
Published on September 27th, 2021


Public cloud cybersecurity – Florida News Times



One of the biggest considerations companies face when choosing a public cloud service provider is the level of cybersecurity it offers: that is, the features and capabilities the provider has put in place to protect its networks and services and to protect customers’ data from breaches and other attacks.

Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure each take security seriously, for obvious reasons. A well-publicized security breach blamed on one of these services could scare away countless potential customers, cost millions of dollars, and lead to regulatory compliance penalties.

Here is what the three major cloud providers offer in four key areas of cybersecurity:

Network and infrastructure security

Amazon Web Services

AWS offers several security features and services designed to enhance privacy and control network access. These include network firewalls that allow customers to create private networks and control access to instances or applications. Enterprises can control encryption in transit between AWS services.

Also included are connectivity options that allow for private connections; distributed denial-of-service (DDoS) mitigation technology that can be applied as part of application and content delivery strategies; and automatic encryption of all traffic on the AWS global and regional networks between AWS-secured facilities.

Google Cloud Platform

The company designs and implements security-specific hardware, such as Titan, a custom security chip that GCP uses to establish a hardware root of trust in servers and peripherals. Google also builds its own network hardware to improve security. All of this is built into a data center design that includes multiple layers of physical and logical protection.

On the network side, GCP continues to design and evolve the global network infrastructure that supports its cloud services so that it can withstand attacks such as distributed denial of service (DDoS) and protect services and customers. In 2017, the infrastructure absorbed a 2.5 Tbps DDoS attack, the highest-bandwidth attack ever reported.

GCP provides network security features that customers can choose to deploy, in addition to the built-in capabilities of its global network infrastructure. These include Cloud Armor, a network security service that provides cloud load balancing and protection against DDoS and application attacks.

Google employs several security measures to ensure the reliability, integrity, and privacy of data in transit. It encrypts and authenticates data in transit at one or more network layers when data moves outside physical boundaries not controlled by Google.

Microsoft Azure

Microsoft Azure runs in data centers managed and operated by Microsoft. According to the company, these geographically dispersed data centers comply with key industry standards for security and reliability. The data centers are managed, monitored, and administered by Microsoft operations staff with many years of experience.

Microsoft also conducts background checks on operations personnel and limits access to applications, systems, and network infrastructure in proportion to the level of background check.

Azure Firewall is a managed cloud-based network security service that protects your Azure virtual network resources. It is a complete stateful firewall as a service with built-in high availability and unlimited scalability. Azure Firewall can decrypt outbound traffic, perform the necessary security checks, and then re-encrypt the traffic before forwarding it to its destination. Administrators can allow or deny user access to website categories such as gambling and social media.

Identity and access control

Amazon Web Services

AWS provides the ability to define, enforce, and manage user access policies across AWS services. This includes AWS Identity and Access Management (IAM), which allows companies to define individual user accounts with permissions across AWS resources, and AWS multi-factor authentication for privileged accounts, including software-based and hardware-based authenticator options. AWS IAM can be used to grant employees and applications federated access to the AWS Management Console and AWS service APIs using existing identity systems such as Microsoft Active Directory and other partner offerings.

AWS also provides AWS Directory Service, which allows organizations to integrate with corporate directories to reduce administrative overhead and improve the end-user experience, and AWS Single Sign-On (SSO), which allows organizations to manage all user access and user privileges for their AWS accounts.

Google Cloud Platform

Google’s Cloud Identity and Access Management provides several ways to manage identities and roles on Google Cloud. First, with Cloud IAM, administrators authorize who can take action on a particular resource, giving them complete control and visibility for centralized management of GCP resources. In addition, for companies with complex organizational structures, hundreds of workgroups, and many projects, Cloud IAM provides a unified view of security policy across the organization, with built-in auditing to ease compliance processes.

Customers can also use Cloud Identity, an identity-as-a-service (IDaaS) offering that centrally manages users and groups. Enterprises can configure Cloud Identity to federate identities between Google and other identity providers. GCP also provides Titan Security Keys, which cryptographically prove that the user is interacting with a legitimate service (that is, the service the security key was registered with) and that the user is in possession of the security key.

Finally, Cloud Resource Manager provides resource containers for organizations, folders, projects, and more. This allows organizations to group GCP resources and organize them hierarchically.

Microsoft Azure

Azure Active Directory (Azure AD) is an enterprise identity service that provides single sign-on, multi-factor authentication, and conditional access to Azure services, corporate networks, on-premises resources, and thousands of SaaS applications. With Azure AD, organizations can protect their identities with secure adaptive access, simplify access and streamline control with integrated identity management, and ensure compliance with simplified identity governance. Microsoft says it helps protect users from 99.9% of cybersecurity attacks.





