Public vs. Private Cloud: Why the public cloud is a real threat to security

The debate on public versus private cloud is a fierce one with advocates on both sides. Security experts, however, consistently fall in the pro-private camp. As a compliance and security expert, I have to agree.

First, let’s be clear on the definitions.

The public cloud is available to the public—in a free or pay-per-use capacity—and is accessible via the web. Some examples include Google Apps, Office 365, file sharing applications such as Box or Dropbox, and so on.

The private cloud, on the other hand, is the same service, but it sits behind your firewall and limits access to your internal departments, employees, customers, etc. in your organization. The private cloud is either run by your IT department or your data center.

Jeff Borek, worldwide program director for cloud computing at IBM, provided some insight into the arguments on both sides in an article for Wired magazine:

“The pro-public crowd has long argued that the ability to consume IT and related services on a pay-per-use model, the speed of access to resources, and the flexibility to add and drop capacity make their approach the only way to go. The pro-private camp is quick to remind clients that enabling private cloud capabilities—either on-site or in a private-hosted environment—provides the highest levels of management visibility, control, security, privacy, and physical data proximity. The peace of mind knowing exactly where your key business and client data resides at all times.”

What’s at stake with any cloud decision is your data. Even a single data breach could do irreparable harm to an organization, including, but not limited to, the following:

  • Loss of productivity
  • Loss of revenue
  • Tarnished reputation
  • Expensive corrective action or fines

Not to mention the amount of time, energy and money you’ll have to dedicate to rebuilding your brand and sales pipeline.

Public vs. private cloud: How do they measure up?

In a piece comparing and contrasting private versus public clouds, David Gewirtz wrote a post for ZDNet that lists pros and cons. Below are some of them.

Public cloud pros:

  • Your data lives behind an enterprise-class firewall.
  • Your data lives in a secure facility, often with multiple degrees of physical security.
  • Thieves intent on stealing your data may not know where it lives.
  • Your gear is not at risk from disgruntled employees.
  • You are not alone when defending against attacks.
  • You are protected from hardware failures.
  • You are protected from sudden surges in demand.

Public cloud cons:

  • Access can be granted from anywhere.
  • Your data must travel “in the wild” over the open internet to your cloud provider.
  • Your vendor might grant physical site access to other tenants.
  • You may be subject to jurisdictional issues, especially when dealing with international issues.
  • You’re dependent on the responsiveness, whims or quality of the vendor.
  • Little established case law.

Private cloud pros:

  • You control the physical servers and access to the servers.
  • Your information lives behind your firewall (you can also add firewall protection when co-locating servers somewhere else).
  • You don’t have to enable internet access to your data and can isolate your data infrastructure.
  • You design the architecture to your needs and preferences.
  • You know who is granted access.
  • Clarity of ownership.
  • No risk if cloud provider shuts down.

Private cloud cons:

  • Your employees have physical access.
  • You may be subject to the whims of nature, your ISP or local power grid.
  • Your security is your responsibility.

Hybrid cloud

What organizations don’t realize is that there’s a third option: a hybrid cloud approach, which can mix and match the best elements of private and public clouds. For example, your development and test environments can “live” in a public load (using test data, of course), so you’re paying for the environments only when you need them. Your production environment can run on your private cloud, where you can guarantee compliance and conformity with all of your various regulatory bodies and edicts.

Choosing your ideal cloud solution

When deciding if you can safely host your data in the public cloud, my biggest recommendation is to understand your data and whether it’s appropriate for the public cloud.

If your organization handles sensitive data such as credit card information, medical records, intellectual property or personally identifiable information (PII), there are certain compliance standards you have to meet that the public cloud won’t be able to adhere to.

To address security concerns related to the cloud, the federal government developed FedRAMP—the Federal Risk and Authorization Management Program—a compliance standard to execute any government agency cloud-hosting contracts. FedRAMP-authorized facilities certify that a cloud service provider meets governmental IT security standards, meeting all federal compliance requirements for data security.

This article was originally featured on Network World. To see the original post, click here.

Rich Banta

Rich Banta

Managing Member at Lifeline Data Centers
Rich is responsible for Compliance and Certifications, Data Center Operations, Information Technology, and Client Concierge Services. Rich has an extensive background in server and network management, large scale wide-area networks, storage, business continuity, and monitoring. Rich is a former CTO of a major health care system. Rich is hands-on every day in the data centers. He also holds many certifications, including: CISA – Certified Information Systems Auditor CRISC – Certified in Risk & Information Systems Management CDCE – Certified Data Center Expert CDCDP – Certified Data Center Design Professional