Mapping On Prem Cloud v4
-AWS : A security group acts as a virtual firewall for your instance to control
inbound and outbound traffic. When you launch an instance in a VPC, you can
assign up to five security groups to the instance. Security groups act at the
instance level, not the subnet level. Therefore, each instance in a subnet in
your VPC can be assigned to a different set of security groups.
Network ACLs act as a firewall for associated subnets, controlling both
inbound and outbound traffic at the subnet level. For more information
-AZURE :
You can use an Azure network security group to filter network traffic to and from
Azure resources in an Azure virtual network. A network security group
contains security rules that allow or deny inbound network traffic to, or
outbound network traffic from, several types of Azure resources. For each
rule, you can specify source and destination, port, and protocol.
-ORACLE :
Security lists act as virtual firewalls for your compute instances and other
kinds of resources. A security list consists of a set of ingress and egress
security rules that apply to all the VNICs in any subnet that the security list is
associated with.
-IBM :
Cloud Security Groups: a set of IP filter rules that define how to handle
incoming (ingress) and outgoing (egress) traffic to both the public and private
interfaces of a virtual server instance.
-ALIBABA :
NAT gateway enables multiple instances within a virtual private cloud (VPC) to
communicate with the Internet. Custom SNAT and DNAT rules can be created
to help use network resources in a flexible manner.
NAT Gateway offers high performance, automatic elasticity, and flexible billing
options with extensive O&M features.
IPS/IDS :
-ALIBABA :
For Alibaba, Anti-Bot Service works as an intrusion detection and prevention
system.
Anti-Bot Service provides comprehensive bot defense for Web applications,
HTML5 websites, mobile apps, and APIs. It can effectively reduce the risks
caused by specific vulnerabilities.
We can use Anti-Bot Service in the following scenarios: flight seating
occupancy, online scalping, user enumeration, and core API exploitation.
Anti-Bot Service is a reverse proxy technology based SaaS solution that
allows you to specify custom protection policies to identify and control
malicious traffic.
-AWS :
Using AWS Firewall Manager, you can easily roll out AWS WAF rules for
your Application Load Balancers, API Gateways, and Amazon CloudFront
distributions. You can create AWS Shield Advanced protections for your
Application Load Balancers, ELB Classic Load Balancers, Elastic IP
Addresses and CloudFront distributions. You can also configure new Amazon
Virtual Private Cloud (VPC) security groups and audit any existing VPC
security groups for your Amazon EC2, Application Load Balancer (ALB) and
ENI resource types. You can deploy AWS Network Firewalls across accounts
and VPCs in your organization. Finally, with AWS Firewall Manager, you can
also associate your VPCs with Amazon Route 53 Resolvers DNS Firewall
rules.
-AZURE :
Azure Application Gateway is a web traffic load balancer that enables you to
manage traffic to your web applications.
● Features
○ Secure Sockets Layer (SSL/TLS) termination
○ Autoscaling
○ Zone redundancy
○ Static VIP
○ Web Application Firewall
○ URL-based routing
○ Redirection
○ Session-affinity
-GOOGLE :
● Benefit from DDoS protection and WAF at Google scale
● Detect and mitigate attacks against your Cloud Load Balancing workloads
● Adaptive Protection (Preview): ML-based mechanism to help detect and block
Layer 7 DDoS attacks
● Mitigate OWASP Top 10 risks and help protect workloads on-premises or in
the cloud
● Bot management to stop fraud at the edge through native integration with
reCAPTCHA Enterprise
-ORACLE Dyn WAF:
-IBM :
Cloud Internet Services: a simple set of edge network services for customers
looking to secure their internet-facing applications from DDoS attacks, data
theft and bot attacks, as well as for those customers needing to optimize their
web applications, or ensure global responsiveness and the ongoing availability.
-ALIBABA :
Alibaba Cloud WAF is a stable, end-to-end solution to the major security
pain points of web applications. It offers professional, timely, comprehensive,
compliant and exclusive threat intelligence.
SIEM & Log Analytics :
-AWS : AWS Security Hub provides you with a comprehensive view of your
security state in AWS and helps you to check your environment against
security industry standards and best practices. Security Hub collects security
data from across AWS accounts, services, and supported third-party partner
products and helps you to analyze your security trends and identify the
highest priority security issues.
Amazon GuardDuty is a threat detection service that continuously monitors
your AWS accounts and workloads for malicious activity and delivers detailed
security findings for visibility and remediation.
The Amazon GuardDuty integration with Security Hub enables you to send
findings from GuardDuty to Security Hub. Security Hub can then include
those findings in its analysis of your security posture.
-AZURE :
Microsoft Azure Sentinel is a scalable, cloud-native security information and event
management (SIEM) and security orchestration, automation and response (SOAR)
solution. Azure Sentinel delivers intelligent security analytics and threat
intelligence across the enterprise, providing a single solution for alert
detection, threat visibility, proactive hunting, and threat response.
