Cloud-based storage grows more popular every day, for good reason. Cloud storage allows users to get fast access to all the data they need to perform their jobs from virtually any location. In addition, developing web applications for the cloud isn't that different from applications written for a conventional computer, so the number of applications is increasing.
However, let's put the convenience of the cloud aside for a moment and consider the biggest drawback of cloud services in general: security. How safe is the transmission of data from client to cloud storage and back? Below is a detailed security comparison between Amazon Web Services (AWS) and Windows Azure, two of the leading cloud infrastructure providers.
Amazon Web Services
AWS EC2 is perhaps the most well known provider of cloud infrastructure. When customers entrust their data to Amazon, they receive:
Multilevel security. Security mechanisms are implemented at several levels -- for host operating systems, virtual instances, and virtual guest OS, as well as firewalls and API calls.
Hypervisor. Amazon EC2 uses a modified version of the Xen hypervisor, which can significantly improve the performance of virtual machines through paravirtualization. And access to the CPU comes with separate privileges. The host OS has the highest at level 0, the guest OS is at level 1, and the applications have the least privileges at level 3.
Isolation instances. Multiple guests can be deployed on one physical machine. Although instances do not have direct access to the physical disk, they are given access to the virtual data storage. To avoid mutual influence of virtual data of different instances placed on one physical machine, the system provides a double-check before "giving" empty space to another instance. Thus, in paying attention to data interaction avoidance, Amazon provides a high level of security for each instance. To ensure that data from different applications does not influence each other in the case of disk space liberation, information from each of the storage units is automatically deleted (the value is set as zero). Memory is not returned to the pool of free memory until the reset process completes.
Security of the host OS. A multifactorial authentication system is implemented for administrative access to the host's management. If an employee no longer needs such access, his account is canceled.
Guest OS security. Support for security here lies entirely on the development team, as the provider does not have access to both the instances and guest operating systems that are installed on them. It is, in fact, a benefit in the context of application security (provider cannot get the customer's data) but also creates potential vulnerabilities for attacks. Configuration errors can give attackers access to applications, data, and even entire virtual machines.
Firewall. By default, all firewall ports are closed. This means that the customer himself must open the ports for incoming traffic. Amazon provides the ability to split the levels of access groups (called Security Groups).
API access. API calls to start or interrupt instances, change firewall settings, and other functions are signed by a secret key (the Amazon Secret Access Key). Access to an API is impossible without it. In addition, the API calls are encrypted using a cryptographic SSL protocol.
Although Microsoft offered Windows Azure only as platform-as-a-service (PaaS) in the past, the company recently introduced a series of updates to position Azure as a full-fledged cloud infrastructure on which to run applications on Windows Server and Linux.
Our independent performance testing has shown that Windows Azure is ahead of its competitors, thereby strengthening its position. The following is included in the Azure security package:
Mutual SSL authentication. All internal traffic is sent in encrypted form, which prevents information outflow, even if it is intercepted.
Management of certificates and private keys. Certificates and keys are generated by a separate mechanism, which is not available from the application code. They are encrypted and stored in a secret repository. Additional password protection is available.
Principle of minimal privilege. Custom applications run on virtual machines with minimal rights. This complicates any kind of attack, because their implementation would require escalation of privileges.
Data access control. Each client's account generates a secret key that provides access to the vault tied to their account.
Isolation of hypervisor, host OS, and guest virtual machines. Isolating client virtual machines is critical for sharing disk space safely. The hypervisor and the root OS are responsible for the isolation of guest virtual machines.
Packet filtering. The hypervisor and the root OS filter unsafe packet traffic.
VLAN isolation. Internal data transfer is organized so that all traffic is verified by the router when moving from one network to another. That prevents receipt of external traffic in the internal network infrastructure.
Removal of outdated data. After the removal of data, the platform checks and removes all references to the purified resource. All copies are also erased by means of scavengers.
It is apparent that the security mechanisms offered by these providers are aimed at protecting domestic architectures, including hardware and client virtual machines. And this is natural, since it is important for the provider to prevent further attacks in case of illegal capture of a virtual machine (e.g., access to the root operating system, unauthorized listening of client machine traffic, or obtaining information stored on disk).