Public cloud security: AWS security and Microsoft Azure

A look at the security capabilities offered in AWS and Microsoft’s hosted services.

This tip is a part of the SearchCloudSecurity.com AWS security and Amazon EC2 security tutorial

While organizations are eagerly eyeing the efficiency and cost benefits of cloud computing, security professionals are concerned that migrating resources into cloud environments -- especially public clouds -- comes with significant risk. Many of the safeguards and data security controls in place within our networks today may not be present in cloud provider environments, or may not have the same features that security teams employ currently. Other public cloud security problems may also include a lack of control and visibility into the security tools and controls within the cloud provider’s infrastructure.

However, public cloud providers are stepping up their security and offering more security tools and capabilities than ever before. Let’s explore some of the capabilities offered in AWS security, as well as Microsoft’s Windows Azure platform.

Amazon Web Services – AWS security

Amazon Web Services (AWS) offers a wide variety of multifactor authentication options for customers who wish to employ physical tokens or similar technology to improve access controls. Cryptographic keys for access to AWS can be managed and rotated by customers, as well. In addition, Amazon EC2 instances can have multiple distinct users with specific permissions established for simplistic identity and access management (IAM), and Amazon follows the security best practice of “least privilege” by initially generating users with no access permissions. Customer administrators must explicitly grant all additional user permissions.

Virtualization management platforms at Amazon require multifactor authentication from AWS staff, and customers manage all virtual machine (VM) local access and host-based security (firewalls, IDS, etc.). EC2 has a simple inbound firewall that can be broken into “security groups” that are initially configured in “Deny All” mode. To allow traffic to each instance, customers will need to explicitly allow TCP, UDP and ICMP traffic from source IP addresses or ranges.
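To make the “Deny All” starting point concrete, here is an added illustration (not code from the article or from AWS) that models how an inbound security group admits a packet only when an explicit TCP, UDP or ICMP rule from a matching source range exists; the rule layout, function names and sample addresses are this example's own assumptions, not an AWS API.

```python
# Added illustration (not from the article): a minimal model of how an EC2
# security group evaluates inbound traffic. The group starts empty ("Deny All")
# and only explicit allow rules for TCP, UDP or ICMP from a source CIDR admit
# a packet. Rule layout and function names are this example's own, not an AWS API.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    protocol: str        # "tcp", "udp" or "icmp"
    from_port: int       # for icmp: the ICMP type, -1 meaning any type
    to_port: int
    source_cidr: str     # e.g. "203.0.113.0/24"; "0.0.0.0/0" means any source


def rule_matches(rule: IngressRule, protocol: str, port: int, src_ip: str) -> bool:
    """True if this single rule admits the packet (protocol, port/type, source)."""
    if rule.protocol != protocol:
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source_cidr):
        return False
    if protocol == "icmp":
        return rule.from_port == -1 or rule.from_port == port   # port carries the ICMP type
    return rule.from_port <= port <= rule.to_port


def is_allowed(rules, protocol: str, port: int, src_ip: str) -> bool:
    """Default deny: traffic is admitted only if some rule explicitly allows it."""
    return any(rule_matches(r, protocol, port, src_ip) for r in rules)


# Constructed sample group: SSH from one office range, HTTP from anywhere,
# and ICMP echo requests (type 8) from the office range only.
OFFICE_ONLY_GROUP = [
    IngressRule("tcp", 22, 22, "203.0.113.0/24"),
    IngressRule("tcp", 80, 80, "0.0.0.0/0"),
    IngressRule("icmp", 8, 8, "203.0.113.0/24"),
]


if __name__ == "__main__":
    # A freshly created group has no rules, so everything is dropped.
    print(is_allowed([], "tcp", 22, "203.0.113.5"))                   # False
    print(is_allowed(OFFICE_ONLY_GROUP, "tcp", 22, "203.0.113.5"))    # True
    print(is_allowed(OFFICE_ONLY_GROUP, "tcp", 22, "198.51.100.7"))   # False: wrong source
    print(is_allowed(OFFICE_ONLY_GROUP, "udp", 80, "198.51.100.7"))   # False: wrong protocol
```

Because the group is an allow-list, reviewing it for exposure means listing the rules themselves; anything not listed is already denied.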

Additionally, Amazon now offers customers the Citrix NetScaler (VPX) virtual Web application firewall for enhanced application security. However, implementing this type of application monitoring could cause some slow or dropped application traffic and should be thoroughly tested before implementing on production cloud applications.

Finally, Amazon has made it relatively simple to perform external penetration tests and vulnerability scans. Customers of AWS can fill out a form to request a testing window by providing the source IP addresses for the test, Amazon instances to test, and time preferred. Amazon has explicit terms of service preventing the use of denial-of-service (DoS) tools or any other scanning or testing tools that could cause outages or excessive resource consumption.

Microsoft Azure security

Microsoft offers a number of hosted application services with its Windows Azure platform and Office application suite, and has published a more generic paper detailing security within their cloud environments. The company’s internal security and compliance team follows ISO 27001 as a risk management framework, and best practices for incident handling, application security, physical security, access and identity management and other areas. All of these are focused on Microsoft-managed internal security, however.

A separate paper goes into more specific detail on the architecture of Azure nodes, as well as authentication mechanisms like Windows LiveID and the Azure Service Management API (SMAPI), as well as cryptographic key management both by Microsoft and customers’ developers. While Azure does not currently support customer-created network access controls to allow and deny specific traffic, this feature is planned for a future release. Customers can, however, provide custom configuration files detailing the connectivity granted to roles within specific applications. Logging and monitoring data is also provided to customers for analysis and review.

Most major providers should perform internal and external network scans and penetration tests on a regular basis, and be able to provide an audit trail of test results and remediation efforts. All should maintain stringent patching and configuration management processes internally, and it’s critical that customers request information on patching cycles from providers that maintain platforms and applications. For Infrastructure as a Service (IaaS) offerings, where customers are largely responsible for their own platforms and applications, most of these activities (if not all) will be maintained by customers themselves.

About the author:

Dave Shackleford is a founder and principal consultant with Voodoo Security and also a certified SANS instructor.