● Features
○ Collect data at cloud scale across all users, devices, applications,
and infrastructure, both on-premises and in multiple clouds.
○ Detect previously undetected threats, and minimize false
positives using Microsoft's analytics and unparalleled threat
intelligence.
○ Investigate threats with artificial intelligence, and hunt for
suspicious activities at scale, tapping into years of cyber security
work at Microsoft.
○ Respond to incidents rapidly with built-in orchestration and
automation of common tasks.
Azure Monitor helps you maximize the availability and performance of your
applications and services. It delivers a comprehensive solution for collecting,
analyzing, and acting on telemetry from your cloud and on-premises
environments.
● Features
○ Detect and diagnose issues across applications and
dependencies with Application Insights.
○ Correlate infrastructure issues with VM insights and Container
insights.
○ Drill into your monitoring data with Log Analytics for
troubleshooting and deep diagnostics.
○ Support operations at scale with smart alerts and automated
actions.
-GOOGLE :
● Metrics, logs, and traces are automatically collected and made available in the
Console
● End-to-end monitoring with Cloud Monitoring and a managed service (in
Preview) for Prometheus
● Analyze logs with Logs Explorer and perform advanced queries with Log
Analytics (in Preview)
● Create and monitor service-level objectives (SLOs) as part of your SRE
strategy
● Alert on metrics and logs to quickly take corrective actions
-ORACLE :
The core functionality of Oracle Security Monitoring and Analytics is around
cyber security, providing you with IT solutions in the form of anomaly detection
and investigations, and remediation of the broadest range of security threats
across on-premises and cloud IT assets.
● Real-time threat detection based on rules and patterns
● Advanced threat analytics and visualization
● Enhanced Security Monitoring with Oracle Management Cloud Platform
● Collecting Operating System Logs from Your Host Platforms
-IBM :
-ALIBABA : For SIEM and log analytics, Alibaba uses ActionTrail, a solution
that tracks your Alibaba Cloud account actions and records them as events to
facilitate auditing. ActionTrail lets you deliver these events to specified Log
Service Logstores and Object Storage Service (OSS) buckets. You can also
query and download the recorded events, then perform behavior analysis,
security analysis, and compliance auditing and track resource changes based
on the events.
ActionTrail records the actions you take in the Alibaba Cloud Management
console or by calling API operations, and the actions triggered by Alibaba
Cloud services when these services assume RAM roles. When an action is
taken, ActionTrail tracks and records it within ten minutes.
Antimalware :
-AZURE :
Azure Security Center: security posture management and threat protection for
your hybrid cloud workloads
● Features
○ Protect your Azure and hybrid resources
○ Strengthen the security posture of cloud workloads
○ Protect hybrid cloud workloads with Azure Defender
○ Streamline security management
-ALIBABA :
The cloud protection center receives ECS security event and threat data from
all the agents in the network and uses a cloud-based multi-threat recognition
model to analyze each reported security event.
With the Server Guard App, you can check on the security status of your ECS
instance anytime, anywhere. It also allows you to quickly handle security
threats to your ECS.
Data Loss Prevention (DLP) :
-AWS : Amazon Macie is a powerful security and compliance service that
provides an automatic method to detect, identify, and classify data within your
AWS account. Macie currently supports Amazon S3 storage; however,
additional support for other storage systems will be developed and added over
time. Backed by machine learning, Macie can actively review your data as
different actions are taken within your AWS account. Machine learning spots
access patterns and analyzes user behaviour using CloudTrail event data to
alert against any unusual or irregular activity. Any findings are presented
within a dashboard which can trigger alerts allowing you to quickly resolve any
potential threat of exposure or compromise to your data.
-AZURE :
Azure Information Protection: control and help secure email, documents and
sensitive data that you share outside your company. From easy classification
to embedded labels and permissions, enhance data protection at all times with
Azure Information Protection – regardless of where it’s stored or who it’s
shared with.
● Features
○ Classify your data based on sensitivity
○ Protect your data at all times
○ Add visibility and control
○ Collaborate more securely with others
○ Deployment and management flexibility
-GOOGLE :
● Take charge of your data on or off cloud
● Gain visibility into sensitive data risk across your entire organization
● Reduce data risk with obfuscation and de-identification methods like
masking and tokenization
● Seamlessly inspect and transform structured and unstructured data
-ALIBABA : Alibaba Cloud offers data loss prevention (DLP) capabilities to
ensure that sensitive data is not lost or accessed by unauthorized users.
Among others, this includes data masking algorithms to automatically
generate masked data to conform to local regulatory requirements.
Key Management :
-AWS : AWS Key Management Service (KMS) makes it easy for you to
create and manage cryptographic keys and control their use across a wide
range of AWS services and in your applications. AWS KMS is a secure and
resilient service that uses hardware security modules that have been validated
under FIPS 140-2, or are in the process of being validated, to protect your
keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of
all key usage to help meet your regulatory and compliance needs.
