Security Think Tank: Choose public or private cloud with a clear head

Hybrid cloud environments provide the most flexibility, but how can businesses decide when public or private cloud is more appropriate?

Companies are increasingly using cloud services to gain business agility, lower costs and put pressure on internal IT teams to improve.

The question of whether a company should use public or private cloud service cannot be answered without some definitions first.

Fortunately, the Cloud Security Alliance has done a tremendous amount of good work by publishing comprehensive guidance on cloud computing. In the guidance, a public cloud is defined as one in which multiple customers, who are not related to each other, share the service. Consequently, a private cloud is the opposite of public, but with a twist. There are two types of private cloud defined: on-premise and off-premise.

As the names suggest, the former is in the customer's datacentre, most likely operated by the IT team, while the latter consists of infrastructure, platform or software services provided to a customer with the assurance that the service is not shared with other customers. There is, however, an important aspect of the “not shared” property of which businesses need to be aware.

In most private cloud deployments, a lower level of the technology stack is often shared with other customers. For example, if I subscribe to a private email system, the network or storage it uses might be shared with other private email instances.

From my experience, the main decision points that drive selection between public and private clouds are legal concerns (mainly data privacy requirements), system architecture requirements, and cost.

Many companies choose private clouds to comply with data privacy legislation. The seventh data protection principle requires companies to protect data from unauthorised and unlawful processing, as well as against accidental loss, destruction or damage. This openly worded principle can be interpreted and implemented in numerous ways. Consequently, companies may opt for a more expensive private cloud offering to reduce the risk of breaching this important principle.

I have also seen companies choosing a private cloud offering, for example Amazon’s VPC and Dedicated Instances, to allow integration of the cloud architecture into their enterprise IT systems architecture. Such a decision should be driven by the capabilities of the cloud provider and the level of integration required.

Finally, my recommendation is for companies to research cloud providers’ offers carefully and make risk assessments based on their business requirements. There is ultimately a trade-off in choosing one or another, and any choice needs to be justified.

Vladimir Jirasek is managing director of Jirasek Consulting Services.
