Amazon Web Services is riding high as cloud adoption swells, beating its peers while commanding the enterprise technology industry's attention. But, unlike Microsoft and Google, the cloud giant is not shining a spotlight on security.
That doesn't mean AWS is any less secure or invested in cybersecurity than its competitors, according to security researchers and analysts. But there is a perception it is less forthright than Microsoft Azure and Google Cloud in sharing insights with the cybersecurity community at large.
Security messaging at AWS leans heavily on the shared responsibility model. It promises to manage security of the cloud, leaving customers to secure what's in the cloud.
The company largely shares research, threat intelligence or vulnerability and risk assessments as they pertain to AWS products. That public information, including security bulletins, is for AWS customers, first and foremost.
AWS also helps shape security governance through its participation on the Cybersecurity and Infrastructure Security Agency's advisory committee.
The cloud giant plays an active role in the cybersecurity community, but the consensus among the nearly one dozen experts and analysts Cybersecurity Dive spoke to was that it’s just quiet about it.
How the trio of cloud giants is perceived on the cybersecurity front largely comes down to differences in business philosophy, according to Mauricio Sanchez, research director of network security at Dell’Oro Group.
“AWS appears to have taken the [tack] that it’s better for the bottom line to not compete on the security front, versus Microsoft and Google choosing to make it a business priority,” he said in an email.
AWS declined Cybersecurity Dive’s request to comment on how it participates in cybersecurity community discourse and the security information sharing space.
The cloud kingmaker
There’s no underselling how important AWS is to Amazon. The cloud unit generates just 16% of Amazon’s net sales, yet it's the reason Amazon remains profitable. In Q3, for the period ending Sept. 30, Amazon's larger North America and international segments operated at a loss, leaving AWS the sole reason the company turned a profit.
All told, AWS, Microsoft and Google account for two-thirds of the global cloud market, but AWS controls 34% of the market — more than the other two hyperscalers combined, according to John Dinsdale, chief analyst at Synergy Research Group. Microsoft Azure controls 21% of the public cloud market, trailed by Google Cloud’s 11%.
AWS is not trying to be a thought leader in security, said Claude Mandy, chief evangelist for data security at Symmetry Systems.
"They are a thought leader in cloud and the leader in that,” said Mandy. “They want to be synonymous with the leading cloud service provider.”
Market research firms name AWS as a key player in the global cloud security market, but the size of its security business is largely unknown. Amazon doesn’t break out security-related revenue in financial reports or filings with the Securities and Exchange Commission.
Security was only mentioned once, in passing, during the company’s most recent earnings call.
“Unfortunately, in the cybersecurity world where too often perception is more important than substance, I do think AWS gets unfairly dinged because they aren’t out to market and monetizing cloud security solutions in the same way Microsoft and Google appear to be doing,” Sanchez said.
How AWS portrays its role in cybersecurity
If one of the hyperscalers focuses on being the thought leader in cloud security and earns that distinction with persistence, there could eventually be consequences — either perceived or real — for the other two.
All three of the major cloud providers regularly host security-focused conferences and participate in industry events. And each builds security into its solutions.
AWS consistently supports federal government initiatives, such as the Joint Cyber Defense Collaborative, and its leaders often join counterparts at other companies and federal cyber authorities to promote partnerships and advocate for the development of a larger cybersecurity workforce.
In August, a coalition of 18 companies introduced the Open Cybersecurity Schema Framework project, initially established by AWS and Splunk, to create a universal model for sharing data deemed essential to spot and curb cyberattacks.
AWS doesn’t hide these efforts, but it doesn’t make a big splash about them either. And that’s probably by design.
“AWS doesn’t market security because they are the market leader and consider it part of what they do,” said Zeus Kerravala, founder and principal analyst at ZK Research. “However, they could do more.”
The company’s security strategy, as top executives explained in July at its security conference AWS re:Inforce, is to strike a balance between providing embedded security capabilities that require minimal customer effort and linking customers to third-party vendors that can fulfill specific needs.
AWS lists almost 20 cloud security products and features on its site, ranging from identity and access management to detection, network and application protection, data protection, incident response and compliance.
These services integrate into customers’ AWS computing environments, but further customization opportunities are available via the AWS Marketplace. A simple search for cloud security retrieved almost 4,200 results for products, including many from well-known vendors such as Palo Alto Networks, IBM Security, Check Point and CrowdStrike.
AWS leads with this developer-centric strategy, Microsoft takes an enterprise-centric approach and Google is somewhere in the middle. This strategic difference plays out to opposite extremes.
Microsoft is parlaying its long history in enterprise endpoint operating systems into cloud security, and AWS offers a large marketplace, showcasing its stronger willingness to partner with third-party security vendors instead of keeping customers captive with in-house offerings, Sanchez said.
“Somewhere in the middle is Google, who up until recently didn’t appear to be swaying toward any of these two extremes,” he said.
Google’s $5.4 billion Mandiant acquisition in September “made it pretty clear that they want to be known as a security provider like Microsoft,” Sanchez said.
Security perceptions flow from different strengths
AWS’ first-mover advantage in cloud carries over into strengths in security capabilities. It provides a baseline of embedded security that frees most customers from worrying about anomalous activities, according to researchers and analysts.
Amazon likely hashed out security requirements for the cloud before Microsoft and Google, which are now going through trial by fire amid a more intense threat landscape, said Davis McCarthy, principal security researcher at Valtix.
Most small to medium organizations get more protection than they would otherwise develop internally with that push-button approach, but larger enterprises often have specialized requirements that necessitate customizations and sophisticated configurations.
Customized development and proactive threat hunting based on intelligence shared by a cloud provider will bolster an organization’s defenses even further.
Microsoft stands apart in that regard, partly because of its legacy in the enterprise market, by regularly sharing specific details about vulnerabilities and how they apply to enterprise environments for purposes of threat hunting and analysis.
That history and consistent public exposure with the cybersecurity community explain why many view Microsoft as the long-standing reliable source for information gathering and sharing.
The threat landscape is becoming more targeted toward the cloud and Microsoft has always been a part of that conversation, whereas AWS has not, McCarthy said. “I would expect to see more from [AWS], more leadership in that space.”