-AZURE :
Key Vault: safeguard cryptographic keys and other secrets used by cloud
apps and services
● Features
○ Increase security and control over keys and passwords
○ Create and import encryption keys in minutes
○ Use FIPS 140-2 Level 2 and Level 3 validated HSMs
○ Applications have no direct access to keys
○ Reduce latency with cloud scale and global redundancy
-GOOGLE :
● Deliver scalable, centralized, fast cloud key management
● Help satisfy compliance, privacy, and security needs
● Apply hardware security modules (HSMs) effortlessly to your most
sensitive data
● Use an external KMS to protect your data in Google Cloud and separate
the data from the key
● Approve or deny any request for your encryption keys based on clear and
precise justifications
-ORACLE :
Store keys in a certified security module:
Manage the security of encryption keys by storing them in a FIPS 140-2, Level
3-certified, hardware security module (HSM).
-IBM :
Key Protect Cloud Security:
Key Protect is a cloud-based security service that provides lifecycle management for
encryption keys that are used in IBM Cloud services or in your applications. Log in to
IBM Cloud. In the IBM Cloud catalog, open the Key Protect service page and create
an instance of the service.
-ALIBABA : Alibaba Cloud Key Management Service (KMS) provides secure
and compliant key management and cryptography services to help you
encrypt and protect sensitive data assets. KMS is integrated with a wide range
of Alibaba Cloud services to allow you to encrypt data across the cloud and to
control its distributed environment.
KMS provides key usage logs via ActionTrail, supports custom key rotation,
and provides HSMs that have passed FIPS 140-2 Level 3 or other relevant
validation, to help you meet your regulatory and compliance needs.
Features:
Rather than encrypting your entire drive, you use EFS to encrypt individual
files and directories, one by one. ... The encryption key is stored in the
operating system itself rather than using a computer's TPM hardware, and it's
possible an attacker could extract it.
-AZURE :
Azure Storage encryption is enabled for all storage accounts, including both
Resource Manager and classic storage accounts. Azure Storage encryption
cannot be disabled. Because your data is secured by default, you don't need
to modify your code or applications to take advantage of Azure Storage
encryption.
-GOOGLE :
Use Google's core infrastructure, data analytics, and machine learning
-ORACLE :
The Oracle Cloud Infrastructure Block Volume service always encrypts all
block volumes, boot volumes, and volume backups at rest by using the
Advanced Encryption Standard (AES) algorithm with 256-bit encryption. By
default all volumes and their backups are encrypted using the Oracle-provided
encryption keys.
-IBM :
Hyper Protect Crypto Services: a dedicated key management service and
hardware security module (HSM) using FIPS 140-2 Level 4 certified hardware. The
same state-of-the-art cryptographic technology relied upon by banks and financial
services is now offered to cloud users via IBM Cloud.
-ALIBABA : For encryption at rest, Alibaba uses Object Storage Service
(OSS), a secure, cost-effective, high-durability cloud storage service
provided by Alibaba Cloud. It enables you to store large amounts of data in
the cloud. OSS is designed for 99.9999999999% (twelve 9's) data durability
and 99.995% service availability.
OSS supports RESTful API operations that are independent of the OSS
console. You can store and access data from all applications anytime and
anywhere.
You can call API operations and use SDKs or OSS migration tools provided by
Alibaba Cloud to transfer large amounts of data to and from Alibaba Cloud
OSS. You can use OSS buckets of the Standard storage class to store image,
audio, and video objects for apps and websites.
DDoS Protection :
-AWS : In addition to the network and transport layer protections that come
with Standard, AWS Shield Advanced provides additional detection and
mitigation against large and sophisticated DDoS attacks, near real-time
visibility into attacks, and integration with AWS WAF, a web application
firewall. AWS Shield Advanced also gives you 24x7 access to the AWS Shield
Response Team (SRT) and protection against DDoS related spikes in your
Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB),
Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 charges.
-AZURE :
Every property in Azure is protected by Azure's infrastructure DDoS (Basic)
Protection at no additional cost. The scale and capacity of the globally
deployed Azure network provides defense against common network-layer
attacks through always-on traffic monitoring and real-time mitigation. DDoS
Protection Basic requires no user configuration or application changes. DDoS
Protection Basic helps protect all Azure services, including PaaS services like
Azure DNS.
-GOOGLE :
Cloud Armor benefits from our experience of protecting key internet properties
such as Google Search, Gmail, and YouTube. It provides built-in defenses
against L3 and L4 DDoS attacks.
-ORACLE :
DDoS Protection is an always-on detection and mitigation platform for
common DDoS volumetric attacks. This built-in service protects against
common layer 3 and 4 attacks like SYN floods, UDP floods, ICMP floods, and
NTP Amplification attacks.
-IBM :
-ALIBABA :
For DDoS protection, Alibaba uses Anti-DDoS, a free Distributed
Denial of Service (DDoS) protection service that safeguards data and
applications.
