As more of the services we rely on come to depend on cloud infrastructure, and as the sophistication and frequency of malicious attacks increase, security is a primary concern for organizations looking to move applications and data off premises.
Microsoft Azure is a relative newcomer to the marketplace, but has expanded its services fast to compare favorably with its nearest rivals. But can Azure provide the same level of security as industry mainstay Amazon EC2? In this article, I’ll try to answer that question by comparing Azure and Amazon in four key security areas: Antivirus, security configurations, identity management, and machine learning.
Microsoft Azure VMs can be provisioned with Microsoft’s free Antimalware agent, which provides real-time protection and on-demand and scheduled scans, and is supported on Windows Server 2008 R2 and later operating systems. The agent is based on the same technology that powers Windows Defender, Microsoft Forefront Endpoint Protection, and Windows Intune, and its malware events can be collected free of charge via Azure Diagnostics.
Microsoft Antimalware writes events, including engine updates and health state, to the Windows Server event log. This information can then be transferred to an Azure storage account and, from there, sent to HDInsight or to the log management system of your choice.
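As an added example (not code from the article or from Microsoft), the following health check reads the events the Antimalware agent writes to the Windows event log and reports recent detections and signature staleness, the same events you would forward through Azure Diagnostics. It assumes the agent logs to the System log under the provider name 'Microsoft Antimalware' and uses the Defender-family event IDs 1116 (malware detected), 1117 (action taken), 2000 (signatures updated) and 2001 (signature update failed).

```powershell
# Added example: health check over Microsoft Antimalware events in the Windows event log.
# Assumptions: System log, provider 'Microsoft Antimalware', Defender-family event IDs
# 1116/1117 (detection, action taken), 2000/2001 (signature update succeeded/failed).
function Get-AntimalwareHealth {
    param([int]$LookbackHours = 24, [int]$MaxSignatureAgeDays = 3)

    $since = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft Antimalware'
        StartTime    = $since
    } -ErrorAction SilentlyContinue

    $detections    = @($events | Where-Object Id -in 1116, 1117)
    $failedUpdates = @($events | Where-Object Id -eq 2001)

    # Signature age is judged from the newest successful update, searched without the
    # lookback window so a quiet host is not mistaken for a stale one.
    $lastUpdate = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft Antimalware'; Id = 2000
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Detections        = $detections.Count
        FailedSigUpdates  = $failedUpdates.Count
        LastSignatureTime = if ($lastUpdate) { $lastUpdate.TimeCreated } else { $null }
        SignaturesStale   = (-not $lastUpdate) -or
                            ($lastUpdate.TimeCreated -lt (Get-Date).AddDays(-$MaxSignatureAgeDays))
        # Each detection line is what you would ship to your log store via Azure Diagnostics.
        DetectionDetails  = $detections | Select-Object TimeCreated, Id, Message
    }
}

Get-AntimalwareHealth | Format-List
```

Run it under an account that can read the System log; a non-zero FailedSigUpdates or SignaturesStale = True is the condition worth alerting on.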
Microsoft has also partnered with Trend Micro and Symantec to provide trials of their AV products, with agents that can be provisioned automatically in VMs but must be converted to the full product afterwards. These third-party options are nevertheless useful for organizations that have already invested in solutions from either company, or that don’t want to rely on Microsoft’s malware engine.
While some AV vendors provide bundles specifically for VMs in the Amazon cloud, such as BitDefender’s Security-as-a-Service for AWS, there’s no integrated solution comparable to Azure’s. Amazon leaves provisioning AV entirely to the customer, and while it may not be as simple as in Azure, there’s no reason comprehensive AV protection can’t be put in place.
Azure’s web management portal exposes endpoint security ACLs, which are applied to VMs individually. Network Security Groups (NSGs) can be configured using PowerShell and are used to apply inbound and outbound rules to VMs and subnets. It’s possible to associate one NSG with a VM and a different NSG with the subnet in which the VM resides.
Amazon has a similar system: security groups define network security for groups of VMs, and network ACLs control the traffic allowed to reach VPC subnets. For more information on configuring Amazon EC2 security groups, see “Enable IP between VPC Instances in Amazon Web Services” on the Petri IT Knowledgebase.
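As an added example covering both the Azure NSG and the Amazon security-group paragraphs above (example code, not from the article, Microsoft or Amazon), here is the same least-privilege inbound policy for a web VM expressed for each cloud: HTTPS from anywhere, RDP only from a corporate range, and a second, stricter NSG on one VM’s NIC. It assumes the current Az and AWS.Tools PowerShell modules (Resource Manager cmdlets rather than the classic portal the article describes) are installed and signed in; the resource group, VNet, subnet, NIC, VPC id and corporate address range are placeholders.

```powershell
# Added example (not from the article): the same least-privilege inbound policy for a web
# VM in both clouds. Assumes the Az and AWS.Tools modules are installed and signed in;
# resource group, VNet, subnet, NIC, VPC id and the corporate range are placeholders.
$rg = 'rg-web-example'; $loc = 'westeurope'
$corp = '203.0.113.0/24'   # documentation range standing in for the corporate network

# --- Azure: subnet-level NSG. Rules are evaluated by ascending priority and the built-in
# DenyAllInbound rule catches everything not listed, so only HTTPS and corporate RDP get in.
$allowHttps = New-AzNetworkSecurityRuleConfig -Name 'allow-https' -Direction Inbound -Access Allow `
    -Priority 100 -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443
$allowRdp = New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-corp' -Direction Inbound -Access Allow `
    -Priority 110 -Protocol Tcp -SourceAddressPrefix $corp -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389
$subnetNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc `
    -Name 'nsg-web-subnet' -SecurityRules $allowHttps, $allowRdp
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-example'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-web' `
    -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $subnetNsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# A second NSG on one VM's NIC. Inbound traffic must pass both the subnet NSG and the NIC
# NSG, so this explicit Deny blocks RDP to web01 even though the subnet rule allows it.
$denyRdp = New-AzNetworkSecurityRuleConfig -Name 'deny-rdp' -Direction Inbound -Access Deny `
    -Priority 100 -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389
$vmNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc `
    -Name 'nsg-web01-nic' -SecurityRules $denyRdp
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'web01-nic'
$nic.NetworkSecurityGroup = $vmNsg
$nic | Set-AzNetworkInterface | Out-Null

# --- AWS: a security group is stateful and allow-only (no deny rules), so the same policy
# is just two ingress permissions; anything not granted is dropped.
$vpcId = 'vpc-0123456789abcdef0'   # placeholder
$sgId = New-EC2SecurityGroup -VpcId $vpcId -GroupName 'web-sg' -Description 'HTTPS any, RDP corp'
Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission @(
    @{ IpProtocol = 'tcp'; FromPort = 443;  ToPort = 443;  IpRanges = @('0.0.0.0/0') },
    @{ IpProtocol = 'tcp'; FromPort = 3389; ToPort = 3389; IpRanges = @($corp) })

# A network ACL on the subnet is the stateless, ordered layer (explicit deny is possible here).
# Return traffic on ephemeral ports needs matching outbound entries, omitted for brevity.
$acl = New-EC2NetworkAcl -VpcId $vpcId
New-EC2NetworkAclEntry -NetworkAclId $acl.NetworkAclId -RuleNumber 100 -Protocol 6 -RuleAction allow `
    -Egress $false -CidrBlock '0.0.0.0/0' -PortRange_From 443 -PortRange_To 443 | Out-Null
New-EC2NetworkAclEntry -NetworkAclId $acl.NetworkAclId -RuleNumber 110 -Protocol 6 -RuleAction allow `
    -Egress $false -CidrBlock $corp -PortRange_From 3389 -PortRange_To 3389 | Out-Null
```

The structural difference worth remembering is that Azure evaluates two NSG layers that must both allow the traffic, while in AWS the security group is stateful and allow-only and the network ACL is where an ordered, explicit deny lives.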
Azure’s identity management platform, Azure Active Directory (AAD), is a directory service for authenticating users against cloud applications. One of its key features is the ability to synchronize with existing on-premises Active Directory deployments, which are already widespread in the enterprise, allowing organizations to greatly simplify their identity management efforts and improve security at the same time.
AAD comes in three editions: Free, Basic, and Premium. The Free edition provides synchronization with on-premises AD and single sign-on for popular cloud applications, including Office 365, Google Apps, Salesforce, and Dropbox. The Basic edition adds group management, self-service password reset, company branding options and an enterprise-level SLA. Premium includes multi-factor authentication and an application proxy for providing secure access to on-premises applications.
AWS Directory Service has two directory types: a proxy (the AD Connector directory type) that connects to existing on-premises Microsoft Active Directory deployments, and a Samba-based directory (the Simple AD directory type) for those that don’t already have an investment in AD. Simple AD has many of Active Directory’s features, such as Windows domain join and Group Policy support. Amazon is selling AWS Directory Service as an alternative to AAD that’s easier to set up and manage, and it might be sufficient for basic authentication duties for Amazon cloud applications.
Machine learning analyzes huge quantities of collected data to provide insights and predict behaviors. While many of today’s attacks require reactive manual responses to fend them off, machine learning could allow system configuration changes to be automated or even made in advance of an attack happening or mutating.
Machine learning could play a key role in improving security in the not too distant future, and in Microsoft’s cloud that means Azure ML. While most intrusion detection and antimalware solutions today rely on a combination of signature-based, behavioral and heuristic threat detection, machine learning promises better defenses against sophisticated attacks going forward.
The AWS Marketplace includes some self-contained third-party machine learning solutions, as well as security solutions such as FireEye’s Threat Analytics Platform, which provides real-time, dynamic protection without the signatures used by traditional antimalware and intrusion protection systems.
Microsoft Azure offers more flexible identity management options with its mature cloud-based and on-premises Active Directory services. And while Amazon can plug in to on-premises AD, it’s likely that, unless your needs are basic, Active Directory proves a better option than Amazon’s Simple AD directory type. Security ACL management is on a par in both clouds, and machine learning is a technology that might come into its own in the future.
But identity management aside, Amazon Web Services and Microsoft Azure are more or less equals in security, so other considerations are likely to drive your decision about which cloud best suits your organization’s needs.