Data protection and encryption

Amazon Web Services

AWS provides the ability to add a layer of security to data stored in the cloud. It provides scalable encryption capabilities, including encryption of data at rest, with most AWS services, such as Amazon EBS, Amazon S3, Amazon RDS, Amazon Redshift, Amazon ElastiCache, AWS Lambda, and Amazon SageMaker.

Flexible key management options are also available, including AWS Key Management Service, which lets companies choose between having AWS manage their encryption keys or keeping full control over their keys; dedicated hardware-based cryptographic key storage with AWS CloudHSM; and encrypted message queues for sending sensitive data using Amazon SQS server-side encryption (SSE).

Google Cloud Platform

Google offers Confidential Computing, which it calls a “breakthrough” technology that encrypts data in use, that is, while the data is being processed. In a Confidential Computing environment, data is kept encrypted in memory and elsewhere outside the central processing unit.

The first product in the Confidential Computing portfolio is Confidential VMs. Google already uses various isolation and sandboxing technologies as part of its cloud infrastructure to secure its multi-tenant architecture. Confidential VMs take this to the next level by providing memory encryption, allowing users to further isolate their workloads in the cloud.

Another offering, Cloud External Key Manager (Cloud EKM), allows organizations to protect their data in Google Cloud Platform with keys managed within a supported external key management partner. Enterprises can maintain key provenance over third-party keys while controlling key creation, location, and distribution. They also have full control over who has access to their keys.

Microsoft Azure

Azure Key Vault helps protect the encryption keys and secrets used by cloud applications and services. Azure Key Vault is designed to streamline the key management process and give enterprises control over the keys that access and encrypt their data. Developers can create development and test keys in minutes and move them to production keys. The security administrator can grant and revoke permissions on the key as needed.

Microsoft Information Protection and Microsoft Information Governance help protect and manage data in Microsoft 365. Microsoft Information Protection extends data loss prevention to all Microsoft 365 applications and services, as well as Windows 10 and Edge. Azure Purview helps organizations understand where their structured data is, so they can better protect and manage that data.

Application security

Amazon Web Services

AWS Shield is a managed DDoS protection service that protects applications running in the Amazon cloud. AWS Shield provides always-on detection and automatic inline mitigation designed to minimize application downtime and latency. AWS Shield has two tiers: Standard and Advanced.

All AWS customers are entitled to the automatic protection of AWS Shield Standard. The company states that it protects against the most common network and transport layer DDoS attacks targeting websites or applications. With Shield Standard on Amazon CloudFront and Amazon Route 53, customers receive comprehensive protection against all known infrastructure attacks.

For a higher level of protection against attacks targeting applications running on Amazon EC2, Elastic Load Balancing, Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 resources, companies can choose AWS Shield Advanced. In addition to the network and transport layer protection that comes with Shield Standard, Shield Advanced provides additional detection and mitigation for large and advanced DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, the cloud provider’s web application firewall.

Google Cloud Platform

Google Cloud Web App and API Protection (WAAP) provides comprehensive threat protection for web applications and APIs. Cloud WAAP is based on the same technology that Google uses to protect its public-facing services from web application exploits, DDoS attacks, malicious bot activity, and API-targeted threats.

Cloud WAAP represents a shift from siloed application protection to integrated application protection, designed to improve threat protection, increase operational efficiency, and consolidate visibility and telemetry. It can also protect an entire cloud or on-premises environment, Google says.

Cloud WAAP combines three products to provide comprehensive protection against threats and fraud. The first is Google Cloud Armor, which is part of GCP’s global load balancing infrastructure and provides web application firewall and anti-DDoS capabilities. The second is Apigee API Management, which provides security-focused API lifecycle management capabilities. The third is reCAPTCHA Enterprise, which provides protection from fraud, spam, credential stuffing, automated account creation, and exploits from automated bots.

Another GCP offering, Cloud Security Scanner, scans web applications for vulnerabilities and provides insight into them, allowing companies to take action before malicious attackers exploit them.

Microsoft Azure

Microsoft Cloud App Security is a cloud app security broker that combines multifunctional visibility, data movement control, user activity monitoring, and advanced analytics, allowing customers to identify and deal with cyber threats across all their Microsoft and third-party cloud services. Designed for information security professionals, Cloud App Security is natively integrated with security and identity tools such as Azure Active Directory, Microsoft Intune, and Microsoft Information Protection, and supports various deployment modes such as log collection, API connectors, and reverse proxy.

Copyright © 2021 IDG Communications, Inc.