Anti-DDoS Basic prevents and mitigates DDoS attacks by routing traffic away
from your infrastructure. This service guarantees availability and performance
of your properties on Alibaba Cloud. It also provides enhanced visibility and
control over your security. As a global service from Alibaba Cloud Security,
Anti-DDoS Basic functions with 5Gbps capacity of DDoS mitigation against
common DDoS attacks.
Features:
Email Protection :
-AZURE :
Microsoft Defender for Office 365: protect all of Office 365 against advanced
threats like business email compromise and credential phishing. Automatically
investigate and remediate attacks.
● Features
○ Native protection for Office 365
○ Comprehensive approach
○ Industry-leading AI and automation
-GOOGLE :
Every single email message you send or receive is encrypted while moving
between Google’s data centers. This ensures that your messages are safe not
only when they move between your devices and Gmail’s servers, but also as
they move internally within Google. We were also the first to let users know
when their email was sent insecurely across providers with the introduction of
our TLS indicator.
SSL Decryption Reverse Proxy :
-AWS : Elastic Load Balancing automatically distributes your incoming traffic
across multiple targets, such as EC2 instances, containers, and IP addresses,
in one or more Availability Zones. It monitors the health of its registered
targets, and routes traffic only to the healthy targets. Elastic Load Balancing
scales your load balancer as your incoming traffic changes over time. It can
automatically scale to the vast majority of workloads.
-AZURE :
Transport Layer Security (TLS), previously known as Secure Sockets Layer
(SSL), is the standard security technology for establishing an encrypted link
between a web server and a browser. This link ensures that all data passed
between the web server and browsers remain private and encrypted.
Application gateway supports both TLS termination at the gateway as well as
end to end TLS encryption.
● Features
○ Better utilization of the backend servers – SSL/TLS processing is
very CPU intensive, and is becoming more intensive as key sizes
increase. Removing this work from the backend servers allows
them to focus on what they are most efficient at, delivering
content.
○ Intelligent routing – By decrypting the traffic, the application
gateway has access to the request content, such as headers,
URI, and so on, and can use this data to route requests.
○ Certificate management – Certificates only need to be purchased
and installed on the application gateway and not all backend
servers. This saves both time and money.
-GOOGLE :
HTTP(S) load balancing can balance HTTP and HTTPS traffic across multiple
backend instances, across multiple regions. Your entire app is available via a
single global IP address, resulting in a simplified DNS setup. HTTP(S) load
balancing is scalable, fault-tolerant, requires no pre-warming, and enables
content-based load balancing. For HTTPS traffic, it provides SSL termination
and load balancing.
-IBM :
-ALIBABA :
Endpoint Protection :
-AZURE :
Microsoft Defender for Endpoint is an enterprise endpoint security platform
designed to help enterprise networks prevent, detect, investigate, and respond
to advanced threats.
● Features
○ Attack surface reduction
○ Next-generation protection
○ Endpoint detection and response
○ Automated investigation and remediation
○ Microsoft Secure Score for Devices
-ALIBABA :
For endpoint protection, Alibaba uses Server Guard, a free host security
software system. It provides functions such as host vulnerability detection,
baseline check, virus scan and removal, and unified asset management.
Certificate Management :
-AWS : AWS Certificate Manager is a service that lets you easily provision,
manage, and deploy public and private Secure Sockets Layer/Transport Layer
Security (SSL/TLS) certificates for use with AWS services and your internal
connected resources. SSL/TLS certificates are used to secure network
communications and establish the identity of websites over the Internet as well
as resources on private networks. AWS Certificate Manager removes the
time-consuming manual process of purchasing, uploading, and renewing
SSL/TLS certificates.
-AZURE :
Azure Key Vault enables Microsoft Azure applications and users to store and
use certificates, which are built on top of keys and secrets and add an
automated renewal feature.
-IBM :
Certificate Manager: With IBM Certificate Manager, you can store and
centrally manage your certificates within a secure repository.
-ALIBABA :
Container Security :
-AWS : Amazon ECS is a fully managed container orchestration service that
makes it easy for you to deploy, manage, and scale containerized
applications.
-AZURE :
Azure Container Instances is a service that enables a developer to deploy
containers on the Microsoft Azure public cloud without having to provision or
manage any underlying infrastructure. ... According to Microsoft, ACI reduces
management overhead, so a developer can deploy a container on Azure
within seconds.
Accelerate your containerized application development without compromising
security
-GOOGLE :
● Container-Optimized OS
● Node upgrades
● Protecting nodes from untrusted workloads
● Securing your workloads
-ORACLE :
Control the operations that pods are allowed to perform on a cluster you've created
with Container Engine for Kubernetes by setting up pod security policies for the
cluster. Pod security policies are a way to ensure that pods meet security-related
conditions before they can be accepted by a cluster. For example, you can use pod
security policies to:
-IBM :
Containers - Trusted Compute: A container is a unit of deployable software
that provides isolation at the process level. Each application, together with its
environment, can run in an isolated environment and can automate the
deployment, scaling, and management of containerized applications.
