The cloud is not impenetrable. It comes with many potential threats, like insecure default settings, vulnerabilities in software dependencies, and leaked administrative credentials. One of the most common oversights is the misconfiguration of S3 buckets or databases, which has led to the leak of millions of sensitive data records over the years. Due to these and other risks, nearly 100% of companies experienced a cloud data breach in the past 18 months, according to Ermetic.
The big three cloud service providers (CSPs) all offer quite high-grade encryption, firewalls, authentication, and authorization features. But which cloud provider is the most secure?
That question can be tough to answer because breaches usually arise from user misconfigurations, not errors within the underlying host. The CSP typically agrees to secure the physical infrastructure and is less responsible for the data or application on top. That being said, some vulnerabilities have been discovered in the cloud’s virtual infrastructure. Plus, each cloud provider is at a different stage of maturity, offering various security features with varying default settings.
Below, we’ll examine the security posture of the three main CSPs, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), to see how they compare. We’ll focus on recent vulnerabilities and breaches within each platform and consider what cybersecurity features each offers. We’ll also summarize the shared responsibility model (SRM) that each cloud provider guarantees for software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS).
Which companies are the most important vendors in cybersecurity? Check out
the Acceleration Economy Cybersecurity
Top 10 Shortlist.
Amazon Web Services (AWS)
Due to its sheer popularity, many cloud breaches involve AWS. For example, in mid-2022 Pegasus Airline exposed 6.5 terabytes of data online with a leaky S3 bucket. Another recent breach involved health technology company Adit (which accidentally exposed 3.1 million patient records.) Most AWS-related security incidents concern misconfigured S3 buckets. To be fair, this isn’t a flaw within AWS, but rather, AWS the result of customers accidentally setting public read access to their data.
Other recent AWS incidents involve server configuration changes, a lack of passwords, or leaked credentials. (With AWS credentials in hand, it’s easy to query administrative URLs for sensitive information or conduct privilege escalation.)
AWS security features and tools:
- DDoS (distributed denial of service) protection: Shield
- Secret Manager
- Virtual private networks (VPN)
- Identity and access management
- Web application firewall
- Data protection and encryption
- Compliance with risk frameworks
- Third-party security vendor marketplace
- Transparent vulnerability reporting
- and much more
AWS shared responsibility model: AWS’s SRM is rather straightforward — you’re responsible for security “in” the cloud, and they’re responsible for the security “of” the cloud. This essentially means that cloud users must secure guest operating systems, application software, data, and their configurations. AWS is then responsible for securing the hardware, software, networking, and facilities.
Microsoft Azure
Similarly, most Azure hacks involve misconfigured or open storage buckets. For example, MyEasyDocs exposed 30.5GB of student information due to an open Azure bucket, and another big one left 65% of U.S. households exposed. Whereas those leaks involved user misconfigurations on the user side, the BlueBleed hack seems to be more Microsoft’s fault, as it involved an unknown legacy endpoint leaking an estimated 2.4TB of customer data.
In addition to data leaks, Azure’s virtual infrastructure has had flaws in the past. In mid-2021, Microsoft notified its customers of a flaw in Azure Cosmos DB database, which left data from 3,300 Azure customers exposed online. Six “nightmare” cloud security flaws were also found in Azure last year. In general, Azure has been more prone to cross-tenant vulnerabilities, and some analysts have described Azure as being a bit behind on security.
Azure security features and tools:
- Azure DDoS Protection
- Secrets management: KeyVault
- Virtual private networks (VPN)
- Azure Active Directory
- Azure AD Multi-Factor Authentication (MFA)
- Data encryption at rest and in transit
- Web application firewall (WAF) following OWASP guidelines
- Azure Monitor
- and much more
Azure shared responsibility model: Customers are always responsible for information and data, devices, accounts, and identities. Azure begins to assume responsibility for virtual and physical infrastructure, but the degrees of responsibility vary depending on whether the customer is operating SaaS, PaaS, or IaaS. Azure assumes no responsibility for on-premise instances.
Google Cloud Platform (GCP)
In its Threat Horizons: Cloud Threat Intelligence report, Google notes that cryptomining is the most popular type of attack on its platform, accounting for 86% of compromised Google Cloud instances. Recent exploits in GCP have more to do about hackers leveraging the infrastructure as opposed to leveraging sensitive data.
That said, experts have revealed a blindspot in GCP that could enable data exfiltration attacks. According to the researchers, GCP lacks deep visibility into its storage logs, limiting forensic investigations. Also, six vulnerabilities were recently discovered across GCP services, including Theia, Vertex AI, Compute Engine, and Cloud Workstations.
GCP security features and tools:
- DDoS protection: Google Cloud Armor
- Secret Manager
- Virtual private networks (VPN)
- Identity and access management
- Web application firewall
- Threat intelligence features
- and much more
Shared responsibility model: GCP’s Shared Responsibility Matrix is a bit more complex than the others. This SRM specifies security responsibilities on a per-service basis. In general, you are responsible for more and more components as you move from SaaS to PaaS, IaaS, and on-premise.
In Summary
It’s good to remember that cloud security is a shared responsibility. There’s only so much a cloud service provider can do to ensure that the cloud isn’t being abused. Therefore, it’s up to the end consumer to follow cloud security best practices and correctly configure security features pertaining to IAM policies, firewalls, IP listing, and encryption.
Determining which cloud is most secure is also challenging because each CSP provides a massive array of services. Therefore, it really depends on the environment and deployment being used. That being said, AWS appears to be the most mature, having been in the market the longest. It defaults to secure configurations most often and has suffered fewer reported major infrastructure vulnerabilities in recent years.
This article has been updated since it was originally published on May 5, 2023.