Public Versus Private Clouds

by James G. Barr

Docid: 00021182

Publication Date: 1805

Report Type: TUTORIAL


Cloud computing refers to the on-demand delivery of software, infrastructure,
platforms, and other IT resources over the Internet or private network. Cloud computing is conducted via public,
private, and hybrid clouds. Public clouds are shared, community spaces with
services delivered from a hosted environment off site. Private clouds, on the
other hand, are exclusive spaces, usually dedicated in-house and delivered
on-premise, utilizing an enterprise’s own hardware and firewall. The term hybrid
cloud describes a cloud solution combining both public and private clouds.

Executive Summary

Cloud computing refers to the on-demand delivery of software, infrastructure,
platforms, and other IT resources over
the Internet or private network. Cloud computing is conducted via public,
private, and hybrid clouds.

Public clouds are shared, community spaces with services delivered from a
hosted environment off site.

Private clouds, on the other hand, are exclusive, customizable spaces, usually dedicated
in-house and delivered on-premise, utilizing an enterprise’s own hardware and

The term hybrid cloud describes a cloud solution combining both public and
private clouds.

In general, public clouds are preferred in environments where:

  • Rapid scalability (or the ability to expand or contract capacity on-demand) is
  • Recruiting and retaining skilled IT personnel is problematic (public
    clouds are maintained by public cloud providers).1

In contrast, private clouds are preferred in environments where:

  • Budgetary control is paramount (public cloud expenses rise in relation
    to use and may be unpredictable).
  • Data security is a major concern (outsourcing data to a public cloud
    provider does not relieve an enterprise of its data security obligations).2

Personal Cloud

While the choice of public or private clouds is normally made at the
enterprise management level, some enterprise users are exerting their influence
by establishing de facto "personal" clouds, usually by invoking consumer cloud
services like Dropbox to store and process their enterprise data. Such users are
thus bypassing the enterprise IT department, which they often view as
unresponsive, and unilaterally creating their own do-it-yourself cloud
infrastructure – an action which could compromise overall enterprise security.


Cloud computing refers to the on-demand delivery of software, infrastructure,
platforms, and other IT resources over
the Internet or private network. It is similar to utility computing, although it
is not necessarily metered. It is also similar to grid computing, which
is basically a “virtual computer” that uses independent, but networked,
resources for large tasks.

Software as a Service (SaaS) is often considered synonymous with cloud computing, but
infrastructure (IaaS) and platforms (PaaS) as services also fall under the
cloud umbrella. The term "cloud" itself derives from the graphic
cloud used in network diagrams to represent the Internet.

Public Cloud

Public clouds are shared, community spaces. Services are delivered via the
Web by third-party providers, and users only pay for the resources they use.
Since public clouds are not on-premise solutions, user data resides off site. 

Private Cloud

Private clouds are exclusive, customizable spaces, usually dedicated in-house and delivered
on-premise, although not always. The bottom line is that private clouds are not
shared with other users and are operated for and/or by one organization.
Enterprises that opt for private clouds typically have their own hardware, and
their data resides behind their own firewall.

Hybrid Cloud

Another type of cloud is the hybrid of public and private. This computing
solution is typically both on- and off-premise, with more sensitive
data residing behind the enterprise firewall in the private cloud, and, for
example, e-mail or less sensitive applications and data residing in the public

Current View

There are a number of factors to consider when choosing a cloud

Renting Vs. Buying

If an enterprise would rather rent than buy, then public clouds are a good
option. Availability and scalability are big lures due to the ability to deploy
and ramp up applications quickly.

However, because public clouds are multi-tenanted, concerns about security may
adversely influence adoption. As a result, many users
favor private clouds and in-house security if they cannot negotiate
acceptable service level
agreements (SLAs).

Return on Investment

In addition to functional and operational considerations, enterprises are
understandably interested in Return On Investment (ROI).

  • Will the short-term savings
    on hardware be greater than the long-term cost of renting?
  • Will resource usage – and costs – add up more quickly than anticipated?

