2. Introduction
Relying on someone else, such as a cloud service provider (CSP), to store and process data requires trust and a willingness to give up control. That is why cloud providers focus heavily on security, but which cloud providers would be the best?
There are several ways to analyse the public cloud providers, but by any measure the three leading public cloud providers that dominate the worldwide cloud market are AWS, Microsoft Azure and GCP. But first, let's discover what a public cloud provider is.
A public cloud provider is a service provider whose cloud service is made available to the public over the internet, so that users can use the provider's storage, applications or other capacities to scale their resources and share them among peers in the same organization.
3. Secure Authentication
In order to allow someone to access cloud resources, you need to ensure that the user trying to authenticate is who they claim to be. Authentication should be implemented using technologies like Single Sign-On (SSO) and Multi-Factor Authentication (MFA) to increase security.
AWS provides the cloud user with secure authentication options along with the AWS Command Line Interface and multi-factor authentication for cloud applications (AWS Cognito).
Azure provides Azure Active Directory, which has both single sign-on and multi-factor authentication capability.
Google Cloud Platform has the enterprise-grade Identity Platform, which is used for secure access to applications and to Google Cloud.
4. User Accounts Management
Services: AWS IAM | Cloud IAM | Azure Active Directory
User management describes the ability for administrators to manage user access to various IT resources like systems, devices, applications, storage systems, networks, SaaS services, and more.
Every user application needs to have IAM credentials. Using these credentials it can sign a request to the database service; if it has the appropriate permission to perform the particular action on the particular resource, the app will get the response from the database, otherwise it will get an error.
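The allow/deny decision behind that "response or error" outcome, as an added example that is not part of the slides: the policy document, account ID and table names are constructed, and the evaluator implements only the core IAM logic (implicit deny, Allow, explicit Deny overriding everything), not condition keys or resource policies.

```python
import fnmatch

# Constructed identity-based policy in the IAM policy-document shape
# (Effect / Action / Resource). The account ID and table names are
# illustrative, not taken from a real account.
APP_POLICY = {
    "Statement": [
        # Broad allow: every DynamoDB action on the Orders table.
        {"Effect": "Allow", "Action": "dynamodb:*",
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"},
        # Explicit deny of destructive actions on any table in the account.
        {"Effect": "Deny",
         "Action": ["dynamodb:DeleteItem", "dynamodb:DeleteTable"],
         "Resource": "arn:aws:dynamodb:*:111122223333:table/*"},
    ]
}


def _matches(pattern, value, case_sensitive):
    """Glob match ('*' and '?') against one pattern or a list of patterns."""
    patterns = [pattern] if isinstance(pattern, str) else pattern
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_authorized(policy, action, resource):
    """Decide one signed request as the slide describes: it succeeds only if
    the caller's policy grants that action on that resource.

    Evaluation order follows the documented IAM logic: everything is denied
    by default (implicit deny), a matching Allow grants the request, and a
    matching explicit Deny overrides every Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; ARNs are compared as-is.
        if not (_matches(stmt["Action"], action, case_sensitive=False)
                and _matches(stmt["Resource"], resource, case_sensitive=True)):
            continue
        if stmt["Effect"] == "Deny":
            return False      # explicit deny wins immediately
        allowed = True        # remember the allow, keep scanning for a deny
    return allowed


def decide(policy, action, resource):
    """Return the outcome the application would see: a response or an error."""
    return "response" if is_authorized(policy, action, resource) else "AccessDenied error"
```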
5. Role-based access control (RBAC)
Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within the cloud.
Amazon Cognito identity pools assign your authenticated users a set of temporary, limited-privilege credentials to access your AWS resources.
Azure role-based access control is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.
Kubernetes includes a built-in role-based access control (RBAC) mechanism that enables you to configure fine-grained and specific sets of permissions that define how a given Google Cloud user can interact with any Kubernetes object in your cluster.
6. Emergency Access
Services: Azure Active Directory | enterprise-grade Identity Platform | Emergency access capabilities (Firecall IDs)
This feature comes under the domain of cloud users and is widely used in the risk management operations of an organization.
During emergencies and incidents, users need access to production-level systems with elevated privileges in order to identify the root cause of the issue and resolve it.
Management reviews the emergency access reports periodically to ensure that there is no abuse of, or deviation from, the standard provisions of the emergency access.
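One way to carry out the periodic review the slide describes, as an added example that is not part of the presentation: the sign-in log lines, the firecall identities and the approved incident window are all constructed for the example, and the log format is a simplified "timestamp principal event" line rather than any provider's native audit format.

```python
from datetime import datetime, timezone

# Constructed sign-in events: "<UTC timestamp> <principal> <event>".
# These are sample lines written for this example, not real audit logs.
SIGNIN_LOG = """\
2024-03-01T09:12:03Z alice@example.com ConsoleLogin
2024-03-01T22:41:55Z firecall-01@example.com ConsoleLogin
2024-03-02T03:15:10Z firecall-01@example.com ConsoleLogin
2024-03-03T14:02:41Z firecall-02@example.com ConsoleLogin
2024-03-03T14:05:00Z firecall-02@example.com ConsoleLogout
"""

# Emergency access (firecall) identities and the incident windows in which
# their use was approved. Both sets of values are constructed.
FIRECALL_IDS = {"firecall-01@example.com", "firecall-02@example.com"}
APPROVED_WINDOWS = {
    "INC-1001": ("2024-03-01T22:00:00Z", "2024-03-02T02:00:00Z"),
}


def _ts(text):
    """Parse the ISO-8601 UTC timestamps used in the sample log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_emergency_access(log, firecall_ids, windows):
    """Return (covered, findings): firecall sign-ins matched to an approved
    incident, and firecall sign-ins that no approved window explains.

    Listing both lets the reviewer see legitimate uses alongside deviations."""
    covered, findings = [], []
    for line in log.splitlines():
        when, principal, event = line.split()
        if principal not in firecall_ids or event != "ConsoleLogin":
            continue                         # only break-glass sign-ins matter here
        t = _ts(when)
        incidents = [inc for inc, (start, end) in windows.items()
                     if _ts(start) <= t <= _ts(end)]
        if incidents:
            covered.append((when, principal, incidents[0]))
        else:
            findings.append((when, principal, "sign-in outside any approved incident window"))
    return covered, findings
```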
7. Separation of Duties
Separation of duties is the concept of ensuring that one individual does not have all the permissions necessary to complete a malicious action.
AWS provides cloud users with fine-grained access control capabilities where customers can create user roles that are aligned with the separation of duties principle.
Azure provides Azure Active Directory, which has the ability to define roles that are segregated and based on separation of duties.
In Google Cloud, separation of duties is accomplished by assigning IAM roles to accounts in different projects. These accounts include service accounts, used by GKE and Binary Authorization, and user accounts, accessed by people.
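A check for the principle stated above, as an added example that is not part of the slides: the bindings are constructed, and the role names ("image-builder", "attestation-signer", "cluster-deployer") are illustrative placeholders rather than Google Cloud predefined roles. Roles are aggregated across projects on purpose, because splitting duties between projects only works if the accounts differ, not just the project names.

```python
from collections import defaultdict

# Constructed IAM bindings as (project, principal, role). The role names are
# illustrative placeholders for this example, not Google Cloud predefined roles.
BINDINGS = [
    ("prj-build",  "serviceAccount:ci-builder@example",   "image-builder"),
    ("prj-attest", "serviceAccount:attestor@example",     "attestation-signer"),
    ("prj-prod",   "serviceAccount:gke-deployer@example", "cluster-deployer"),
    ("prj-prod",   "user:bob@example.com",                "cluster-deployer"),
    ("prj-attest", "user:bob@example.com",                "attestation-signer"),
    ("prj-build",  "user:carol@example.com",              "image-builder"),
]

# Role combinations that let one identity complete an action end to end on
# its own (for instance, sign the attestation for an image and then deploy it).
TOXIC_COMBINATIONS = [
    frozenset({"attestation-signer", "cluster-deployer"}),
    frozenset({"image-builder", "attestation-signer"}),
]


def roles_by_principal(bindings):
    """Collapse bindings across all projects into the roles each principal holds."""
    held = defaultdict(set)
    for _project, principal, role in bindings:
        held[principal].add(role)
    return held


def find_sod_violations(bindings, toxic_combinations):
    """Return (principal, roles) pairs where one principal holds every role of
    a toxic combination, i.e. could complete the action alone."""
    violations = []
    for principal, roles in sorted(roles_by_principal(bindings).items()):
        for combo in toxic_combinations:
            if combo <= roles:
                violations.append((principal, tuple(sorted(combo))))
    return violations
```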
8. Secure User Provisioning and De-provisioning
Services: AWS IAM | Azure Active Directory automated user provisioning
User provisioning and de-provisioning is the process of creating, updating and deleting user accounts in multiple applications and systems. This access management practice can sometimes include associated information, such as user entitlements, group memberships and even the groups themselves.
9. ERP Security
ERP (Enterprise Resource Planning) security is the practice of taking effective security measures to prevent any infiltration of your ERP systems.
AWS provides the cloud user with account security through the AWS Account Security Features, which provide users with AWS credentials, AWS MFA (Multi-Factor Authentication), access keys and key pairs.
Azure provides Azure Security Center, which provides cloud customers with tools and resources to secure and also monitor their accounts.
Google provides cloud customers with the Cloud Identity tool, which provides capabilities to manage user identities, devices, and applications. Cloud Identity provides the account security features.
10. Secure Landscape
Services: AWS Account Security Features | Azure Security Center | Cloud Identity tool
Securing the landscape focuses on secure settings and on separating the interfaces and access layers. These secure practices define the integrity of security in production environments. This control focuses on mechanisms that prevent the risk of unauthorized access and ensure that entitlements are clearly defined.
11. Secure Baseline Configuration
A secure baseline configuration is a fully documented set of agreed security configurations that enable the secure-by-default deployment of particular infrastructure components, operating systems, middleware components or applications.
AWS provides the cloud user with baseline security configurations through the AWS Account Security Features, which provide users with AWS credentials, AWS MFA, access keys, key pairs and X.509 certificates.
Azure provides Azure Security Center, which provides cloud customers with tools and resources to secure and also monitor their accounts.
Google provides cloud customers with the Cloud Identity tool, which provides capabilities to manage user identities, devices, and applications. Cloud Identity provides the account security features.
12. Security Vulnerabilities
Services: Amazon Inspector | Microsoft Defender | Automatic vulnerability scanner
This control assists the organization in detecting hidden vulnerabilities and risks that impact its applications. These vulnerabilities need to be documented with an impact, risk and priority so that the mitigation activities for them are a top priority of the organization.
It is possible to maintain this control with a vulnerability assessment process and administrators who remediate the vulnerabilities in a timely manner. The main difference comes with the software-as-a-service model, where the responsibility falls on the cloud service provider.
13. Secure Communication
Cloud communications are internet-based voice and data communication tools for businesses to manage applications, storage and switching, all hosted by a third party on the cloud.
AWS provides the cloud user with Amazon secure configuration tools and KMS, which add VPN and encryption to enable secure data communications.
Azure provides cloud users with Azure Security Center and secure communication protocols, which help in providing secure communications.
Google provides secure communication by providing transport layer security and encrypted connection options to Google Cloud systems.
14. Change Management Control
Services: GAPPS change management | several tools | Azure Change Tracking & Inventory, project & change management service
This control focuses on the change management process that the organization uses to implement changes within the cloud environment. As the cloud is highly scalable and dynamic, the change management process should be defined with proper controls and approval processes.
This ensures that there is the least disruption to organizational and operational activities. This control also ensures the prevention of misconfiguration in cloud systems.
15. Secure Extensions
This control focuses on securing the extensions of the application, as many of these applications are expanded to support multiple organizational vendors and processes, which might introduce additional risk for the organization.
AWS provides AWS Lambda Extensions, which help users with connecting and securing extensions between different cloud and hybrid systems.
Azure provides cloud users with Azure Virtual Machine Extensions, which help users with connecting and securing extensions between different cloud and hybrid systems.
Google provides Google Cloud extensions, an extension tool to support extensions.
16. Secure Integrations and APIs
Services: AWS API | Azure API | Google Cloud API
The secure integrations and APIs control is focused on the integration of applications with external applications and data locations. Businesses need to document all the interfaces and data contracts: the technical details of the collection types, protocols, authorizations, and the encryption details of these interfaces.
This feature focuses on encrypting all the interfaces which use critical data and also ensures that there are no interfaces connecting the cloud system with a lower-security application.
17. Continuous Monitoring
NIST defines Continuous Monitoring (CM) as the ability to maintain ongoing awareness of information security, vulnerabilities, and threats to facilitate risk-based decision making.
AWS provides CloudWatch, which collects monitoring and operational data and visualizes it using automated dashboards so you can get a unified view of your AWS resources and applications. It also provides Amazon GuardDuty, a threat detection service that continuously monitors for malicious activity and unauthorized behaviour to protect your AWS accounts and workloads.
Azure provides Azure security monitor, which is the unified monitoring solution in Azure that provides full-stack observability across applications and infrastructure in the cloud and on-premises.
Google Cloud Managed Service for Prometheus uses Cloud Monitoring storage for externally created metric data and uses the Monitoring APIs to retrieve that data.
18. Data Separation
Services: AWS KMS Policies | BigQuery | logical isolation
Data separation falls under the domain of cloud data and ensures that data is stored separately in the cloud systems. Data needs to be classified by priority, sensitivity and regulation, since some data, such as personally identifiable information, is subject to additional regulations.
19. Cloud Encryption
Cloud encryption is the process of encoding or transforming data before it is transferred to cloud storage.
AWS provides multiple encryption tools: AWS CloudHSM, AWS Key Management Service (KMS), AWS Encryption SDK, Amazon DynamoDB Encryption Client and AWS Secrets Manager.
Azure offers Azure Storage Service Encryption, which automatically encrypts data before it is stored and automatically decrypts the data when you retrieve it.
Google uses the Advanced Encryption Standard (AES) algorithm to encrypt data at rest. Cloud Storage always encrypts your data on the server side, before it is written to disk, at no additional charge.
20. Inventory of Business Assets
Services: AWS Systems Manager Inventory | Inventory and Asset Management | Cloud Asset Inventory
Asset inventory is a technology that allows you to access a database of all your company's assets from anywhere. You can also view your inventory remotely and upload data about it to the cloud.
It covers all the technical components and applications on the servers that host these applications: infrastructure like physical servers, virtual servers, physical databases, virtual databases, applications that process this data, stored data, and classified data. This provides the organization with an actual view of its business assets and how they are managed, and also assists in the change management process.
21. Business Process Control
The business process control focuses on the critical operational processes within the organization. This ensures that no unauthorized entity has access to business-critical applications.
AWS provides Amazon Inspector, an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
Azure uses Azure Active Directory to control business processes.
Google provides VPC Service Controls, which allow customers to address threats such as data theft, accidental data loss, and excessive access to data stored in Google Cloud multi-tenant services. It enables clients to tightly control which entities can access which services in order to reduce both intentional and unintentional losses.
22. Continuous Compliance
Continuous compliance is about developing a strategy within the organization to ensure that all the applications the organization uses are in compliance with industry requirements and various frameworks, and also to ensure that the organization has practices to identify regulations and the controls to be implemented.
23. Conclusion
Cloud service providers are adding new services to attract more cloud users. After mapping the cloud services to security controls, we can observe that all three providers have services that support cloud security controls.
After reviewing the documentation for the services, this presentation provides a high-level overview for the cloud user of the security controls. They can review the cloud security controls and the corresponding services that can implement those controls.