Google and AWS take measures to protect customers' data from prying eyes, but AWS cloud security goes a few steps further.
Both vendors encrypt data at rest with AES (Google with 128-bit keys, AWS with 256-bit) and both offer some form of identity and access management, but their approaches to each differ sharply.
"As far as public clouds go, Amazon provides a very deep level of security," said Jim O'Neill, CIO at HubSpot, an online marketing firm based in Cambridge, Mass. Even when there have been security issues, such as the recent need for an AWS reboot because of a vulnerability in the Xen hypervisor, Amazon has been communicative and proactive about it, O'Neill said.
As for regulatory compliance, Google has its work cut out for it, according to analysts.
"They're well behind in terms of certifications, and compliance audits that are necessary to meet enterprise market needs," said James Staten, analyst with Forrester Research, based in Cambridge, Mass.
Cloud security beyond encryption
Most of what Google offers for cloud security is accessed through its App Engine platform as a service (PaaS) rather than its Compute Engine infrastructure as a service (IaaS). All data at rest in Google Compute Engine is encrypted, and Google holds the keys; Google officials say keys are securely destroyed when customers leave and that access to keys is tightly restricted.
Google also offers some Python APIs that can be used by apps designed on App Engine for identity and access management as well as for user authentication. However, some of the APIs are at the experimental stage, and role-based access to the underlying Compute Engine isn't available yet.
"The good thing they've done with Compute Engine is that they've allowed you to bring your own encryption, bring your own security agents and tools and so forth," Staten said. Otherwise, developers who want to "check a box" and get security features managed for them have to go through App Engine to get Google's own security features, from encryption to identity and access management for authorized users.
Meanwhile, Amazon Web Services (AWS) offers several discrete secondary cloud security services, including Identity and Access Management (IAM), which also supports identity federation; CloudHSM for user-controlled key management in the cloud; CloudTrail for audit logging; user-controlled encryption on the Simple Storage Service (S3); and AWS-controlled encryption on the Elastic Block Store (EBS). All Elastic Compute Cloud (EC2) instances are also launched into the Amazon Virtual Private Cloud (VPC) networking construct by default.
AWS boasts numerous compliance certifications
Amazon holds the edge with almost every compliance certification under the sun, while Google has work to do.
Google was recently awarded a new ISO 27001 certificate, as well as SOC 2 and SOC 3 Type II audits. These are the most widely recognized independent security compliance reports; Google is also willing, like AWS, to sign business associate agreements with organizations working under the Health Insurance Portability and Accountability Act.
AWS has these qualifications and many more. Its GovCloud region supports compliance with the International Traffic in Arms Regulations (ITAR), one of the strictest U.S. federal government regulatory regimes, and the Department of Defense has certified AWS for use with all but classified data sets, to name a few.
"Amazon's got pretty much all [certifications] covered -- they're at the point where they're guiding some of the consulting teams in other industries about what their compliance rules should look like," Staten said.
Enterprises and ecosystems
AWS also has the upper hand in terms of the ecosystem of software partners that surrounds it in security as well as other areas, Staten said.
"Amazon clearly has just ridiculous amounts of experience here in terms of the breadth of services it's provided, the breadth of workloads it's had to run and support on the platform as well as the time to build out a massive ecosystem of partners and ISVs that makes that market so attractive," Staten said.
There are more than 1,800 products in the AWS Marketplace, compared with approximately 100 Google Cloud Platform partners. Included in the AWS Marketplace are a number of third-party key management software offerings that can serve as an alternative to AWS's native security services.
This gives AWS credibility with enterprises that look to migrate traditional workloads to the cloud, rather than develop new ones using PaaS, according to Staten.
"Google has been slow to truly understand the enterprise, how different they are and how much they expect that smaller businesses and startups don't expect from a support perspective, from a negotiating perspective and so on," he said. "AWS was relatively naïve to this early on as well but has now had two and a half years to work on the problem."
Amazon's work is not done, however.
For example, while Amazon gives users the option of controlling encryption keys for its Simple Storage Service (S3), there are tradeoffs when encryption is done this way, according to Ed Abrams, principal software architect for SynapDx Corp., a biotech research firm based in Lexington, Mass.
If a user opts for client-side encryption in which they control the keys, Abrams said, it means they won't be able to edit the metadata on S3 objects or use ETags to verify the integrity of S3 objects as they're moved around from place to place.
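To make the tradeoff concrete, the following is an added example, not code from the article, from AWS or from the AWS SDK. It models an S3 bucket as an in-memory map whose ETag is the MD5 of the stored bytes (true for single-part uploads), then performs a client-side envelope-encryption PUT: a fresh data key encrypts the body with AES-GCM, the client-held master key wraps that data key, and the wrapped key and nonces ride along as object metadata. The metadata names, the bucket stand-in and the sample record are all assumptions constructed for the example. It shows the two consequences Abrams describes: the ETag now covers ciphertext, so it can no longer confirm the plaintext, and editing the metadata makes the object undecryptable. Integrity has to come from the AEAD tag instead.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Object models what a GET returns from S3: the body, the user metadata and
// the ETag, which for a single-part PUT is the MD5 of the stored bytes.
type Object struct {
	Body     []byte
	Metadata map[string]string
	ETag     string
}

// Bucket is a constructed in-memory stand-in for an S3 bucket (assumption:
// this is not the AWS SDK and talks to no real service).
type Bucket map[string]*Object

func md5hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// Put stores bytes the way S3 does for a non-multipart upload: the ETag is
// the MD5 of whatever bytes were uploaded, whether or not they are encrypted.
func (b Bucket) Put(key string, body []byte, meta map[string]string) {
	b[key] = &Object{Body: body, Metadata: meta, ETag: md5hex(body)}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	return buf
}

// Metadata names used to carry the envelope; assumptions for this example,
// not the names the AWS SDK client-side encryption uses.
var envelopeFields = []string{"x-amz-meta-wrapped-key", "x-amz-meta-wrap-nonce", "x-amz-meta-nonce"}

// PutEncrypted is a client-side envelope-encryption PUT: a fresh 256-bit data
// key encrypts the body with AES-GCM (object key bound as AAD) and the
// client-held master key wraps that data key. The wrapped key and both nonces
// are stored as object metadata, which is why that metadata must not be edited.
func PutEncrypted(b Bucket, key string, masterKey, plaintext []byte) error {
	dataKey := randomBytes(32)
	dataAEAD, err := newGCM(dataKey)
	if err != nil {
		return err
	}
	masterAEAD, err := newGCM(masterKey)
	if err != nil {
		return err
	}
	nonce, wrapNonce := randomBytes(dataAEAD.NonceSize()), randomBytes(masterAEAD.NonceSize())
	ciphertext := dataAEAD.Seal(nil, nonce, plaintext, []byte(key))
	wrapped := masterAEAD.Seal(nil, wrapNonce, dataKey, nil)
	b.Put(key, ciphertext, map[string]string{
		envelopeFields[0]: hex.EncodeToString(wrapped),
		envelopeFields[1]: hex.EncodeToString(wrapNonce),
		envelopeFields[2]: hex.EncodeToString(nonce),
	})
	return nil
}

// GetDecrypted unwraps the data key and authenticates and decrypts the body.
// Any change to the body or the envelope metadata fails here: this AEAD check,
// not the ETag, is what proves integrity under client-side encryption.
func GetDecrypted(b Bucket, key string, masterKey []byte) ([]byte, error) {
	obj, ok := b[key]
	if !ok {
		return nil, fmt.Errorf("no such object %q", key)
	}
	var parts [3][]byte
	for i, name := range envelopeFields {
		v, ok := obj.Metadata[name]
		if !ok {
			return nil, fmt.Errorf("metadata %q missing: object cannot be decrypted", name)
		}
		var err error
		if parts[i], err = hex.DecodeString(v); err != nil {
			return nil, err
		}
	}
	masterAEAD, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	dataKey, err := masterAEAD.Open(nil, parts[1], parts[0], nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping data key: %w", err)
	}
	dataAEAD, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return dataAEAD.Open(nil, parts[2], obj.Body, []byte(key))
}

// ETagMatchesPlaintext is the integrity check that client-side encryption
// breaks: compare the ETag with the MD5 of the plaintext the client holds.
func ETagMatchesPlaintext(b Bucket, key string, plaintext []byte) bool {
	obj, ok := b[key]
	return ok && obj.ETag == md5hex(plaintext)
}

func main() {
	bkt, master, key := Bucket{}, randomBytes(32), "records/42.json"
	plaintext := []byte("constructed sample: patient record 42") // constructed input
	if err := PutEncrypted(bkt, key, master, plaintext); err != nil {
		panic(err)
	}
	fmt.Println("ETag verifies plaintext:", ETagMatchesPlaintext(bkt, key, plaintext))
	delete(bkt[key].Metadata, envelopeFields[2]) // "editing" the metadata
	_, err := GetDecrypted(bkt, key, master)
	fmt.Println("after metadata edit:", err)
}
```

The practical upshot is that an application using client-side S3 encryption needs its own plaintext-level checksum if it wants an ETag-style comparison (for example, storing an HMAC of the plaintext alongside the object), and its tooling must treat the envelope metadata as part of the ciphertext rather than as freely editable tags.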
Abrams also praised AWS's CloudTrail, but said he's still waiting for that service to support the company's DynamoDB NoSQL database service. "So it's a fledgling great idea," Abrams said. "I imagine it's improving, but today it seems like a very early step in the right direction."