Currently, many enterprises still cannot justify pure private cloud solutions
in terms of costs. Yet security concerns
loom large for public clouds, resulting in a catch-22 situation.
Perhaps a hosted private cloud – not public, yet not quite private –
may be the answer if private data can be securely managed and hosted

Total Cost of Cloud Ownership

Closely related to ROI, the total cost of cloud ownership (TCCO) should be
calculated before choosing between public and private cloud options. Analyst
David Newman has identified "six key steps to understanding the true costs of
the cloud platform you’re considering:

  1. "Identify Your Usage Cycle – If you only use your cloud
    sporadically, a public option that is pay-as-you-use could be best. If you
    use it daily for secure business processes, you could benefit from a private
  2. "Determine Hosting Models – Your current TCO [should diminish] when using the cloud. You must accurately calculate
    these reductions to see what your TCO will look like once the cloud is
  3. "Identify Variable Costs – Costs associated with a public cloud are variable due to its pay-as-you-use
    policy. In comparison, data costs remain fixed with a private cloud. However,
    [some costs like] bandwidth may vary depending on your use.
  4. "Calculate Cost of Internal Management – Even with a public
    cloud, your internal management will not be reduced to zero. You will still
    need to have an IT department to oversee the proper use of the cloud option
    you choose.
  5. "Manage Transition Costs – Your transition costs include anything
    associated with the complete transition from your old model to the new cloud
    model. This could include training, troubleshooting and consulting.
  6. "Determine IT Life Cycle Costs – To effectively determine your
    true TCO, you need to consider your IT life cycle and the costs associated with
    it. With the new cloud option, your IT department and life cycle will

Legacy App Migration

Often the decision between public and private clouds comes down to
accommodating legacy
applications. If an enterprise has invested heavily in legacy applications,
migrating to custom-designed private clouds may be indicated. Migrating legacy
applications to, or re-engineering them for, public clouds may be

Business Continuity

The use of public clouds can help enterprises maintain critical
business operations in the event of natural disasters or other disruptions that
disable enterprise data centers.


The size of an enterprise is very important in the debate between public
versus private versus hybrid clouds. For example:

  • Will public clouds enable smaller enterprises to save money upfront and ramp up quickly to be
    competitive in the marketplace?
  • Will private clouds be more attractive
    to enterprises that have more in-house expertise, bigger IT budgets,
    and more hardware in place?
  • Will hybrids be the answer to address
    challenges of cost savings and security issues at the same time?

When deciding on the right cloud solution, an enterprise needs to ask
itself several questions in order to develop a feasible strategy.

  • How much existing infrastructure is in place? If not much, perhaps public
    clouds are a viable solution for infrastructure needs. If a lot,
    perhaps some can be repurposed to host private clouds or help in deploying
    a hybrid solution.
  • How much data is regulated? If not much, perhaps public clouds (despite
    potential security problems) can be used. If a lot, perhaps the data
    needs to remain behind a private cloud’s firewall. Or a hybrid solution
    may be the most viable choice.
  • How many legacy applications are in place? If few, then perhaps new
    application development can be targeted for use with public clouds. If
    many, then will a private cloud be able to leverage more of them
    without costly re-engineering? Does a migration strategy need to be
    developed to future-proof the business and take into account a hybrid model?
  • Are employees or divisions already using public or personal clouds for
    services and applications? If not, then a proactive policy should be
    developed to forestall potential security breaches. If so, then a reactive
    policy needs to be developed – fast – or perhaps usage needs to be cut off
    until a policy is in place to ensure compliance.
  • Can certain applications be moved to public clouds more readily than
    others? For example, e-mail and social applications may be easily and
    safely moved to public clouds, while financial applications and data
    may need to be firewalled with a private cloud. In other words, is a
    hybrid solution the best choice?
  • Are SLAs necessary to ensure an enterprise’s performance? Are five nines
    (99.999%) required? If public clouds cannot guarantee this performance for
    on-demand services, then they are not an option.
  • Which security concerns are valid? Will providers allow users visibility to
    their security measures or can cloud security vendors sufficiently
    alleviate worries?
  • Does the enterprise suffer from a talent shortage in IT? If so, cloud
    solutions of any and all types may become more of a necessity.

