These Are The Public Cloud Platforms With The Best Native Security, According To Forrester

No Longer Cowering From The Cloud

In the past, many security and risk professionals were anxious about their company's cloud adoption. But today, many of these same people believe the native security capabilities of large public cloud platforms offer more affordable and superior security than what the company could deliver itself if the workloads remained on-premises, according to Forrester Research.

Three key factors ensure a smooth transition to the cloud and influence selection, Forrester said: the breadth and depth of native security features; unified configuration and management; and aggressive road maps. From a breadth and depth standpoint, Forrester found that a platform's security certifications and security track record play a great role in vendor selection.

From a unification standpoint, people have found that centralized security not only improves a company's tactical, day-to-day security posture, but also helps with restructuring the company's cloud security governance processes. Finally, Forrester proposed that companies be evaluated not only on the capabilities they have today, but also on the ones in development and how quickly they plan to roll them out.

Methodology

Vendors included in Forrester's public cloud platform native security assessment needed to have at least $50 million in annual revenue from their dedicated native security portfolio, at least 15 percent year-over-year growth in revenue, and at least 3,000 customer organizations for native security in production.

From there, Forrester said it looked for Infrastructure-as-a-Service cloud platform vendors that demonstrated thought leadership and strategy execution by regularly updating and improving their product portfolio. Finally, the companies selected were frequently mentioned in end-user client inquiries, vendor selection RFPs, shortlists, consulting projects and case studies, and by competing vendors.

Forrester evaluated the native security capabilities of the top public cloud platform providers against 37 criteria, which were grouped into three high-level categories: current offering, strategy and market presence.

Leader: Google

Current Offering: 4.5 (out of 5)

Strategy: 4.18 (out of 5)

Market Presence: 3.8 (out of 5)

Google's security configuration policies are very granular in the admin console as well as in APIs. The company plans to provide ongoing security improvements to the admin console using device trust and location; implement hardware-based encryption key management; and improve visibility into the platform by launching a unified risk dashboard.

The Mountain View, Calif.-based vendor received a perfect score for several Forrester criteria, including hypervisor security; OS and container security; storage and data security; physical security plans; hypervisor security plans; guest OS workload security plans; network security plans; and machine-learning plans. Google's lowest score – 1 out of 5 – came in support staffing.

Google

Assets: Google's platform has a large number of security certifications and a broad partner ecosystem. It offers deep native support for guest operating systems and Kubernetes containers and supports autoscaling. GPUs can also be added to the instances, according to Forrester.

Challenges: Role-based access controls can be very complex, according to Forrester, and some users may find Active Directory sync hard to configure. The Google Cloud Platform does not yet offer hardware security modules, Forrester said, though this is planned for the second half of the year.

Leader: Amazon Web Services

Current Offering: 4.9 (out of 5)

Strategy: 3.64 (out of 5)

Market Presence: 4.2 (out of 5)

Amazon Web Services shows a high degree of security thinking at the design time of its Infrastructure-as-a-Service platform, according to Forrester.

The Seattle-based vendor earned perfect scores in Forrester criteria such as hypervisor security; OS and container security; storage and data security; network security; identity and access management plans; network security plans; services and partners; and pricing terms and flexibility, according to Forrester.

AWS' lowest scores – 1 out of 5 – came in the categories of physical security plans and vendor transparency, Forrester said.

Amazon Web Services

Assets: The Amazon Web Services admin console has very flexible and configurable identity and access management routes, Forrester said. Inspector, meanwhile, provides valuable security features for guest operating systems. Amazon Virtual Private Cloud is robust for network separation, Forrester said, while Macie allows for discovery and classification of data in workloads.

Challenges: AWS keeps all its security revenue and customer install base numbers under tight wraps, which Forrester said may hinder customers' ability to adequately judge the product's adoption and fit. The AWS Key Management Service is harder to use than competitors' offerings, according to Forrester, and its dashboards aren't very configurable.

Strong Performer: Microsoft

Current Offering: 3.6 (out of 5)

Strategy: 3.2 (out of 5)

Market Presence: 4.6 (out of 5)

Microsoft is planning to implement passwordless authentication and conditional access, improve developer integration using Microsoft Graph, and provide workload security baselines out of the box, according to Forrester.

The Redmond, Wash.-based vendor earned a perfect score on Forrester criteria such as OS and container security; storage and data security; network security; identity and access management plans; sales staffing; and pricing terms and flexibility, Forrester said.

Microsoft's lowest scores – 1 out of 5 – came in the areas of administrator user management; admin entitlements and certification; hypervisor security plans; vendor's RFP response; and vendor transparency, according to Forrester.

Microsoft

Assets: Seasoned Windows administrators benefit from having much of the Azure management console's security functionality available in PowerShell scripting, according to Forrester. Microsoft Azure offers versatile access reviews for privileged users, robust encryption key vault management, intrusion detection system/intrusion prevention system investigation, and firewall configuration, Forrester said.

