I get asked with some frequency whether a private cloud is inherently more secure than a public cloud. How I answer that question depends on how I feel on any given day.
OK, not really. Yet the question, as I often point out, proceeds from a false premise. People assume that there are straightforward differences between private and public clouds that can be enumerated and used to make business decisions about which type of cloud best suits your enterprise.
False may be the wrong word for that premise — let's call it incomplete. The complete premise — and my complete answer to the question — goes something like this:
There are well-run, secure, and highly effective private clouds, just as there are well-run, secure, and highly effective public ones. The private/public cloud divide has a lot more to do with the resources, commitment, and long-term strategy your enterprise is pursuing (or is likely to pursue) than it does with the virtues and flaws of one approach to virtualization over another.
Sounds a bit simplistic, and undoubtedly it is. But in a field as complex as shifting to cloud-based resources and services, sometimes a bit of simplicity can help clear the air around the clouds.
Undertaking a private cloud project, even one with well-defined borders, goals and purpose, requires a level and degree of engagement that you — or your predecessors — may not have encountered since the shift from mainframes and terminals to PCs and desktops. Virtualizing the business environment will tax every aspect of your relationship with other business and operating divisions, and challenge your budget. It will also force you to reevaluate decisions regarding existing hardware and software (not to mention various clients throughout the enterprise) and look for corners to cut when budgets are strained.
It will definitely force you to call upon your powers of improvisation, adaptation, and evolution as the project itself evolves.
Done right — that "well-run, secure and highly effective" ideal — your private cloud will be a boon to your enterprise. But every one of those steps mentioned above, and all the dozens if not hundreds (or thousands!) of other virtualization steps not mentioned here, raises security issues and questions that must be addressed. Miss one, and — well, you've got a private cloud with a possible public vulnerability.
The same challenges are faced by public clouds, of course — and sometimes faced badly, as cloud breach-related headlines show from time to time. Yet the cloud itself, and its security, is essential to the cloud provider’s business. That's where public cloud companies enjoy a bit of an advantage: They don't have to "sell" their executives on the virtues and expense of a properly configured cloud. They want to do it — which may differ from the reaction you get from your management when costs escalate.
Bottom-line (and that always enters into it), I'd say that the largest security advantages of the private cloud are your retention of control over your data and your processes within your own perimeter. You also get the confidence — and headaches — that come from knowing that you and your team are in charge of the private cloud's security.
Private cloud is the way to go only if you get and retain all of the resources and support that creating it will require. Otherwise, go public.
| 
|
