PART I: AWS and Azure–Cloud Security Isn’t True Security

Ratinder Ahuja

January 03, 2019

Like taking flight, most enterprise CISOs begin (and remain) building their security structure while their assets are on the ground, before transitioning a number of them to AWS or Azure cloud storage and apps. Rather than building on a cloud foundation from the very beginning of their business model, the most likely scenario for our readers is to have a fair amount of data still housed in their own data centers, on their own servers, even after their move to their cloud(s).


However these assets are positioned, assessment of your own security posture should take into account their configuration as well as their location—and cover everything in between. Below we go into the different considerations for secure AWS and Azure storage, as well as the importance of a holistic security plan for whatever your organization has decided to shift—or keep on premises.


The basics

In a general sense, AWS and Azure have grown more similar than different. AWS was initially built to hold Amazon’s own assets and information; that data center was then opened up for customer use. So from day one, the security architecture was not built to allow customer control in several aspects, let alone the microsegmentation that you can only get from a third-party provider.


As far as Azure is concerned, it launched in 2010, starting as an internal project for building and deploying Microsoft’s own applications, and is now a Fortune 500 favorite in the cloud game.


Add-ons add up

Neither AWS nor Azure features security as a pillar on their website, and there’s a reason for that. If there’s anything you take away from this article, it is vital to remember that when it comes to security, anything put on the cloud falls under a shared responsibility model.


If you build an application, do anything on your own that holds customer data, or write code—that’s all your security responsibility. It works well only as long as every user has done their bit.


According to their marketing, both Azure Active Directory and AWS Directory Service profess their “reliability” and “scalability” and touch on security features that can basically be categorized into:

  • Visibility
  • Threat protection
  • Security assessment
  • Cloud configuration assessment, and
  • Policies and constraints, including varied microsegmentation


One security researcher summarizes that, though he prefers them for data protection, his main challenge with AWS is that “they don’t offer control over the subnet level. For a security provider to mitigate that issue we need to look at every machine’s traffic.”


We encourage you to visit both websites or this handy comparison guide for specifics, but let’s move forward. According to Azure’s Advanced Threat Protection offering, as an add-on security feature, they profess to:

  • Identify suspicious user and device activity with both known-technique detection and behavioral analytics
  • Analyze threat intelligence from the cloud and on-premise
  • Protect user identities and credentials stored in Active Directory
  • View clear attack information on a simple timeline for fast triage
  • Monitor multiple entry points through integration with Windows Defender Advanced Threat Protection

But comparison of in-cloud offerings is not the takeaway point of this article. Other articles do that. Our point is this: We believe any cloud’s security description should not satisfy you. You should leave a cloud’s website with multiple questions and assumptions. Cloud security isn’t true security. Never believe the hype.


Take the above bullets. You may ask yourself: How does Azure identify suspicious user activity via analytics when a user could be probing on-premise apps before breaking in, without ever raising suspicion in the cloud? How do they analyze threat intelligence on premises? Would that require timely installation and automatic updates? Yes, Azure monitors multiple entry points, but they are cloud entry points. Is every department of your company using the same cloud login? Is that a good thing?


So let’s pretend, with all your open-ended questions, you’ve opted to purchase their security plan. But you need more. To secure on-premise apps you’ve gone with an agent-based solution. A few other departments have added a patchwork of virtual appliances to supplement their data security. Like many companies, you may throw consistency out the window and inadvertently end up using multi-cloud, multi-platform approaches that differ even across divisions. Suddenly, in Q3, the CFO calls you in a panic, asking why vendors are emailing about overdue licensing and maintenance fees.


We’d like to offer you a little reminder. Rather than relying on multiple add-on security providers, with an agentless network provider like ShieldX you consolidate and apply one set of controls across multiple platforms. It is this patchwork nature of cloud security that led ShieldX to devise the solution in the first place. But enough sales talk.


PART II coming tomorrow.