-ALIBABA :
In Alibaba Cloud, Container Registry allows you to manage images throughout the image
lifecycle. It provides secure image management, stable image build creation across
global regions, and easy image permission management.
This service simplifies the creation and maintenance of the image registry and
supports image management in multiple regions. Combined with other cloud
services such as Container Service, Container Registry provides an optimized
solution for using Docker in the cloud.
Identity and Access Management :
-AWS : AWS Identity and Access Management (IAM) enables you to
manage access to AWS services and resources securely. Using IAM, you can
create and manage AWS users and groups, and use permissions to allow and
deny their access to AWS resources.
-AZURE :
Azure Active Directory: universal platform to manage and secure identities
● Features
○ Integrate identity into your apps
○ Engage with your customers and partners
○ Protect and govern access
-GOOGLE :
● Single access control interface
● Fine-grained control
● Automated access control recommendations
● Context-aware access
● Flexible roles
● Web, programmatic, and command-line access
-ORACLE :
● Maintain visibility and control
● Enable diverse IT operational workflows using identity policies
● Components: resource, user, group, dynamic group, network source,
compartment, tenancy, policy, home region, federation
-IBM :
Cloud IAM App ID: With IBM Cloud App ID and IBM Cloud Identity and
Access Management (IAM), account owners can manage user access in your
account.
As an account owner, you can set policies within your account to create
different levels of access for different users. For example, certain users can
have read-only access to one instance, but write access to another. You can
decide who is allowed to create, update, and delete instances of App ID.
-ALIBABA :
Privileged Access Management (PAM) :
-AZURE :
Privileged Identity Management (PIM) is a service in Azure Active Directory
(Azure AD) that enables you to manage, control, and monitor access to
important resources in your organization. These resources include resources
in Azure AD, Azure, and other Microsoft Online Services such as Microsoft
365 or Microsoft Intune.
● Features
○ Provide just-in-time privileged access to Azure AD and Azure
resources
○ Assign time-bound access to resources using start and end dates
○ Require approval to activate privileged roles
○ Enforce multi-factor authentication to activate any role
○ Use justification to understand why users activate
Multi-Factor Authentication (MFA) :
-AWS : You can enable MFA for your AWS account and for individual IAM users you
have created under your account. MFA can also be used to control access
to AWS service APIs.
-AZURE :
Azure AD Multi-Factor Authentication works by requiring two or more of the following
authentication methods:
● Something you know, typically a password.
● Something you have, such as a trusted device that is not easily duplicated, like a
phone or hardware key.
● Something you are - biometrics like a fingerprint or face scan.
Azure AD Multi-Factor Authentication can also further secure password reset. When users
register themselves for Azure AD Multi-Factor Authentication, they can also register for
self-service password reset in one step.
-GOOGLE :
-ORACLE :
With MFA enabled in the IAM service, when a user signs in to Oracle Cloud
Infrastructure, they are prompted for their username and password, which is
the first factor (something that they know). The user is then prompted to
provide a second verification code from a registered MFA device, which is the
second factor (something that they have). The two factors work together,
requiring an extra layer of security to verify the user’s identity and complete
the sign-in process.
-IBM :
-ALIBABA :
different systems.
-AZURE :
With the audit logs in Azure AD, you get access to records of system activities for
compliance. The most common views of this log are based on the following categories:
● User management
● Group management
● Application management
-GOOGLE :
● Network monitoring
● Optimizing network usage and egress
● Network forensics and security analytics
● Real-time security analysis
-ORACLE :
● Captures state changes of resources: time the API activity
occurred, source of the activity, target of the activity, type of action, type
of response
● Better tracking of long-running APIs
● Provides troubleshooting information in logs
-IBM :
Log Analysis and Cloud Activity Tracker: your source for activity events
recorded within IBM Cloud. Activity events are records of the API calls to
services on the IBM Cloud and produce the evidence to comply with
corporate policies and market industry-specific regulations.
-ALIBABA :
For centralized auditing, Alibaba uses Log Service.
Log Service can collect logs from multiple types of Alibaba Cloud services,
such as elastic computing, storage, security, and database services. The logs
record operational statistics, such as user operations, running statuses, and
business dynamics of Alibaba Cloud services.
● Deploys reliable high-availability service nodes in data centers around the world.
● Fully supports real-time and offline computing, and seamlessly connects to Alibaba
Cloud software, open-source software, and commercial software.
● You can set the access permissions for individual rows so that the same report is
displayed differently for each user role.
Load Balancer :
-AWS : Classic Load Balancing. This more closely resembles traditional load
balancing, but virtual devices replace physical hardware to evenly distribute
your incoming requests and ensure clean, fast user experience.
-AZURE :
Azure Load Balancer operates at layer 4 of the Open Systems Interconnection (OSI) model.
