Security Groups, per group of instances) | Partial (Network Endpoints; public ingress only, per host) | Yes (tag-based rules) | No | No |
| Identity-based access management | No | No | No | No | No |
| Secure extension (static IPSec) | Yes (Virtual Private Gateway) | Yes (VPN gateway) | Beta | No | No |
| Secure remote access to individual server (SSH/RDP) | Yes | Yes | Yes (plus browser-based SSH with Google SSO) | Yes | Yes |
| Remote (client-based) VPN access | No | Yes | No | No | No |
Shared and Isolated Cloud Networks
The Shared Cloud Network is the least secure public IaaS option. Sharing the same network puts tenants at additional risk: every server's service IP address is reachable by the other tenants on that subnet, so an attacker who controls any VM in the same data center can probe and attack a customer's compute resources without ever crossing the public Internet.
A virtual private cloud network is an isolated network with a private IP subnet and a Layer 2 separation construct, such as a VLAN. This prevents any intra-datacenter communication between different organizations (cloud customers), removing the additional risk of shared networks; exposure is then limited to what the customer deliberately publishes (public IP addresses, firewall openings and VPN connections).
- AWS EC2-Classic is a shared cloud network; however, Amazon is phasing out EC2-Classic and now uses VPCs as the default for any new EC2 environments; recently AWS introduced the ClassicLink feature, which connects individual EC2-Classic instances to a VPC, as a way to facilitate the migration from EC2-Classic to AWS VPC
- Azure only offers virtual private networks
- Google’s public IaaS offering (GCP) does not have a shared cloud network, but provides a cloud virtual private network as the default (and only) option; a unique attribute of the GCP implementation is that a customer’s virtual private cloud network can extend over several geographically distributed data-centers
- IBM Cloud only offers private networks (associated with VLANs)
- Rackspace provides a shared environment through their “Service Network” compute service, and their isolated cloud network service is called “Cloud Networks”
Firewall
- AWS uses its “Security Groups” feature to control firewall configuration; rules are attached to groups of cloud servers (instances) rather than to individual hosts, and a rule's source can be a CIDR block or another security group, so the policy follows group membership instead of IP addresses
- Azure provides “Network Endpoints” as a way to filter (and map) traffic arriving from the public Internet to specific hosts inside the Azure deployment; note that unlike AWS and GCP, this firewall cannot control internal traffic (between servers inside the private subnet) and it doesn't provide any grouping (rules are defined per individual host and port, i.e. per endpoint)
- GCP offers flexible firewall rule management using instance Tags as the targets and sources of rules, similar in effect to the AWS security groups
- IBM Cloud and Rackspace do not currently offer this capability natively
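The difference between a group-based firewall (AWS Security Groups, GCP tags) and a per-host endpoint filter is easiest to see by evaluating a small policy. The following is an added example written for this post, not code from any provider or from the original article; the fleet, the 10.0.0.0/24 subnet, the office CIDR and the rule set are constructed sample data. A rule attached to a group allows ingress on a port from either a CIDR block or from members of another group, and anything not explicitly allowed is denied, so an untagged VM on the same private subnet still cannot reach the database tier.

```python
"""Toy evaluator for group-based firewall rules (the model behind AWS Security
Groups and GCP tag-based rules).  Illustrative code written for this post, not
provider code; the topology and rules below are constructed sample data."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Union


@dataclass(frozen=True)
class Rule:
    port: int
    source: str  # a CIDR ("203.0.113.0/24") or a group name ("web")


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: FrozenSet[str]  # security-group / tag memberships


# Constructed sample policy: Internet -> web:443, bastion -> web/db:22,
# web -> db:5432, office CIDR -> bastion:22.  Nothing else is allowed.
RULES: Dict[str, List[Rule]] = {
    "web":     [Rule(443, "0.0.0.0/0"), Rule(22, "bastion")],
    "db":      [Rule(5432, "web"), Rule(22, "bastion")],
    "bastion": [Rule(22, "203.0.113.0/24")],
}

# Constructed sample fleet; all instances share the 10.0.0.0/24 private subnet.
FLEET: Dict[str, Instance] = {
    i.name: i for i in (
        Instance("web-1", "10.0.0.10", frozenset({"web"})),
        Instance("db-1", "10.0.0.20", frozenset({"db"})),
        Instance("bastion-1", "10.0.0.5", frozenset({"bastion"})),
        Instance("stray-1", "10.0.0.99", frozenset()),  # untagged VM, same subnet
    )
}


def _as_cidr(source: str):
    """Return an ip_network for CIDR sources, None for group references."""
    try:
        return ip_network(source, strict=False)
    except ValueError:
        return None


def allowed(src: Union[Instance, str], dst: Instance, port: int) -> bool:
    """Default-deny ingress check: permitted only if some group of `dst` carries
    a rule for `port` whose source matches `src`.  `src` is either an Instance
    (matched by its group membership or its IP) or a bare IP address string."""
    src_ip = ip_address(src.ip if isinstance(src, Instance) else src)
    src_groups = src.groups if isinstance(src, Instance) else frozenset()
    for group in dst.groups:
        for rule in RULES.get(group, []):
            if rule.port != port:
                continue
            cidr = _as_cidr(rule.source)
            if cidr is not None:
                if src_ip in cidr:          # CIDR rule: match on address
                    return True
            elif rule.source in src_groups:  # group rule: match on membership
                return True
    return False


def evaluate(flows):
    """Evaluate (src, dst, port) triples; src may be a fleet name or an IP."""
    results = {}
    for src, dst, port in flows:
        results[(src, dst, port)] = allowed(FLEET.get(src, src), FLEET[dst], port)
    return results


if __name__ == "__main__":
    sample = [
        ("198.51.100.7", "web-1", 443),    # Internet client to the web tier
        ("198.51.100.7", "db-1", 5432),    # Internet client straight to the db
        ("web-1", "db-1", 5432),           # app tier to db, by group membership
        ("stray-1", "db-1", 5432),         # same subnet, but no group: denied
        ("203.0.113.9", "bastion-1", 22),  # office network to the bastion
        ("bastion-1", "db-1", 22),         # bastion to db over SSH
        ("198.51.100.7", "bastion-1", 22), # Internet to bastion: denied
    ]
    for (src, dst, port), ok in evaluate(sample).items():
        print(f"{src:>14} -> {dst}:{port}  {'ALLOW' if ok else 'deny'}")
```

The property worth noticing is that moving web-1's IP address, or adding a second web server, needs no rule change: the db tier's rule references the "web" group, and membership alone decides who may connect. A per-host endpoint model has to be re-edited for every such change, and, as the Azure note above says, cannot express the intra-subnet restriction that denies stray-1 at all.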
Secure Extension Using IPSec
- AWS enables connection of the enterprise data center to an AWS VPC over IPSec; the VPC-side termination is called a Virtual Private Gateway (VGW), paired with a customer gateway device on the enterprise side
- Azure provides site-to-site VPN gateway capabilities for its virtual networks
- Google's static IPSec service (Cloud VPN) is currently in Beta
- IBM and Rackspace don’t offer this service at the moment as part of the public cloud offering
Remote Access to Individual Servers
All providers enable secure remote access to individual cloud servers using SSH and RDP (for Linux and Windows VMs respectively). In each case the access is bound to per-server credentials (an SSH key pair or a local account) rather than to a central identity. Google additionally offers a customized browser-based SSH access with SSO based on the Google account ID.
VPN Access and Identity-based Access Management
User VPN access is usually the basis for centrally authenticating remote users, associating their identity with an otherwise unknown IP address and enforcing identity-based access rights.
At this point, only Azure provides dynamic client-based (point-to-site) VPN access to the cloud. However, at the moment, Azure doesn't support identity-based access (firewall) rules; the authenticated identity is not carried into the network policy. None of the other CSPs support identity-based access management to the cloud deployment.
Note that several CSPs do offer central-identity-based access to the service management console and APIs, but not to the cloud servers themselves.
New players and changes in the cloud offerings have shifted the cloud provider landscape. As the cloud market continues to grow, attracting more competitors, global outreach and instigating price wars, more disruptions are sure to follow. However, none of the leaders’ native public cloud offerings has shown significant advancement in security in the past year. The cloud Shared Responsibility model for security, adopted by these leading CSPs, may be the reason for this lack of ‘breakthroughs’ in IaaS security.
Currently, organizations that require a complete enterprise-grade security solution, let alone compliance with a specific regime such as HIPAA, need to complement the missing security features with solutions from third-party vendors (ISVs). The marketplaces of the CSPs discussed above are a good place to locate these add-on solutions.