Challenges: Multifactor authentication and role-based administration setup in the Microsoft console is difficult, according to Forrester. Navigation in the console is hard due to confusing icons on the left-hand side, Forrester said, and the online, built-in help isn't actually helpful.

Strong Performer: Alibaba

Current Offering: 3.1 (out of 5)

Strategy: 2.92 (out of 5)

Market Presence: 2.6 (out of 5)

Alibaba is planning to offer certified cloud migration paths, improve its data security to cover the entire data life cycle, and improve the automated product security life cycle for code review, penetration testing, and response, according to Forrester.

The Hangzhou, China-based vendor received a perfect score on Forrester criteria such as network security; scale, auditing and integration; guest OS workload security plans; network security plans; vendor's RFP response; and vendor transparency.

Alibaba's lowest scores – 1 out of 5 – came in areas such as admin entitlements and certification; help and documentation; vendor's proof of concept and demonstration; services and partners; sales staffing; support staffing; and pricing terms and flexibility, according to Forrester.

Alibaba

Assets: The Alibaba Cloud provides simple and effective guest OS encryption, has its own key management system, and offers distributed denial-of-service protection and firewalling with deep learning capabilities and strong dashboarding, according to Forrester. Customers find Alibaba's RFP responses easy to evaluate, Forrester said.

Challenges: The Alibaba Cloud is not yet ISO 27017/19 certified and lacks an extensive security partner ecosystem, according to Forrester. It has no native support for containerization, Forrester said, and lacks English admin user interfaces for about 30 percent of relevant functionality.

Strong Performer: IBM

Current Offering: 2.4 (out of 5)

Strategy: 3.04 (out of 5)

Market Presence: 3.4 (out of 5)

IBM has merged its SoftLayer, Bluemix and Platform-as-a-Service capabilities into IBM Cloud. Big Blue plans to imbue machine learning into its configuration management, offer bring-your-own-security to its customers, and support containers and DevOps tool integration.

The Armonk, N.Y.-based vendor received a perfect score in categories such as identity and access management plans; machine-learning plans; services and partners; development staffing; and sales staffing, according to Forrester.

IBM's lowest scores – 1 out of 5 – came in categories such as hypervisor security; storage and data security; network security; certification and attestation plans; hypervisor security plans; security logging and auditing plans; vendor's RFP response; and vendor's proof of concept and demonstration, Forrester said.

IBM

Assets: IBM Cloud has an impressive set of regulatory compliance certifications and a broad implementation partner ecosystem, Forrester said. Customers mention Security Analytics integration with IBM Cloud as a viable offering, according to Forrester.

Challenges: Pricing and market presence information is hard to come by, and role-based access control and hypervisor security are not exposed, according to Forrester. IBM's marketplaces are also behind other cloud platforms, Forrester said.

Contender: CenturyLink

Current Offering: 2.4 (out of 5)

Strategy: 2.24 (out of 5)

Market Presence: 1.4 (out of 5)

CenturyLink plans to implement a vulnerability scanning service, capture NetFlow information for forensic analysis to prevent network attacks, data exfiltration and viruses, and manage and enforce centralized authorization in the offering's management console.

The Monroe, La.-based vendor received a perfect score in categories such as hypervisor security, navigation and integrated environment, security logging and auditing plans, support staffing and vendor transparency, according to Forrester.

CenturyLink's lowest scores – 1 out of 5 – came in categories such as data centers; network security; physical security plans; identity and access management plans; hypervisor security plans; guest OS workload security plans; and network security plans.

CenturyLink

Assets: CenturyLink is a web-based management platform for managing a VMware ESX-based public cloud platform, according to Forrester. Customers report that the vendor's RFP responses are easy to evaluate. The product offers a solid Ansible integration support strategy.

Challenges: CenturyLink lags behind in storage encryption, container support, and identity and access management features in the console such as Active Directory integration and user bulk import, according to Forrester. The company is also playing catch-up around guest OS security features such as file integrity monitoring and anti-malware.

Contender: Rackspace

Current Offering: 1.82 (out of 5)

Strategy: 2 (out of 5)

Market Presence: 2.4 (out of 5)

The Windcrest, Texas-based company received perfect scores in the Canada and U.S. presence and Central and South America presence categories, according to Forrester.

Rackspace's lowest scores – 1 out of 5 – came in categories such as data centers; certifications and attestations; OS and container security; network security; identity and access management plans; security logging and auditing plans; and machine-learning plans, Forrester said.

Rackspace

Assets: Rackspace's offering supports its own Carina container management system and has hooks for linking into Azure identity and access management, according to Forrester. The policy management APIs and scalability of the platform are noteworthy, Forrester said.

Challenges: Cloud hardware security module public cloud platform native security policy setup and management are hard, according to Forrester. Rackspace's RFP responses are difficult to evaluate, Forrester said, and the vendor does not easily share future road map plans with its customers.