
Choosing the Most Secure Cloud Service for Your Workloads

Beyond cloud security controls, selecting inherently secure cloud service types can significantly reduce risk.

Christopher Tozzi, Technology analyst, Fixate.IO

April 9, 2025


Most conversations about cloud security focus on techniques that can help secure almost any type of cloud service — such as using Identity and Access Management (IAM) policies to restrict access or configuring cloud networks to mitigate risks.

But there's another way to approach cloud security: by choosing the most secure type of cloud services for deploying workloads. While implementing the right types of cloud security controls across services is critical, selecting the most secure cloud services for a given workload is also essential.

What Are the Different Types of Cloud Services?

When I talk about choosing from among varying cloud services, I'm referring to the different categories of cloud services, such as:

  • Managed cloud servers, available through services like Amazon EC2 and Azure Virtual Machines.

  • Serverless functions from services like AWS Lambda and Google Cloud Serverless.

  • Containers, which can be deployed in self-managed fashion or via fully managed services like Fargate or Google Kubernetes Engine (GKE).

I'm not, for the record, talking about higher-order categories of clouds — IaaS, PaaS, and SaaS. Nor am I thinking of public versus private versus hybrid cloud. These are cloud deployment models or architectures rather than specific types of services that you might encounter within a given cloud. There's much to say about the security pros and cons of each of these approaches to configuring a cloud environment or choosing a cloud delivery model, but that's fodder for another day's article.


Comparing the Security Advantages of Cloud Services

Each of the major cloud services has various strengths and weaknesses from a security standpoint.

1. Managed cloud servers

Managed cloud servers offer the security benefit of being relatively simple to configure and operate. Simplicity breeds security because the fewer variables you have to work with, the lower the risk of making a mistake that will lead to a breach.

On the other hand, managed cloud servers are subject to a relatively large attack surface. Threat actors could target multiple components, including the operating systems installed on server instances, individual applications, and network-facing services.

If you configure your cloud servers in a minimalist fashion — meaning you avoid installing anything they don't strictly need to run — they are likely to be quite secure. But those running unnecessary services may be ripe for attack.
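One way to check a server against that minimalist baseline is to compare its network-facing listeners with the short list the workload actually needs. The sketch below is an added example, not part of the original article; the `ss -H -tlnp` output and the allowlist are constructed for a hypothetical web server.

```python
import re

# Constructed sample of `ss -H -tlnp` output (listening TCP sockets, no header).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1040,fd=6))
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=977,fd=5))
LISTEN 0 4096 [::]:111 [::]:* users:(("rpcbind",pid=610,fd=4))
LISTEN 0 5 0.0.0.0:631 0.0.0.0:* users:(("cupsd",pid=702,fd=7))
"""

# Assumed allowlist for a hypothetical web server: (process name, port).
ALLOWED = {("sshd", 22), ("nginx", 443)}

LOOPBACK = re.compile(r"^(127\.|\[::1\])")
PROC = re.compile(r'\(\("([^"]+)"')


def unexpected_listeners(ss_output, allowed):
    """Return sorted (process, address, port) for network-facing sockets not allowlisted."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue  # skip anything that is not a numeric local port
        if LOOPBACK.match(host):
            continue  # bound to loopback only, not reachable from the network
        match = PROC.search(line)
        # Without root, ss omits the process column for other users' sockets.
        process = match.group(1) if match else "unknown"
        if (process, int(port)) not in allowed:
            findings.append((process, host, int(port)))
    return sorted(findings)


if __name__ == "__main__":
    for process, host, port in unexpected_listeners(SAMPLE_SS, ALLOWED):
        print(f"unexpected listener: {process} on {host}:{port}")
```

On a live host, the same function can be fed the captured output of `ss -H -tlnp` in place of the constructed sample.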

2. Serverless functions

Arguably, serverless functions are overall the most secure type of cloud service. This is mainly due to their minimal attack surface. As long as the code inside functions is secure, and as long as admins lock down access to functions with proper IAM policies, there's not much attackers can do to hack serverless.

Admittedly, attackers could target the back-end infrastructure, but that is managed by the cloud provider. Because serverless functions are isolated from the underlying infrastructure, vulnerabilities in the functions themselves typically won't compromise the host environment.

That said, the consequences could be severe if serverless functions are hacked. Not only will attackers be able to access any resources accessible to the functions, but because serverless functions often cost a lot of money to run, they could also run up a high cloud computing bill for their victims.

3. Containers

If you deploy containers using a managed service like AWS Fargate or GKE, you get many of the same security advantages as you enjoy when using serverless functions: The only vulnerabilities and misconfigurations you have to worry about are ones that impact your containers. The cloud provider bears responsibility for securing the host infrastructure.

This isn't true, however, if you deploy containers on infrastructure that you manage yourself — by, for example, creating a Kubernetes cluster using nodes hosted on EC2. In that case, you end up with a broad and complex environment, making it quite challenging to secure.

Note, too, that containers tend to be complex. A single container image could include code drawn from many sources. It may also include any number of configuration settings. All of this creates opportunities for mistakes that lead to container security breaches.

Conclusion: Choosing the Most Secure Cloud Service Type

Above, we compared cloud service types only from the perspective of security. There are many other pros and cons to weigh, of course — such as cost, scalability, and management complexity — for each category of service.

The goal of every organization should be to determine which type of service offers the best value overall. But given that the inherent security advantages and drawbacks of various cloud services aren't always a primary consideration, it's perhaps worth thinking more deeply from that perspective when choosing how to deploy workloads in the cloud.

About the Author

Technology analyst, Fixate.IO

Christopher Tozzi is a technology analyst with subject matter expertise in cloud computing, application development, open source software, virtualization, containers and more. He also lectures at a major university in the Albany, New York, area. His book, "For Fun and Profit: A History of the Free and Open Source Software Revolution," was published by MIT Press.

ITPro Today ended publication on September 30, 2025.
