Evaluating Benefits of Public Cloud Providers

White Paper

October 8, 2018

Introduction

The tech industry is big on buzzwords. Terms like “the Internet of Things,” “Big Data,” and “Machine Learning” are just a few often found in tech blogs, but none seem as prevalent as the most nebulous culprit: “the cloud.” Although the term can seem both vague and impressive, the cloud is something anyone with internet access has encountered—it simply refers to software and services that run online rather than locally. Most cloud-based services can be accessed through a web browser; common examples are iCloud, Google Drive, Netflix, and Dropbox. Two advantages of cloud-based services are: information is accessible via any device with an internet connection, and managing local storage space is no longer a concern for the user.

Figure 1: The cloud, as it relates to your devices.

However, hosting data in the cloud can be a source of unease for many large enterprises (and some smaller ones) that have an established technical routine. IT professionals are often concerned with data security, residency, network accessibility issues, and unforeseen expenses. Although this apprehension is understandable, advances in cloud technologies by leading providers, such as Amazon, Microsoft, and Google, have all but eliminated the need for concern. This whitepaper provides an overview of three main consideration areas in cloud technology—security, availability, and expense—and highlights how today’s leading cloud technology providers address them.

Security

Perhaps the most common fear corporations have about the cloud is that of insufficient security. After all, choosing to entrust a third party with private data is effectively entrusting them with the success of the company. Executives often believe that data could be better secured on a physical server located on the premises of the company. However, this logic is short-sighted—while it is possible that a company could secure data better than some leading cloud providers, doing so would likely require additional expenses, including hardware, supply chain, and personnel, and it would overcomplicate daily operations.

While public cloud providers do not take full responsibility for the security of user data, most offer some form of shared responsibility model, which helps to ensure the safety of anything hosted in the cloud. For example, Amazon takes ownership of securing physical and environmental controls, but shares patch and configuration management responsibility with the customer.

Figure 2: Amazon’s shared responsibility model.

Because leading providers have advanced infrastructure and share other responsibilities with the consumer, enterprise data is almost always more secure in the cloud. Providers such as Amazon, Microsoft, and Google have the physical and capital resources to guard security much more closely than non-technical (or even technical, but non-cloud) corporations.

Although security is a common concern among companies considering cloud, security breaches and data leaks actually happen more frequently in traditional data centers. One example is the security breach at Anthem’s physical servers in 2015, which resulted in the theft of sensitive data from over 80 million customers, in addition to more than 100 million dollars in damages.

Of course, this is not to say that data breaches do not happen in the cloud. Apple’s iCloud was hacked in 2014, resulting in a large number of leaked personal photos from customer accounts. However, this breach was in large part attributed to the fact that Apple had delayed fixing an urgent security bug for several months. The bug allowed attackers unlimited login attempts against accounts, resulting in successful brute-force and dictionary attacks.

It is important to note that Apple is not considered a key player in the cloud industry by many technology experts. While Apple offers cloud hosting services, it is not a strong provider of Infrastructure as a Service (IaaS) technology, which is a key service organizations must leverage when moving their assets from on-premises to hosted technology environments. Unlike most IaaS providers, Apple does not offer advanced infrastructure security to its customers. Levvel and many industry analyst firms see Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) as leaders in the IaaS space, as each of these companies offers both free and paid security measures as part of its platform, as well as a shared responsibility model. (Infrastructure security does not protect against application-level attacks—the 2017 Equifax breach is a prime example of this.)

When organizations decide to move their assets to the cloud, it is important that they consider service providers with the right security measures in place. The following section explores the noteworthy security attributes of today’s leading cloud/IaaS technology companies.

Amazon Web Services

Amazon Web Services’ infrastructure offers several security capabilities and services to increase privacy and control network access. These include:

  • Network firewalls built into Amazon virtual private cloud (VPC)
  • Network control capabilities in AWS Web Application Firewall (WAF), which allows users to create private networks and control access to machine instances and applications
  • Encryption in transit with transport layer security (TLS) across all services
  • Connectivity options that enable private or dedicated connections from offices or on-premises environments

Figure 3: Amazon’s network security, as shown through the virtual private cloud.

Beyond infrastructure, AWS offers the ability to add an additional layer of security to data at rest and in transit in the cloud. This includes:

  • Data encryption capabilities available in AWS storage and database services, such as EBS, S3, Glacier, Oracle RDS, SQL Server RDS, and Redshift
  • Flexible key management options, including AWS Key Management Service, which allows users to choose whether to have AWS manage the encryption keys or retain their own control over the keys
  • Encrypted message queues for the transmission of sensitive data using server-side encryption (SSE) for Amazon Simple Queue Service (SQS)
  • Dedicated, hardware-based cryptographic key storage using AWS CloudHSM, to help satisfy compliance requirements
  • Provided APIs to integrate encryption and data protection with any of the services developed or deployed in an AWS environment

Moreover, AWS offers several tools that ensure resources comply with organizational standards and best practices. These include:

  • Amazon Inspector, a security assessment service that automatically assesses applications for vulnerabilities or deviations from best practices, including the impacted networks, OS, and attached storage
  • Identity and Access Management (IAM), which uses least-privilege security modeling
  • Deployment tools to manage the creation and decommissioning of AWS resources according to the organization’s standards
  • Inventory and configuration management tools, including AWS Config, that identify AWS resources and track and manage changes to the hosted application or resource over time
  • Deep visibility into API calls through AWS CloudTrail, including who made each call, what was called, and from where
  • Alert notifications through Amazon CloudWatch when specific events occur or thresholds are exceeded
  • AWS Organizations, which allows for consolidated management and billing of multiple AWS accounts, facilitating alignment with different lines of business or stages of the software development lifecycle (SDLC)
  • The ability to enable or disable AWS managed services entirely via Service Control Policies (SCPs) within AWS Organizations

Figure 4: An overview of Amazon services that integrate with CloudWatch.

Microsoft Azure

Microsoft Azure public cloud services support a broad selection of operating systems, programming languages, frameworks, tools, and databases that developers already trust. Because Microsoft recognizes that building on or migrating to a public cloud provider entrusts the provider with the security of these assets, Azure is designed to safely host millions of customers at once. A variety of configurable security options provide the ability to control and customize services to fit an organization’s requirements.

The security of the physical infrastructure of Azure servers is guaranteed in the following ways:

  • Platforms developed with the security development lifecycle, including internal audits, threat modeling, and surface analysis
  • Mandatory security training and background checks for all Microsoft employees working with Azure
  • Penetration testing, intrusion detection, distributed denial of service (DDoS) protection, audits, and logging for all Azure instances
  • State-of-the-art data centers, physical security measures, and a secure network established with route control, forced tunneling, and virtual network security appliances

Azure also offers the following services and features for customers to further secure their data and applications:

  • Azure Resource Manager enables clients to work with grouped resources within a solution. Template-based deployments help improve the security of solutions in Azure by integrating standard security control settings. This reduces the risk of security configuration errors that may take place during manual deployments.
  • Application Insights monitors live web applications and can automatically detect performance anomalies. Should there be crashes, failures, or performance issues, this service alerts teams instantly.
  • Azure Monitor offers visualization, query, routing, alerting, autoscale, and automation. This alerts developers regarding security-related events generated in Azure logs.
  • Log Analytics enables developers to quickly search through large quantities of security-related entries with a flexible query approach.
  • Azure Advisor is a personalized cloud consultant that allows customers to optimize deployments. It analyzes resource configuration and then provides recommended solutions to improve the performance, security, and high availability of any hosted application.
  • Azure Security Center helps prevent, detect, and respond to threats with increased visibility and control of Azure resources. It provides a single dashboard with alerts and recommendations that can be acted upon immediately.
  • Role-Based Access Control (RBAC) secures storage accounts by restricting access based on least privilege security principles. Built-in roles can assign privileges to users.
  • Encryption (in transit and at rest) is provided for data transfers and storage.
  • Azure Virtual Network is a logical isolation of the Azure network dedicated to your subscription. These VNets support various secure remote access scenarios.
  • Network Security Groups are stateful packet filtering firewalls that enable you to control access on a 5-tuple (five different values that comprise a Transmission Control Protocol/Internet Protocol connection). They can be used to control traffic moving among subnets within the Azure Virtual Network and the internet.
  • Traffic Manager allows clients to control the distribution of user traffic for service endpoints in different data centers.

Figure 5: Capabilities provided by Azure Log Analytics.

Google Cloud Platform

Google Cloud Platform builds security through progressive infrastructure layers, as outlined below:

  • Operational and device security are ensured by a team that responds to threats to infrastructure at all times.
  • Internet communication is encrypted in transit.
  • Identities, users, and services are authenticated with multiple factors. Access to sensitive data is protected by advanced tools like phishing-resistant security keys.
  • Storage services include encryption at rest to guard against unauthorized access and service interruptions.
  • Google does not assume trust between services; the multi-tenant infrastructure therefore uses multiple mechanisms to establish and maintain trust.
  • Hardware infrastructure is Google-controlled, secured, built, and hardened; this includes everything from the physical premises to the purpose-built servers, networking equipment, and custom security chips to the low-level software stack running on every machine.

Google offers additional network security through products that define and enforce the perimeter, provide network segmentation and remote access, and defend against DDoS attacks, in the following ways:

  • Google’s virtual private cloud allows flexibility in scaling and controlling how workloads connect regionally and globally. These VPCs allow private access to Google services such as storage, big data, analytics, and machine learning, without having to give a public IP address to a service.
  • Cloud load balancing allows for highly available, geographically distributed caches across zones. It includes an SSL offload that enables centrally managed SSL certificates and encryption to ensure the highest level of security.
  • Encryption in transit ensures the authenticity, integrity, and privacy of data in transit. Google Cloud customers with additional requirements for encryption of data over WAN can choose to implement further protections for data as it moves from a user to an application, or from virtual machine to virtual machine. These protections include IPsec tunnels, Gmail S/MIME, managed SSL certificates, and Istio.
  • Google’s Application Layer Transport Security (ALTS) is a mutual authentication and transport encryption system that is used for remote procedure call (RPC) communications within Google’s infrastructure. Identities are bound to entities instead of to a specific server name or host. This trust model facilitates seamless microservice replication, load balancing, and rescheduling across hosts.

Figure 6: An overview of GCP security measures.

Availability

When enterprises consider moving all of their infrastructure or data into the cloud, the second priority after security is typically availability. If the success of the company depended on an online shop, for example, each hour of downtime could cause significant damage to profitability. As many past incidents have shown (e.g., outages at Dropbox and GitHub), failures may take several days to resolve.

Cloud service providers know availability is a key factor for clients looking to migrate their infrastructure. Many guarantee over 99.0% availability as part of their service level agreements (SLAs). The following section explores the ways in which today’s leading cloud service providers ensure availability to their customers.

Amazon Web Services

Amazon (like many companies) offers a Compute SLA for all of its capabilities to guarantee uptime percentages and establish minimum expectations for users. To take one example, the S3 (storage) product SLA guarantees service credits for monthly uptime percentages below 99.9%. In the SLA’s formula, the error rate for a five-minute period is defined as the number of internal server errors returned by S3 in that period divided by the number of requests for the applicable request type during the same period. The average of the error rates from every five-minute period in a monthly billing cycle is then subtracted from 100% (no errors) to give the monthly uptime percentage.
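The S3 SLA arithmetic just described, worked through in Python as an added example (not code from the white paper or from AWS). It assumes request logs have already been summarised per five-minute period as (requests, internal server errors) pairs; the sample intervals and the 8,640-period month (30 days of five-minute periods) are constructed here to show how a short outage is diluted when averaged over a full billing cycle.

```python
"""Worked example of the Amazon S3 SLA uptime arithmetic described above.

Assumption (not from the white paper): request logs have already been
summarised per five-minute period, for one applicable request type, as
(total_requests, internal_server_errors) pairs.
"""
from fractions import Fraction
from typing import Iterable, List, Tuple

Interval = Tuple[int, int]  # (requests, internal server errors) for one five-minute period

# Constructed sample: six consecutive five-minute periods (30 minutes of a month).
# Five are clean; one has a partial outage where a quarter of requests failed.
SAMPLE_INTERVALS: List[Interval] = [
    (10_000, 0),
    (12_000, 0),
    (8_000, 2_000),  # partial outage: 25% error rate for five minutes
    (11_000, 0),
    (9_000, 0),
    (10_000, 0),
]

# Threshold quoted in the text: service credits apply below 99.9% monthly uptime.
S3_UPTIME_THRESHOLD = Fraction(999, 1000)

# A 30-day billing month contains 30 * 24 * 12 = 8,640 five-minute periods.
PERIODS_PER_MONTH = 30 * 24 * 12


def error_rate(interval: Interval) -> Fraction:
    """Internal server errors divided by requests for one five-minute period.

    A period with no requests contributes 0% (nothing was asked for, nothing failed).
    """
    requests, errors = interval
    if requests < 0 or errors < 0 or errors > requests:
        raise ValueError(f"inconsistent counts: {interval}")
    if requests == 0:
        return Fraction(0)
    return Fraction(errors, requests)


def monthly_uptime(intervals: Iterable[Interval]) -> Fraction:
    """100% minus the average of the per-period error rates, as a fraction of 1.

    Exact rational arithmetic keeps the comparison against 99.9% free of
    floating-point noise, which matters when a month lands right at the line.
    """
    rates = [error_rate(i) for i in intervals]
    if not rates:
        return Fraction(1)  # no measured periods: nothing failed
    return Fraction(1) - sum(rates, Fraction(0)) / len(rates)


def qualifies_for_credit(intervals: Iterable[Interval]) -> bool:
    """True when monthly uptime falls under the 99.9% threshold quoted in the text."""
    return monthly_uptime(intervals) < S3_UPTIME_THRESHOLD


def pad_to_month(intervals: List[Interval], periods: int = PERIODS_PER_MONTH) -> List[Interval]:
    """Embed a short sample in an otherwise error-free month of `periods` intervals.

    This shows the dilution effect: the SLA averages error rates over every
    five-minute period, so one bad period barely moves the monthly figure.
    """
    if len(intervals) > periods:
        raise ValueError("sample longer than the billing month")
    return intervals + [(10_000, 0)] * (periods - len(intervals))


if __name__ == "__main__":
    for label, data in (("30-minute sample", SAMPLE_INTERVALS),
                        ("same outage in a full month", pad_to_month(SAMPLE_INTERVALS))):
        up = monthly_uptime(data)
        print(f"{label}: uptime {float(up) * 100:.4f}%, credit: {qualifies_for_credit(data)}")
```

Run stand-alone, the six-period sample comes out at 95.83% (credit applies), while the same five-minute outage averaged over a full month yields 99.997% (no credit), which is why SLA figures alone say little about the impact of a single short incident.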

Aside from the SLA, Amazon’s global infrastructure spans 18 geographic regions that together comprise 55 availability zones (AZs) around the world. This allows AWS to provide high availability when hosting applications or storing data. Additionally, cross-region replication is available in database solutions and S3 offers redundant storage across a minimum of three availability zones.

Figure 7: The benefits of the AZ structure provided by Amazon.

Microsoft Azure

Similar to AWS, Azure also offers Compute SLAs (as well as SLAs for containers, databases, Internet of Things, etc.) to guarantee certain uptime percentages. Monthly uptime percentage is calculated as (maximum available minutes - downtime) / (maximum available minutes * 1000), where maximum available minutes is defined as the total accumulated minutes during a billing month in which two or more instances are deployed across two or more availability zones in the same region. Downtime is the total number of accumulated minutes, out of the maximum available minutes, during which there is no virtual machine connectivity in the region.

Azure operates in multiple data centers around the world. These data centers are grouped into geographic regions that give customers flexibility to choose where to build applications. Azure also provides availability sets, or logical groupings of VMs within a data center, that allow for application redundancy and availability. When availability sets fail, Azure provides fault domains (logical groups of underlying hardware that share common power sources and network switches) to limit the impact of potential physical hardware failures, network outages, or power interruptions.

Figure 8: An overview of the Azure Compute SLA.

Google Cloud Platform

Google’s Compute SLA defines “covered service” as instances and load balancing hosted as part of the Google Compute Engine Service. “Downtime” is defined separately for instances and load balancing, but in short, it refers to loss of external connectivity (except as a result of a VPN service failing to serve traffic). A “downtime period” is a period of one or more consecutive downtime minutes; partial minutes are not counted. Similar to Amazon and Microsoft, financial credits are available for users who experience downtime and report this to Google technical support within thirty days of the incident.

Google offers regions and zones to run resources in a way that effectively handles failures and decreases network latency. A region is a specific geographical location where resources are run; regions comprise one or more zones. When resources are distributed across multiple zones and regions, outages are more easily tolerated, thus offering high availability at all times.

Expenses

Regardless of the industry, executives are not keen on paying more than they have to. When the cloud was reaching widespread adoption, this was much more of an issue. Companies overestimated their needs, and cloud providers required upfront purchases of storage space for fixed periods of time rather than offering a “pay as you go” model. The latter has now become the standard for cloud providers, which has made the cloud arguably the most cost-efficient method of application hosting and data storage. Enterprises are now able to shift capital expenditure to operating expenditure, leverage economies of scale, and avoid wasting money on over-provisioned resources.

The following section explores the various pricing models of today’s leading cloud service providers, and how these providers help customers better manage their cloud expenses.

Figure 9: Cost benefits of the cloud.

Amazon Web Services

Amazon offers a “pay as you go” pricing approach for over 100 cloud services. For businesses that are able to accurately estimate necessary computing power, further savings are available with reserved instances. EC2 (Amazon VMs) and RDS (relational database) reserved instances allow users to save up to 75% over equivalent on-demand capacity. These reserved instances also offer greater discounts for upfront payments. Should a business need heavy computing power for only a short period of time, the Amazon EC2 Spot market also offers steep discounts. Compared to on-demand pricing, bidding on available instances can reduce operating costs by up to 90%.

AWS CloudWatch, Trusted Advisor, and Cost Explorer also allow for advanced monitoring and cost analysis of services. CloudWatch tracks metrics, monitors log files, and sets alarms that can automatically react to changes in resources (including when certain billing thresholds are passed). Trusted Advisor assists in provisioning resources that follow best practices and thereby improve performance, increase security, and cut excessive costs. Cost Explorer, as the name suggests, gives in-depth reports analyzing cost and usage throughout the AWS platform.

Figure 10: An overview of AWS Trusted Advisor.

Microsoft Azure

Like AWS, Azure offers flexible purchase and pricing options for all cloud scenarios. With reserved VM instances, customers can save up to 72% over “pay as you go” pricing with an up-front one- or three-year commitment. Additionally, Azure Hybrid Benefit allows customers to apply existing on-premises Windows Server / SQL Server licenses to save money when migrating a few workloads or entire data centers to the cloud.

All cloud resources can also be monitored with Azure Cost Management, which is available for free to customers. Cost management offers all of the following:

  • Reporting on cost and usage
  • Data enrichment that categorizes resource tags
  • Budgets for both cost and usage, which users can create and manage
  • Alerting capabilities on cost and usage budgets
  • Recommendations that help users to eliminate idle cloud resources and correctly size cloud resources

Customers can also monitor and visualize cloud usage and costs through Azure APIs that allow for full visibility into resource consumption and costs across cloud platforms in a single, unified view. All cost management capabilities are designed to optimize cloud efficiency.

Google Cloud Platform

Google offers customer-friendly pricing: no upfront costs, “pay as you go” options, and no termination fees. Additionally, Google provides several benefits that are not offered by other providers such as Azure and AWS:

  • Sustained use discounts save 30% off workloads that run for a significant portion of the billing month on Compute Engine and Cloud SQL
  • Picking a custom configuration of CPU and memory allows users to save up to 50% compared to fixed machine types from other clouds
  • GCP makes compute sizing recommendations based on usage
  • GCP offers up to 80% off for workloads that can be interrupted, such as data mining and processing
  • A quick estimate from GCP can calculate cloud savings
  • Educational grants and startup programs by Google provide free credits for qualified parties
  • Budgets and alerts are simple to create in GCP to support project planning and control costs

Figure 11: An example of savings possible with Google’s custom sizing.

Conclusion

In today’s world of mobile, social, cloud, and big data analytics, speed and security are critical, and private clouds and local servers are no longer able to support these needs. Although storing data in a “public” place seems to imply compromising the integrity of company assets, this is simply not the case. Leading cloud providers such as Amazon, Microsoft, and Google have advanced infrastructure to guarantee privacy and control network access. Enterprises also fear lack of availability in the cloud, as internet connectivity is necessary to access anything stored or hosted. However, since SLAs are in place to guarantee over 99% availability for all leading providers, it is in the best interest of the provider to keep clients’ information accessible at all times.

Lastly, while these features may sound expensive, the public cloud still offers considerable savings compared to local hosting. With security, availability, and savings that are difficult to compete with, organizations would be wise to invest in the public cloud and take full advantage of the countless benefits it offers.

About Levvel

Levvel’s Cloud Practice combines decades of traditional architecture, development, security, and infrastructure experience with a complete mastery of available and emerging cloud offerings. Our client-centric approach focuses first on understanding your business needs and goals, then selecting the right cloud technology to make you efficient, agile, and scalable. We tailor custom solutions to fit within your business processes, simultaneously reducing TCO and downtime while increasing productivity, security, ROI, and speed to market. For more information, contact hello@levvel.io.

Authored By

Samantha Rafalowski

Cloud Consultant