It's the single point of contact for clients. Load balancer distributes inbound flows that arrive
at the load balancer's front end to backend pool instances.
A public load balancer can provide outbound connections for virtual machines (VMs) inside
your virtual network.
An internal (or private) load balancer is used where private IPs are needed at the frontend
only.
● Features
○ Load balance internal and external traffic to Azure virtual machines.
○ Increase availability by distributing resources within and across zones.
○ Configure outbound connectivity for Azure virtual machines.
○ Use health probes to monitor load-balanced resources.
○ Employ port forwarding to access virtual machines in a virtual network by
public IP address and port.
-GOOGLE :
The external HTTP(S) load balancer offers multi-region load balancing,
directing traffic to the closest healthy backend that has capacity and
terminates HTTP(S) traffic as close as possible to your users.
-ORACLE :
● Provides automated traffic distribution from one entry point to multiple
servers reachable from your virtual cloud network (VCN).
● The service offers a load balancer with your choice of a public or private
IP address, and provisioned bandwidth.
● Types:
○ Public: to accept traffic from the internet.
○ Private: to isolate your load balancer from the internet and simplify your
security posture.
-IBM :
Cloud Load Balancer: The IBM Cloud Load Balancer service distributes traffic
among multiple server instances (bare metal and virtual server) that reside locally,
within the same data center.
-ALIBABA :
For load balancer, SLB (Server Load Balancer) distributes inbound network
traffic across multiple Elastic Compute Service (ECS) instances that act as
backend servers based on forwarding rules. You can use SLB to improve the
responsiveness and availability of your applications.
After you add ECS instances that are deployed in the same region to an SLB
instance, SLB uses virtual IP addresses (VIPs) to virtualize these ECS
instances into backend servers in a high-performance server pool that
ensures high availability. Client requests are distributed to the ECS instances
based on forwarding rules.
SLB checks the health status of the ECS instances and automatically removes
unhealthy ones from the server pool to eliminate single points of failure
(SPOFs). This enhances the resilience of your applications. You can also use
SLB to defend your applications against distributed denial of service (DDoS)
attacks.
LAN :
-AWS : Amazon Virtual Private Cloud (VPC) gives you complete control over
your virtual networking environment, including resource placement,
connectivity, and security. The first step is to create your VPC. Then you can
add resources to it, such as Amazon Elastic Compute Cloud (EC2) and
Amazon Relational Database Service (RDS) instances. Finally, you can define
how your VPCs communicate with each other across accounts, Availability
Zones (AZs), or Regions. In the example below, network traffic is shared
between two VPCs within each region.
-AZURE :
Azure Virtual Network (VNet) is the fundamental building block for your private network in
Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM),
to securely communicate with each other, the internet, and on-premises networks.
-GOOGLE :
A virtual private cloud (VPC) is a public cloud environment that a host isolates as part of its
resources for a specific user.
Because of the resource isolation, a VPC has a higher level of security and customization
capabilities than a public cloud. Users can create custom VPN connections, virtual LAN
(VLAN), access control lists (ACL), routing rules, subnets, private IP addresses, and more.
-ORACLE :
VCN: A virtual, private network that you set up in Oracle data centers. It
closely resembles a traditional network, with firewall rules and specific types of
communication gateways that you can choose to use. A VCN resides in a
single Oracle Cloud Infrastructure region and covers one or more CIDR blocks.
-IBM :
-ALIBABA :
For LAN, Alibaba Virtual Private Cloud is a foundational cloud offering that
allows you to create private networks to host your cloud infrastructure. A VPC
is a configurable base layer tool that underpins almost every other commonly
used cloud service.
You can launch Apsara Stack resources such as Elastic Compute Service
(ECS) instances, ApsaraDB for RDS (RDS) instances, and Server Load
Balancer (SLB) instances in your VPC.
Furthermore, you can connect your VPC to other VPCs or on-premises
networks to create a custom network environment. In this way, you can
smoothly migrate applications and extend on-premises data centers to the
cloud.
WAN :
-AWS : AWS Direct Connect is a cloud service that links your network
directly to AWS, bypassing the internet to deliver more consistent,
lower-latency performance. When creating a new connection, you can choose
a hosted connection provided by an AWS Direct Connect Delivery Partner, or
choose a dedicated connection from AWS—and deploy at over 100 AWS
Direct Connect locations around the world.
-AZURE :
Azure ExpressRoute : dedicated private network fiber connections to Azure
● Features
○ Private connections to Azure
○ Increased reliability and speed
○ Lower latency
○ Bandwidth up to 100 Gbps supported
○ Connects directly to your WAN
○ Connect your on-premises networks using the Microsoft global network
-GOOGLE :
Dedicated Interconnect provides direct physical connections between your on-premises
network and Google's network. Dedicated Interconnect enables you to transfer large
amounts of data between networks, which can be more cost-effective than purchasing
additional bandwidth over the public internet.
