Anna Andreeva
Commentary

Cloud Storage Security: AWS Vs. Azure

Security remains the biggest concern facing cloud storage adoption. Here we look at the security details of Amazon Web Services and Microsoft Azure, two cloud storage heavyweights.

Cloud-based storage grows more popular every day, for good reason. Cloud storage allows users to get fast access to all the data they need to perform their jobs from virtually any location. In addition, developing web applications for the cloud isn't that different from applications written for a conventional computer, so the number of applications is increasing.

However, let's put the convenience of the cloud aside for a moment and consider the biggest drawback of cloud services in general: security. How safe is the transmission of data from client to cloud storage and back? Below is a detailed security comparison between Amazon Web Services (AWS) and Windows Azure, two of the leading cloud infrastructure providers.

Amazon Web Services
Amazon EC2 is perhaps the best-known cloud infrastructure service. When customers entrust their data to Amazon, they receive:

Multilevel security. Security mechanisms are implemented at several levels: the host operating system, the virtual instances, the guest OS, the firewall, and API calls.

Hypervisor. Amazon EC2 uses a modified version of the Xen hypervisor, which can significantly improve virtual machine performance through paravirtualization. CPU access is separated by privilege level (ring): the host OS runs at the highest privilege, level 0; the guest OS at level 1; and applications, with the least privilege, at level 3.

Instance isolation. Multiple guest instances can share one physical machine. Instances have no direct access to the physical disk; they are given access to virtual storage instead. To keep the data of different instances on the same host from leaking into one another, the system double-checks storage before handing freed space to another instance, so Amazon provides a high level of isolation for each instance. When disk space is released, the contents of each storage unit are automatically wiped (overwritten with zeros), and memory is not returned to the free pool until that reset completes.

Host OS security. Multifactor authentication is required for administrative access to host management. When an employee no longer needs such access, the account is revoked.

Guest OS security. Responsibility for security here lies entirely with the development team, since the provider has access to neither the instances nor the guest operating systems installed on them. This is a benefit for application security (the provider cannot read the customer's data), but it also creates potential for attack: configuration errors can give attackers access to applications, data, and even entire virtual machines.

Firewall. By default, all firewall ports are closed, so the customer must explicitly open ports for incoming traffic. Amazon lets the customer split access into separate groups of rules (called Security Groups).
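Because the default is "everything closed", the risk on the customer's side is opening too much. The following audit is an added example (not code from the article or from Amazon) that walks Security Group ingress rules in the shape returned by the EC2 DescribeSecurityGroups API (the field names IpPermissions, IpProtocol, FromPort, ToPort, IpRanges/CidrIp and Ipv6Ranges/CidrIpv6 are assumed to follow that API; the group names, rules and the list of sensitive ports are constructed for the example) and flags rules that expose sensitive ports or whole port ranges to the world.

```python
import ipaddress

# Constructed sample: three security groups in the shape of the EC2
# DescribeSecurityGroups "IpPermissions" entries. Group names and CIDRs are invented.
SAMPLE_GROUPS = {
    "sg-web-public": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "sg-db-internal": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
    "sg-wide-open": [
        {"IpProtocol": "-1",  # "-1" means all protocols in the EC2 API
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

# Ports that should practically never be reachable from the whole Internet
# (constructed list for the example; extend to taste).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 1433: "mssql", 5432: "postgres"}
WIDE_RANGE = 1024  # a range wider than this is flagged even without a sensitive port


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0: a prefix length of zero matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_findings(rule):
    """Return a list of human-readable findings for one ingress rule."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    if not any(is_world_open(c) for c in cidrs):
        return []  # only world-open rules are of interest here

    proto = rule.get("IpProtocol")
    if proto == "-1":
        return ["all protocols and ports open to the world"]

    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return [f"{proto} with unspecified port range open to the world"]

    findings = [f"{name} ({proto}/{port}) open to the world"
                for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
    if hi - lo + 1 > WIDE_RANGE:
        findings.append(f"wide port range {lo}-{hi} open to the world")
    return findings


def audit_security_groups(groups):
    """Map each security group name to its findings; groups with none are omitted."""
    report = {}
    for name, rules in groups.items():
        hits = [f for rule in rules for f in rule_findings(rule)]
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for group, hits in audit_security_groups(SAMPLE_GROUPS).items():
        for hit in hits:
            print(f"{group}: {hit}")
```

Against the constructed groups, HTTPS open to the world on sg-web-public is accepted, SSH open to the world on the same group is flagged, the database group restricted to 10.0.0.0/16 is clean, and the all-protocols rule is flagged outright. Feeding real output from DescribeSecurityGroups into audit_security_groups is a one-line change.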

API access. API calls to start or stop instances, change firewall settings, and perform other functions are signed with a secret key (the Amazon Secret Access Key); without it, API access is impossible. In addition, API calls are encrypted using SSL.
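The essential property of signed API calls is that the secret key itself never travels over the wire: the client proves possession of it by computing an HMAC over a canonical form of the request, and the service recomputes the same HMAC with its copy of the key. The block below is an added example illustrating that principle in Python; it is not Amazon's signature algorithm and not code from the article. The key id, secret, hostname and parameter names are constructed, and the timestamp check is an added replay-limiting measure that the article does not discuss.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed credentials (placeholders, not real AWS keys).
ACCESS_KEY_ID = "EXAMPLEACCESSKEYID"
SECRET_ACCESS_KEY = b"example-secret-access-key-never-sent-on-the-wire"


def string_to_sign(method, host, path, params):
    """Canonical request: sorted parameters so client and server serialise identically."""
    canonical_query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), host.lower(), path, canonical_query])


def sign_request(method, host, path, params, access_key_id, secret_key, timestamp=None):
    """Client side: attach key id and timestamp, then an HMAC-SHA256 signature."""
    signed = dict(params)
    signed["AccessKeyId"] = access_key_id          # identifies the key, is not secret
    signed["Timestamp"] = str(int(timestamp if timestamp is not None else time.time()))
    sts = string_to_sign(method, host, path, signed)
    signed["Signature"] = hmac.new(secret_key, sts.encode(), hashlib.sha256).hexdigest()
    return signed


def verify_request(method, host, path, params, key_store, now=None, max_skew=300):
    """Service side: look up the secret by key id, recompute and compare the HMAC."""
    params = dict(params)
    presented = params.pop("Signature", None)
    key_id = params.get("AccessKeyId")
    if presented is None or key_id not in key_store:
        return False
    try:
        ts = int(params.get("Timestamp", ""))
    except ValueError:
        return False
    now = now if now is not None else time.time()
    if abs(now - ts) > max_skew:
        return False  # stale request: limits the replay window
    expected = hmac.new(key_store[key_id],
                        string_to_sign(method, host, path, params).encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, presented)


def demo():
    """Round trip: a signed request verifies; a tampered or stale one does not."""
    keys = {ACCESS_KEY_ID: SECRET_ACCESS_KEY}
    req = sign_request("GET", "api.example.test", "/",
                       {"Action": "StopInstances", "InstanceId": "i-0123"},
                       ACCESS_KEY_ID, SECRET_ACCESS_KEY, timestamp=1_000_000)
    tampered = dict(req, InstanceId="i-9999")  # attacker changes a parameter
    return {
        "genuine": verify_request("GET", "api.example.test", "/", req, keys, now=1_000_010),
        "tampered": verify_request("GET", "api.example.test", "/", tampered, keys, now=1_000_010),
        "stale": verify_request("GET", "api.example.test", "/", req, keys, now=1_000_000 + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

Note that verification does not depend on SSL at all; the article is right that the two are separate layers, signing binds the request to the key holder while SSL hides its contents in transit.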

Windows Azure
Although Microsoft offered Windows Azure only as platform-as-a-service (PaaS) in the past, the company recently introduced a series of updates to position Azure as a full-fledged cloud infrastructure on which to run applications on Windows Server and Linux.

Our independent performance testing has shown that Windows Azure is ahead of its competitors, thereby strengthening its position. The following is included in the Azure security package:

Mutual SSL authentication. All internal traffic is sent encrypted, which prevents information leakage even if the traffic is intercepted.

Management of certificates and private keys. Certificates and keys are generated by a separate mechanism that is not reachable from application code. They are encrypted and stored in a secret repository, and additional password protection is available.

Principle of least privilege. Customer applications run on virtual machines with minimal rights. This complicates any kind of attack, because carrying one out would first require privilege escalation.

Data access control. Each customer account generates a secret key that grants access to the storage vault tied to that account.

Isolation of hypervisor, host OS, and guest virtual machines. Isolating customer virtual machines from one another is critical for sharing disk space safely. The hypervisor and the root OS are responsible for isolating the guest virtual machines.

Packet filtering. The hypervisor and the root OS filter unsafe packet traffic.

VLAN isolation. Internal data transfer is organized so that all traffic is checked by the router when it crosses from one network to another, which keeps external traffic out of the internal network infrastructure.

Removal of outdated data. After data is deleted, the platform checks for and removes all references to the deleted resource, and all copies are erased by scavenger processes.

It is apparent that the security mechanisms offered by these providers are aimed at protecting their internal architecture, including hardware and customer virtual machines. This is natural, since the provider must prevent further attacks if a virtual machine is compromised (e.g., access to the root operating system, eavesdropping on other customers' traffic, or reading information stored on disk).

Anna Andreeva is a security quality assurance engineer with A1QA, an independent software testing company. She started her career as a web developer and moved to the software security sphere with a set of essential skills in programming languages. Her current ...

Comments
MarciaNWC, User Rank: Strategist, 8/28/2014 | 12:19:57 PM
Re: cloud security
Good point Anna, about balancing security and usability. Like you say, it would depend on the customer's requirements for the data they're putting in the cloud.

Do you find that the cloud providers are providing enough transparency into their operations and their security? I've heard concern from cloud users about lack of cloud provider transparency.


A.Andreeva, User Rank: Apprentice, 8/28/2014 | 9:11:56 AM
Re: cloud security
Marcia, thank you for your question! I would say security is a global trend which is inevitably coming to the cloud. I know that many of the other storage providers carry a lot of security. Among the most popular, Google Disk and Rackspace, are doing no less than those in the article. But this is always a question of balance between security and productivity. What is essential for the client is how secure his/her app is in the cloud, but no less important is how fast it is running. So, the majority of clouds consider both factors.

MarciaNWC, User Rank: Strategist, 8/26/2014 | 6:38:28 PM
cloud security
Thanks for this detailed comparison. AWS and Azure both seem to have worked pretty hard on security. What's your sense of the security levels of other cloud providers? Is cloud security becoming more prevalent?

aditshar1, User Rank: Ninja, 8/26/2014 | 2:56:39 PM
Features
I believe most of the features in AWS vs. Azure are similar, but they both name the same types of features differently, like EC2 for AWS and Virtual Machines for Azure.