Securing Cloud Data - AWS and Azure Security Part II
Direct answer: Securing cloud data across AWS and Azure requires control coverage across architecture, data, platform, application, operations, and compliance, plus encryption for both data at rest and data in transit.
In Part I, we discussed the security triad in the context of cloud data security: data-at-rest encryption for confidentiality, data-in-transit encryption for integrity, and high availability/failover for availability.
This Part II article focuses on core AWS and Azure security concepts to help security reviewers, auditors, and risk management teams evaluate cloud data protection choices.
Cloud risk is similar to traditional IT risk, but the service model, shared-responsibility boundaries, operating model, and technology stack change how risk-based controls are designed and how their effectiveness is validated.
What cloud security domains should reviewers prioritize?
Cloud security reviews should cover these core domains:
- Architectural Concepts & Design Requirements
- Cloud Data Security
- Cloud Platform & Infrastructure Security
- Cloud Application Security
- Operations
- Legal & Compliance
A full domain-by-domain deep dive is extensive, but understanding these key areas gives auditors and risk teams a practical baseline for AWS and Azure assessments.
What AWS and Azure storage options support backup and recovery?
AWS provides block, file, and object storage options for backup, archiving, and disaster recovery use cases. Amazon S3 enables read/write data access through a simple web service interface. The figure below summarizes common AWS and Azure data storage choices.
[Figure: summary of common AWS and Azure data storage choices (image not reproduced)]
How does AWS protect data at rest and in transit?
Amazon S3 supports access control and encryption. Data at rest can be protected with server-side encryption, where objects are encrypted before they are written to storage. Data in transit can be protected using SSL/TLS (HTTPS) or client-side encryption, where data is encrypted before it leaves the client. AWS storage-related services include Amazon S3, Amazon Glacier, Amazon EFS, Amazon EBS, Amazon EC2, AWS Storage Gateway, AWS Snowball, and Amazon CloudFront, all of which depend on strong access controls.
How does Azure protect data at rest and in transit?
Azure Storage includes Azure Blobs, Azure Data Lake Storage Gen2, Azure Files, Azure Queues, and Azure Tables. Blob storage is optimized for unstructured data. Data written to Azure Storage, including metadata, is encrypted at rest using Storage Service Encryption (SSE). Azure AD with RBAC provides identity and access control. Data in transit can be protected with client-side encryption, HTTPS, or SMB 3.0 encryption, and Azure Disk Encryption can be used for VM OS and data disks.
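The two sections above describe the at-rest and in-transit controls a reviewer should verify on S3 and on Azure Storage. The following Python script is an added example, not code from the original article, showing how an auditor can evaluate those controls offline against exported configuration snapshots. It assumes the S3 inputs have the shape of the `get_bucket_encryption` response and the bucket policy JSON text, and that the Azure input mirrors the storage account's ARM resource JSON (`supportsHttpsTrafficOnly`, `minimumTlsVersion`, `allowBlobPublicAccess`, `encryption`). All bucket names, account names and key aliases in the sample data are constructed for illustration.

```python
"""Offline audit of data-at-rest and data-in-transit controls for an S3 bucket
and an Azure Storage account, run over exported configuration snapshots."""
import json
from dataclasses import dataclass


@dataclass
class Finding:
    control: str   # short identifier of the control checked
    passed: bool   # True when the configuration meets the control
    detail: str    # evidence to record in the audit workpaper


# ---- AWS: S3 bucket ----------------------------------------------------------

def check_s3_default_encryption(encryption_config: dict) -> Finding:
    """Data at rest: the bucket must carry a default server-side encryption rule.
    Input has the shape of a get_bucket_encryption() response."""
    rules = (encryption_config.get("ServerSideEncryptionConfiguration", {})
             .get("Rules", []))
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ("AES256", "aws:kms", "aws:kms:dsse"):
            return Finding("s3.sse_at_rest", True, f"default SSE set to {algo}")
    return Finding("s3.sse_at_rest", False, "no default server-side encryption rule")


def check_s3_tls_only(policy_document: str) -> Finding:
    """Data in transit: the bucket policy must deny requests made without TLS
    (Deny with condition aws:SecureTransport = false). Input is the policy JSON."""
    try:
        statements = json.loads(policy_document).get("Statement", [])
    except (ValueError, AttributeError):
        return Finding("s3.tls_in_transit", False, "bucket policy missing or unparsable")
    if isinstance(statements, dict):        # a single statement may be a bare object
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Deny":
            continue
        bool_cond = st.get("Condition", {}).get("Bool", {})
        if str(bool_cond.get("aws:SecureTransport", "")).lower() == "false":
            return Finding("s3.tls_in_transit", True, "policy denies non-TLS requests")
    return Finding("s3.tls_in_transit", False, "no Deny on aws:SecureTransport=false")


# ---- Azure: Storage account --------------------------------------------------

def check_azure_storage(account: dict) -> list:
    """SSE on blobs, HTTPS-only with TLS 1.2 minimum, and no anonymous blob
    access. Input mirrors the ARM resource JSON of a storage account."""
    props = account.get("properties", {})
    enc = props.get("encryption", {})
    blob_sse = bool(enc.get("services", {}).get("blob", {}).get("enabled", False))
    key_source = enc.get("keySource", "unknown")
    min_tls = props.get("minimumTlsVersion", "TLS1_0")     # absent -> legacy default
    try:
        tls_tuple = tuple(int(p) for p in min_tls.removeprefix("TLS").split("_"))
    except ValueError:
        tls_tuple = (0, 0)
    https_only = bool(props.get("supportsHttpsTrafficOnly", False))
    public = bool(props.get("allowBlobPublicAccess", True))
    return [
        Finding("azure.sse_at_rest", blob_sse,
                f"blob SSE enabled={blob_sse}, keySource={key_source}"),
        Finding("azure.tls_in_transit", https_only and tls_tuple >= (1, 2),
                f"httpsOnly={https_only}, minimumTlsVersion={min_tls}"),
        Finding("azure.no_public_blob", not public, f"allowBlobPublicAccess={public}"),
    ]


def audit(s3_encryption: dict, s3_policy: str, azure_account: dict) -> dict:
    """Run every check and list the controls that failed, in check order."""
    findings = [check_s3_default_encryption(s3_encryption),
                check_s3_tls_only(s3_policy),
                *check_azure_storage(azure_account)]
    return {"findings": findings,
            "failed": [f.control for f in findings if not f.passed]}


# ---- constructed sample snapshots (illustrative values, not real accounts) ---
S3_ENCRYPTION_OK = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": "alias/example-bucket-key"},
     "BucketKeyEnabled": True}]}}
S3_POLICY_OK = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
S3_POLICY_WEAK = json.dumps({"Version": "2012-10-17", "Statement": []})
AZURE_OK = {"name": "examplestorage", "properties": {
    "supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
    "allowBlobPublicAccess": False,
    "encryption": {"keySource": "Microsoft.Storage",
                   "services": {"blob": {"enabled": True}, "file": {"enabled": True}}}}}
AZURE_WEAK = {"name": "legacystorage", "properties": {
    "supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0",
    "allowBlobPublicAccess": True,
    "encryption": {"keySource": "Microsoft.Storage",
                   "services": {"blob": {"enabled": True}}}}}

if __name__ == "__main__":
    for label, result in (("compliant", audit(S3_ENCRYPTION_OK, S3_POLICY_OK, AZURE_OK)),
                          ("weak", audit(S3_ENCRYPTION_OK, S3_POLICY_WEAK, AZURE_WEAK))):
        print(label, "failed controls:", result["failed"])
```

The checks deliberately treat a missing property as the weaker setting (no `minimumTlsVersion` is read as TLS 1.0, no `allowBlobPublicAccess` as public allowed), so an incomplete export produces a finding rather than a silent pass. In a live review the same functions would be fed from `boto3` and the Azure management SDK instead of the constructed snapshots.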
Key Takeaways
- Cloud data protection in AWS and Azure should be reviewed across architecture, data, platform, application, operations, and compliance domains.
- Both providers support encryption at rest and in transit, but control implementation differs by service design and operations model.
- Audits should verify encryption method, access control model, and storage service usage against risk and compliance requirements.
- Storage selection for backup, archiving, and disaster recovery must include security control validation, not just performance and cost.