-ORACLE :
-IBM :
The IBM Cloud Direct Link solution is designed to seamlessly connect your
on-premises resources to your cloud resources. The speed and reliability of
IBM Cloud Direct Link help you extend your organization's data center network
and provide consistent, higher-throughput connectivity without touching the
public internet.
-ALIBABA :
For WAN, Alibaba uses VPN Gateway and Express Connect.
VPN Gateway is an Internet-based service that securely and reliably connects
enterprise data centers, office networks, and Internet terminals to virtual
private clouds (VPCs) of Alibaba Cloud through encrypted channels.
Express Connect allows you to establish high-bandwidth, reliable, secure, and private
connections between different networks.
Dedicated physical connections link your on-premises data centers with Alibaba
Cloud, which improves the flexibility of your network topology and the performance
of cross-network connectivity.
Based on Smart Access Gateway and SD-WAN capabilities, Express Cloud Connect
offers an all-in-one network service by integrating the high reliability, high
performance, and low latency features of dedicated physical connections.
VPN :
-AWS : A transit gateway is a network transit hub that you can use to
interconnect your virtual private clouds (VPCs) and on-premises networks. As
your cloud infrastructure expands globally, inter-Region peering connects
transit gateways together using the AWS Global Infrastructure.
-AZURE :
Azure supports Secure Socket Tunneling Protocol (SSTP), a proprietary TLS-based VPN
protocol. A TLS VPN solution can traverse firewalls, since most firewalls allow TCP port 443
outbound, which TLS uses. SSTP is only supported on Windows devices. Azure supports all
versions of Windows that have SSTP and support TLS 1.2 (Windows 8.1 and later).
-GOOGLE :
HA VPN
Classic VPN
-ORACLE :
DRG:
A DRG acts as a virtual router, providing a path for traffic between your
on-premises networks and VCNs, and can also be used to route traffic
between VCNs.
-IBM :
IPsec VPN Secure Gateway : A site-to-site Virtual Private Network (VPN) tunnel is
the usual approach to securing connectivity between networks.
IBM Cloud provides a number of options for site-to-site data center connectivity,
either using a VPN over the public internet or via a private dedicated network
connection, so that you can:
● connect your on-premises systems to services and workloads running in
IBM Cloud,
● ensure private, low-cost connectivity between on-premises and IBM Cloud
services.
-ALIBABA :
VPN Gateway is an Internet-based service that securely and reliably connects
enterprise data centers, office networks, or Internet-facing terminals to Alibaba Cloud
Virtual Private Cloud (VPC) networks through encrypted connections.
There are two different connections VPN Gateway supports: IPsec-VPN connection
and SSL-VPN connection.
-GOOGLE :
Gain centralized visibility and control
• Discover misconfigurations and vulnerabilities
• Report on and maintain compliance
• Detect threats targeting your Google Cloud assets
-ALIBABA :
Alibaba Cloud ActionTrail is a service that enables governance, compliance,
operational auditing, and risk auditing of your Alibaba Cloud account.
With ActionTrail, you can log, continuously monitor, and retain account activity
related to actions across your Alibaba infrastructure.
ActionTrail provides event history of your Alibaba account activity. This event
history simplifies security analysis, resource change tracking, and
troubleshooting.
Backup and Recovery :
-AWS : Amazon S3 Glacier and S3 Glacier Deep Archive are secure,
durable, and extremely low-cost Amazon S3 cloud storage classes for data
archiving and long-term backup. They are designed to deliver 99.999999999%
durability, and provide comprehensive security and compliance capabilities
that can help meet even the most stringent regulatory requirements.
Customers can store data for as little as $1 per terabyte per month, a
significant savings compared to on-premises solutions. To keep costs low yet
suitable for varying retrieval needs, Amazon S3 Glacier provides three options
for access to archives, from a few minutes to several hours, and S3 Glacier
Deep Archive provides two access options ranging from 12 to 48 hours.
-AZURE :
The Azure Backup service provides simple, secure, and cost-effective solutions to back up
your data and recover it from the Microsoft Azure cloud.
● Features
○ Back up Azure IaaS VMs: Azure Backup provides independent and isolated
backups to guard against accidental destruction of original data. Backups are
stored in a Recovery Services vault with built-in management of recovery
points. Configuration and scalability are simple, backups are optimized, and
you can easily restore as needed.
○ Scale easily: Azure Backup uses the underlying power and unlimited scale of
the Azure cloud to deliver high availability with no maintenance or monitoring
overhead.
○ Get unlimited data transfer: Azure Backup doesn't limit the amount of inbound
or outbound data you transfer, or charge for the data that's transferred.
Outbound data refers to data transferred from a Recovery Services vault
during a restore operation. If you perform an offline initial backup using the
Azure Import/Export service to import large amounts of data, there is a cost
associated with inbound data.
○ Keep data secure: Azure Backup provides solutions for securing data in
transit and at rest.
