Public cloud providers are serious about their security. Frankly, they have no choice. While initially there were countless concerns about the security of data in multi-tenant architectures and on infrastructures not directly under the enterprise's thumb, cloud providers have worked hard to assure users that their infrastructures-for-rent are just as secure as on-prem data centers, perhaps even more so. In fact, as more and more highly-regulated sectors such as healthcare, finance and defense deepen and broaden their public cloud profiles, it's clear the "Big Two" providers (AWS and Azure) have been convincing.
With this in mind, it's easy to overlook the fact that AWS and Azure are cloud vendors, not security vendors. This is largely why they've tried to make it obvious that their security and compliance goes only so far, and that responsibility for the rest of it falls on customers via the Shared Responsibility Model. For anyone unfamiliar with this model, it basically means AWS and Azure protect their assets (everything below the hypervisor), and the customer protects theirs (everything above the hypervisor).
But it hasn't stopped AWS and Azure from pitching cloud-native security solutions as add-ons to their public cloud services. At first blush, purchasing AWS- and/or Azure-native security seems like it has advantages. Let's break them down.
- User Experience: For users accustomed to a particular platform, this is perhaps the accidental selling point. The console is familiar, the functionality is straightforward, the user experience is reasonably curated.
- Speed: One of the drivers for cloud adoption is time-to-market, and native solutions offer very rapid time-to-functionality.
- Turn-Key: When data is retained in one place, there's no need to exit the platform to retrieve information being housed outside the platform.
- Scale: Because it's built into the platform (or appears to be, anyway), native tooling should operate at similar scale to other cloud services.
Those are definitely some out-of-the-box positives, but what's under the hood? Cloud-native security services such as AWS GuardDuty, AWS CloudWatch and Azure Monitor all do their machine learning on log data. Because the AWS and Azure solutions rely on logs, the insights are largely surface-level and not based on behavioral patterns. They are not going to detect everything, including unreported rogue instances. An elastic load balancer will only tell you what it logs on your behalf, not give a full accounting of its behavior.
Gartner predicts that by 2022, at least 95% of cloud security failures will have occurred somewhere in the customer's portion of the Shared Responsibility Model. If anything, that figure is proof that cloud providers are doing their part. The rest is up to you.