The move to cloud continues to grow at pace, with most IT departments looking at Azure and AWS as the two main options to consider. For each individual use case, there will be a number of requirements to consider, including what applications will be deployed, the existing skill base and cost. We would hope that security is also on the list of requirements. So, that being the case, does Azure have the advantage over AWS for the security-conscious customer?

The short answer, which could save you some reading, is that there is no clear leader as far as security is concerned. AWS and Azure both adhere to a shared security model. This basically means that they take responsibility for controlling the security of the cloud, whereas you are largely responsible for the security in the cloud.

In other words, they secure all the servers, hypervisors, physical access, infrastructure resilience etc. that provide the service. You must control the OS, application security, patching and end-to-end security (SSL etc.). They can both boast a plethora of independently audited accreditations confirming they do the right thing with respect to security. You could argue that one has such and such an accreditation and the other does not, but this would be nitpicking except in the most sensitive, specific use cases.

As far as penetration testing is concerned, they carry out extensive testing on the service infrastructure but, just as you would with your own on-premise infrastructure, you should carry out testing on your own virtual server and application implementation.

Ultimately, whether it be in-house, Azure or AWS, you are spinning up a VM, OS and software. The security of that content remains your responsibility. If you do not patch your OS and applications, you could be exploited, and this is the case whether you are running on AWS or Azure. For the most part, the underlying infrastructure provider is irrelevant: if they weren’t doing the right things, they would lose all their trust and their business, which is why we believe there is no fundamental or persistent difference between the level of security provided by Azure and AWS.