Azure Site Recovery keeps your business running with a built-in disaster recovery service.
● Features
○ Simple to deploy and manage
○ Minimise downtime with dependable recovery
○ Reduce infrastructure costs
-GOOGLE :
Use gsutil
Understand file restoration behavior
Avoid Etags
-ORACLE :
Retention rules provide immutable object storage options for data written to
Archive Storage for data governance, regulatory compliance, and legal hold
requirements. Retention rules can also protect your data from accidental or
malicious update, overwrite, or deletion.
-IBM :
IBM Cloud Backup is an automated agent-based backup system that is
managed through the Cloud Backup Portal browser-based management utility.
IBM Cloud Backup provides users with a method to back up data between
servers in one or more data centers on the IBM Cloud network. Administrators
can set backups to follow a daily, weekly, or custom schedule that targets full
systems, specific directories, or even individual files.
-ALIBABA :
For backup and recovery, Alibaba uses Hybrid Backup Recovery, a solution
that provides secure, cost-effective, and scalable data protection for data
stored in the cloud and in on-premises data centers.
With the deduplication and AES-256 encryption features, you can substantially
reduce cloud storage costs while ensuring data security. Hybrid Backup
Recovery allows you to back up data stored in Elastic Compute Service (ECS)
instances, Apsara File Storage NAS, Object Storage Service (OSS),
on-premises data centers, and VMware virtual machines.
Hybrid Backup Recovery also allows you to migrate data from VMware virtual
machines to Alibaba Cloud.
Vulnerability Assessment :
-AWS : Trusted Advisor provides advice about your AWS account in the areas
of:
● Cost Optimization
● Fault Tolerance
● Performance
● Service Limits
● Security
Amazon Inspector checks the configuration of EC2 instances. An agent runs
on EC2 instances and checks operating system patches, known
vulnerabilities, and common issues.
Therefore, the difference is:
● Trusted Advisor applies to the AWS account and AWS services
● Amazon Inspector applies to the content of multiple EC2 instances
-GOOGLE :
Detectors and compliance
Finding types
-ORACLE :
• Enhanced visibility of vulnerabilities, which assists in managing the
organization’s security risk posture
• Support compliance with regulations such as HIPAA and PCI
• Fully managed service–single point of contact working closely with the
customer
• Removes need to hire in-house or third party expertise
• Continuous reporting shows ongoing progress with vulnerability
management goals
-IBM :
Cloud Security Advisor - Vulnerability Advisor : a dashboard provides
centralized security management. The dashboard unifies vulnerability,
network, application and system findings from IBM Services, partners and
user-defined sources. By centralizing visibility, it can empower the security
admin to cohesively manage security on IBM Cloud workloads.
-ALIBABA :
For vulnerability assessment, Alibaba uses Server Guard and Website Threat
Inspector.
So how can we ensure the security of our cloud host? Alibaba Cloud has
developed a cloud host security product specifically to address this problem.
Website Threat Inspector (WTI) utilizes data, white hat penetration testing,
and machine learning to provide an all-in-one security solution for domains
and other online assets. WTI detects web vulnerabilities, illicit content,
webpage defacement and backdoors to prevent possible financial loss caused
by damage to your brand reputation.
Patch Management :
-AWS : AWS Systems Manager is the operations hub for AWS. Systems
Manager provides a unified user interface so you can track and resolve
operational issues across your AWS applications and resources from a central
place. With Systems Manager, you can automate operational tasks for
Amazon EC2 instances or Amazon RDS instances. You can also group
resources by application, view operational data for monitoring and
troubleshooting, implement pre-approved change workflows, and audit
operational changes for your groups of resources. Systems Manager
simplifies resource and application management, shortens the time to detect
and resolve operational problems, and makes it easier to operate and manage
your infrastructure at scale.
-IBM :
IBM Cloud Orchestrator provides seamless integration of private and public
cloud environments. IBM Cloud Orchestrator is the ideal solution for IT
organizations that want to implement a hybrid cloud delivery model. It
automates the complete delivery of IT services on private cloud environments,
and it enables the exploitation of the same services on resources running on
public clouds.
Change Management :
-AWS : AWS Config is a service that enables you to assess, audit, and
evaluate the configurations of your AWS resources. Config continuously
monitors and records your AWS resource configurations and allows you to
automate the evaluation of recorded configurations against desired
configurations. With Config, you can review changes in configurations and
relationships between AWS resources, dive into detailed resource
configuration histories, and determine your overall compliance against the
configurations specified in your internal guidelines. This enables you to
simplify compliance auditing, security analysis, change management, and
operational troubleshooting.
Another benefit is the ability to trigger alerts when a specified action is taken.
For example, if the hosts file on any given server has changed, an alert to
the security team should be triggered because of the suspicious activity.
-AZURE :
Microsoft Azure offers the Automation Account and Log Analytics, which combined can
monitor, maintain, analyze, and inform when issues are found.