This article compares Microsoft Azure Security with AWS Security. We look at how each addresses the six pillars of cyber security.
Regardless of the chosen provider, organizations expect cloud services to deliver better business agility while ensuring a secure and reliable environment for cyber resilience.
According to IBM, cyber resilience describes an organization’s ability to continue operating despite a cyber security event resulting in a service disruption.
One way to ensure resiliency is to build an infrastructure based on the six pillars of a zero-trust architecture outlined in government documents such as Cybersecurity and Infrastructure Security Agency’s “Trusted Internet Connections 3.0 Reference Architecture,” and the National Institute of Standards and Technology’s “Zero Trust Architecture” draft 800-207.
These pillars revolve around the following:
- Identity. Any resource, whether a person, a device, or a system that attempts to access a network must have its identity verified.
- Data. Protecting data is a core pillar of zero-trust cybersecurity that ensures end-to-end data encryption capabilities.
- Infrastructure. This pillar focuses on configuration, micro-services, virtual machines, and containers to detect and block potential threats.
- Networks. This cybersecurity area focuses on monitoring network activity and preventing lateral movement across the network through micro-segmentation.
- Devices. Information flows through devices such as IoT, smartphones, or on-premises servers to a cloud service provider (CSP) that must be secured to ensure compliance and device health.
- Applications and APIs. APIs and applications consist of legacy solutions, cloud-shifted workloads, or cloud-native products that must be secured to minimize shadow IT, identify abnormal behavior, and verify user access.
How well do AWS and Azure address these six pillars as cybersecurity takes on more national importance? What part does the cloud computing user play in meeting these recommended pillars of zero-trust architectures?
Both Amazon and Microsoft operate under a shared responsibility model. That means a share of the security obligations resides with your own business's security group. Moving operations to a cloud platform does not mean an organization is absolved of all cybersecurity responsibilities. The precise responsibilities depend on the services being consumed. For example,
- IaaS. For infrastructure as a service (IaaS) environments, cloud service providers (CSPs) are responsible for the base cloud infrastructure including the physical security of the facilities that house the equipment. They are not responsible for the security of operating systems or software stacks needed to run applications or store data.
- PaaS. Platform as a service (PaaS) configurations require the provider to take on the added responsibility for applications and operating systems.
- SaaS. Software as a service (SaaS) cloud users are responsible for securing data, devices, accounts, and identities in an Azure environment. With AWS, customers are responsible for data, applications, network and firewall configurations, and client-side encryption.
When evaluating the differences in an AWS vs Azure shared responsibility model, cloud users need to assess the level of technical expertise required. If those resources are unavailable, they may want to look to third parties for assistance.
Azure security vs AWS security comparisons using the six pillars illustrate the differences in how the two providers approach cybersecurity and resilience. This information allows organizations to select the CSP that best fits their needs.
No matter the provider, cloud users are responsible for managing the identities of any resource such as a person, device, or system trying to access the cloud infrastructure. As cloud resources increase, managing identities and privileges can become challenging without appropriate tools.
Azure uses Microsoft's Active Directory technology to deliver identity and access management on Azure. The product comes with a limited-feature free tier. However, its paid tiers offer advanced features that help manage hybrid environments. For anyone familiar with Active Directory, the transition to Azure AD requires minimal training. The security controls in Azure Active Directory are consistent whether on-premises or in the Azure cloud.
AWS offers identity and access management (IAM) as a web service. A one-time AWS root user account is created that can then be used to establish user credentials and privileges. The AWS service is for cloud-based environments only. If integrating into a hybrid environment, AWS must interface with on-premises solutions such as Microsoft's Active Directory.
Data should always be encrypted whether it is in transit or at rest. Both Microsoft Azure and AWS use key-based data encryption. Amazon uses its key management system (KMS) while Microsoft uses Azure Key Vault. Both tools offer data encryption and key management.
AWS KMS uses two types of encryption keys. It generates a master key used to create data keys for encrypting and decrypting data. The master keys can be customer- or AWS-managed; however, cloud users are responsible for managing their data keys. AWS KMS uses FIPS 140-2 validated hardware security modules (HSMs). HSMs may be software- or hardware-based.
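The master-key/data-key split described above is envelope encryption: the master key only ever encrypts short data keys, and each object is encrypted under its own data key, whose wrapped copy is stored beside the ciphertext. The following Go program is an added illustration of that pattern and is not AWS code; it does not call KMS. The `masterKey` type, the `Envelope` struct and the `customer record 42` payload are constructed stand-ins, and a local AES-256-GCM wrap takes the place of the HSM-held master key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets stored with the data: the wrapped data key and the
// payload ciphertext. The plaintext data key is never persisted.
type Envelope struct {
	WrappedDataKey []byte
	Ciphertext     []byte
}

// masterKey is a constructed stand-in for the key held by the key service;
// its raw bytes are never returned to callers, mirroring an HSM-resident key.
type masterKey struct{ raw [32]byte }

func newMasterKey() (*masterKey, error) {
	mk := &masterKey{}
	_, err := rand.Read(mk.raw[:])
	return mk, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM under key and returns nonce||ct.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails on any tampering with nonce, ciphertext or tag.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// GenerateDataKey mirrors the "master key creates a data key" step: the
// plaintext copy is used once and discarded, the wrapped copy is stored.
func (mk *masterKey) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(mk.raw[:], plain)
	return plain, wrapped, err
}

// Encrypt envelope-encrypts payload with a fresh data key per object.
func Encrypt(mk *masterKey, payload []byte) (*Envelope, error) {
	plainKey, wrappedKey, err := mk.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(plainKey, payload)
	for i := range plainKey {
		plainKey[i] = 0 // best-effort scrub once the data key has done its job
	}
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDataKey: wrappedKey, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key under the master key, then opens the payload;
// a different master key or a modified envelope fails authentication.
func Decrypt(mk *masterKey, env *Envelope) ([]byte, error) {
	plainKey, err := open(mk.raw[:], env.WrappedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(plainKey, env.Ciphertext)
}

func main() {
	mk, _ := newMasterKey()
	env, _ := Encrypt(mk, []byte("customer record 42")) // constructed payload
	pt, err := Decrypt(mk, env)
	fmt.Printf("%s (err=%v)\n", pt, err)
	other, _ := newMasterKey()
	_, err = Decrypt(other, env)
	fmt.Println("decrypt with a different master key:", err)
}
```

Because every object gets its own data key, rotating or revoking the master key only requires re-wrapping the small `WrappedDataKey` blobs, not re-encrypting the bulk data; that is the operational property that makes the two-key design worth the extra step.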
Azure Key Vault stores security artifacts such as tokens, keys, and passwords. Key Vault encrypts keys in a hardware security module to comply with industry standards. The solution includes a built-in HSM and supports RSA and Elliptic Curve key generation and management. All keys are processed using FIPS 140-2 validated HSMs. Key encryption is managed through a single product, while AWS uses different web services for its end-to-end encryption.
Encrypted Stored Data
Another critical aspect of cloud security comparisons is the encryption of stored data. AWS uses its Simple Storage Service (Amazon S3) while Azure’s Blob provides cloud storage for data encryption. Both solutions support key encryption of data.
- AWS. AWS uses an industry-standard S3 service or block storage for object delivery. At instance start-up, AWS allocates storage capacity. When the instance is terminated the storage area is destroyed. AWS supports a range of relational databases for storing data.
- Azure. Microsoft’s cloud becomes the primary storage for encrypted data. Azure provides additional backup options for data retrieval. These options support archival and site recovery capabilities and the import/export of data. Azure uses file systems, data blocks, and disk drives to temporarily store encrypted data.
Securing data is fundamental to resilience capabilities. Companies looking to protect their digital assets need a CSP whose implementation merges with their existing operations.
Microsoft Azure and AWS cloud platforms manage a worldwide cloud infrastructure of thousands of interconnected data centers. Both providers use virtual private networks (VPNs) to establish a secure connection between two points on the network. All data flowing through the connection is encrypted. Azure uses ExpressRoute and Azure Virtual Network (Azure VNet) with layer 3 routing, while AWS uses two web services.
AWS offers Virtual Private Cloud (VPC) and Direct Connect to enable secure VPN connectivity. AWS uses layer 2 routing while Azure uses layer 3. Layer 2 looks at a MAC address but not an IP address. With a layer 3 implementation, static and dynamic routing capabilities are included.
The shared responsibility for infrastructure security depends on the services in use. As indicated previously, IaaS implementations require cloud users to maintain security for everything beyond the physical components and facilities housing the equipment.
Both Azure and AWS offer multiple tools for monitoring cloud infrastructure. There are broad-based tools such as AWS CloudWatch or Azure Monitor and specific tools for Azure such as
Other third-party tools are available for Azure and AWS implementations.
The network pillar looks at network configuration and activity to limit the risk associated with network intrusion. Monitoring tools encompass device performance and health and application activity that might indicate a potential cybersecurity attack.
Azure security vs AWS security comparisons blur the lines among the network, device, and application pillars. The monitoring functionality helps maintain the health and performance of cloud infrastructure while overseeing application usage. Both Azure and AWS offer monitoring tools to help strengthen a zero-trust architecture.
CloudWatch consolidates monitoring and operational data from logs, metrics, and events. The collected information is available for visualization on automated dashboards. The tool monitors cloud and on-premises environments for better visibility. With CloudWatch Alarms, AWS monitoring services can notify staff of potential threats. Sometimes, the tool may automatically address a threat rather than send it to the IT team.
CloudWatch provides visibility across an entire AWS deployment through a single user interface for faster responses to behavior deviations. The consolidated view makes it easier for organizations to see the volumes of metric and logged data that result in insights into their operations. Cloud users predetermine thresholds that trigger an alert or an automated response when reached.
Amazon CloudWatch is designed to reduce the mean time to resolution for cloud users. Using CloudWatch Alarms and CloudWatch Events, the monitoring capabilities expand to respond to operational changes and events. Setting triggers for different metrics tells CloudWatch when and how to respond to an alert.
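To make the "threshold that triggers an alert or an automated response" concrete, the Go program below replays a constructed per-period metric series through a threshold alarm and reports each state transition. It is an added example of the mechanism, not CloudWatch code or its API: the `Alarm` struct, the M-of-N window rule (at least `DatapointsToAlarm` of the last `EvaluationPeriods` datapoints must breach before the state flips) and the `cpu-high` sample are this example's own simplifications, chosen to show why one-off spikes should not page anyone while a sustained breach should.

```go
package main

import "fmt"

// AlarmState is the two-state model used here; a real alarm also has an
// "insufficient data" state, which this example leaves out.
type AlarmState string

const (
	OK    AlarmState = "OK"
	ALARM AlarmState = "ALARM"
)

// Alarm holds the user-set trigger: the threshold, the comparison direction,
// and an M-of-N rule that damps single-period spikes (example's assumption).
type Alarm struct {
	Name              string
	Threshold         float64
	GreaterThan       bool // true: breach when value > Threshold, else value < Threshold
	EvaluationPeriods int  // N: size of the sliding window of recent datapoints
	DatapointsToAlarm int  // M: breaching datapoints within the window needed to alarm
}

// Transition records a state change and the period index where it happened;
// this is the point at which a notification or automated action fires.
type Transition struct {
	Period int
	From   AlarmState
	To     AlarmState
}

func (a Alarm) breaches(v float64) bool {
	if a.GreaterThan {
		return v > a.Threshold
	}
	return v < a.Threshold
}

// Evaluate replays a per-period metric series (one datapoint per period)
// through the alarm rule and returns every state transition. The action
// callback runs on each entry into ALARM, standing in for the automated
// response the alarm would trigger.
func Evaluate(a Alarm, series []float64, action func(Alarm, int)) []Transition {
	n, m := a.EvaluationPeriods, a.DatapointsToAlarm
	if n < 1 {
		n = 1
	}
	if m < 1 || m > n {
		m = n
	}
	state := OK
	var out []Transition
	for i := range series {
		// Count breaching datapoints in the window ending at period i.
		start := i - n + 1
		if start < 0 {
			start = 0
		}
		breaching := 0
		for _, v := range series[start : i+1] {
			if a.breaches(v) {
				breaching++
			}
		}
		next := OK
		if breaching >= m {
			next = ALARM
		}
		if next != state {
			out = append(out, Transition{Period: i, From: state, To: next})
			if next == ALARM && action != nil {
				action(a, i)
			}
			state = next
		}
	}
	return out
}

func main() {
	// Constructed sample: CPU % per period. The lone spike at index 2 should
	// not alarm; the sustained run from index 5 should; recovery clears it.
	cpu := []float64{20, 25, 95, 30, 28, 91, 93, 97, 88, 35, 30, 27}
	alarm := Alarm{Name: "cpu-high", Threshold: 80, GreaterThan: true,
		EvaluationPeriods: 3, DatapointsToAlarm: 3}
	ts := Evaluate(alarm, cpu, func(a Alarm, p int) {
		fmt.Printf("period %d: %s entered ALARM, running automated response\n", p, a.Name)
	})
	fmt.Println(ts)
}
```

With the 3-of-3 rule the sample series produces two transitions, into ALARM at period 7 and back to OK at period 9; with a 1-of-1 rule the same series would flip state four times, which is the paging noise a sensible window avoids.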
Azure Monitor, like AWS CloudWatch, is a native monitoring tool aggregating availability and performance data for analysis. The tool divides and stores the data as metrics or as logs.
- Azure Monitor Metrics. This feature collects numeric data from multiple sources and places the information in a time-series database, making it easier to transport and manipulate for analysis and reporting.
- Azure Monitor Logs. This feature organizes log and performance data into a single workspace and can operate in near real time.
By using an array of Azure monitoring tools, cloud users can automate responses and actions based on customer-set triggers.
Detecting vulnerabilities is the first step in protecting digital assets, but correcting those weaknesses may require added assistance from automation. For example, AWS Inspector offers automated security assessment tools, although remediation is manual. Depending on other AWS monitoring tools, AWS Inspector may provide the continuous assessment a business requires.
Azure Security Center looks at firewalls, SQL Server databases, virtual machines, and disk storage. The data can be displayed in different formats using Microsoft’s Power BI capabilities to help visualize the information.
GuardDuty operates as a threat detection tool like AWS Inspector; however, GuardDuty incorporates machine learning to detect threats to AWS accounts, applications, and workloads. It can remediate threats and raise awareness in real time.
Azure Sentinel is more than a threat detection tool. It is a Security Information and Event Management (SIEM) and a Security Orchestration and Automated Response (SOAR) system for Microsoft’s public cloud. As a single solution, it collects data from across the enterprise to assist in alert detection, proactive hunting, threat visibility, and threat response. As with many of Azure’s tools, data visualization is incorporated to deliver insights needed for quick decision-making.
Azure Security vs AWS Security: Which Is Better?
Whether you’re considering cloud services or are looking to upgrade an existing implementation, both Azure and AWS offer solutions to address the six pillars of zero-trust cybersecurity frameworks. Both Microsoft and Amazon use a shared responsibility model for cybersecurity enforcement. What makes one solution better depends on how your business plans to use the cloud services.
Security Centers vs Security Hubs
For example, AWS Security Hub provides cloud security management by applying security best practice checks, enabling automated remediation responses, and collecting alerts in a central location. The functionality covers the basics of a centralized security hub.
Microsoft’s Azure Security Center may sound the same, but it is a set of monitoring and management tools for cloud services. Through the security center portal, subscribers can access the tools they need to prevent, detect, and respond to cyber threats.
Depending on the complexity of your operating environment, Azure's Security Center with its access to multiple tools may be worth the added cost for the services. AWS Security Hub may fit your operations and budget better if your infrastructure is simpler.
Unless you have a cloud security expert on your staff, your business will need assistance determining the critical capabilities. For anyone without extensive experience with cloud implementations, understanding how the pieces fit together can be overwhelming.
There are multiple options with different features that may or may not be of use in your deployment. Deciding which tools are best for a hybrid environment may be challenging.
With the increased emphasis on cybersecurity, businesses cannot afford to ignore the need for the six pillars of zero-trust cybersecurity. However, navigating the landscape can paralyze a company. Our Azure specialists can help you find the best solution to your cybersecurity needs. Reach out to us today.