Bottom line:
security concerns remain and, until fears can be alleviated, enterprises may still try to avoid cloud solutions no matter the immediate
cost savings or availability of applications. Although many public cloud providers
use encryption and self-defending mechanisms, these providers often do not
give users much visibility into their security or assume liability for
sensitive data. Thus, users feel their fears, whether
real or perceived, may be justified.


According to CoreSite, private clouds are best suited for applications that use:

  • Employee data
  • Financial data
  • Data required to satisfy compliance requirements (healthcare, finance,

Public clouds are a good fit for:

  • SaaS applications, using a pay-as-you-go model
  • CRM applications
  • Development platform services4

Since the public cloud option is more viable than the private or hybrid models
for many enterprises, especially
small-to-medium-sized enterprises (SMEs), finding a way to live with public
cloud infrastructure – including public cloud security (or insecurity) – is
paramount. According to the US
National Institute of Standards and Technology (NIST), when considering the
public option, a prospective enterprise client should concentrate on the
following criteria: 

Enterprise Governance: Extend
enterprise practices pertaining to the policies, procedures, and standards used
for application development and service provisioning to the public cloud, as
well as the design, implementation, testing, use, and monitoring of deployed or
engaged services. Enterprise governance standards cannot be relaxed.

Regulatory Compliance: Understand
the various laws and regulations that impose security and privacy obligations on
the enterprise and potentially impact cloud computing initiatives, particularly
those involving data location, privacy and security controls, records
management, and electronic discovery requirements. Review and assess the
cloud provider’s offerings with respect to the enterprise requirements to be
met, and ensure that the contract terms adequately satisfy the requirements. Compliance cannot be compromised.

Process Transparency: Ensure that service arrangements have sufficient means to allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance over time.

Data Ownership: Establish clear,
exclusive ownership rights over data. This is crucial in the event a client elects to terminate the cloud contract (usually as a result of
cloud provider non-performance).

Security Practices: Understand the
underlying technologies that the cloud provider uses to provision services.

Identity/Access Management: Ensure
that adequate safeguards are in place to secure authentication, authorization,
and other identity and access management functions, and are suitable for the

Virtualization Infrastructure: Understand virtualization and other logical isolation techniques that the cloud
provider employs in its multi-tenant software architecture, and assess the risks
involved for the enterprise.

Data Protection: Evaluate the
suitability of the cloud provider’s data management solutions for the enterprise data concerned, and the ability to control access to data, to secure data while at rest, in transit, and in use, and to sanitize data.

Data Colocation: Take into
consideration the risk of colocating enterprise data with that of other
enterprises whose threat profiles are high or whose data collectively represent significant concentrated value.

Incident Management: Understand the
contract provisions and procedures for incident response and ensure that they
meet the requirements of the enterprise. Ensure that the enterprise can respond to incidents in a coordinated fashion with the cloud provider in accordance with their respective roles and responsibilities for the computing environment.

Business Continuity: Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed, and that all operations can be eventually reinstituted in a timely and organized manner.5


1 Peter Harrison. "Public Cloud vs. Private Cloud: 8 Factors (Beyond Cost) to
Consider." Future US, Inc. November 3, 2014.

2 Ibid.

3 Daniel Newman. "Public vs. Private Cloud: How to Evaluate Total Cost of
Ownership." IBM. January 24, 2018.

4 "Public Cloud Vs. Private Cloud: What’s Best?" CoreSite. October 3, 2016.

5 Wayne Jansen and Timothy Grance. SP 800-144: "Guidelines on
Security and Privacy in Public Cloud Computing." US National Institute of
Standards and Technology. December 2011:35-36.

About the Author

James G. Barr is a leading business continuity analyst
and business writer with more than 30 years’ IT experience. A member of
"Who’s Who in Finance and Industry," Mr. Barr has designed,
developed, and deployed business continuity plans for a number of Fortune 500
firms. He is the author of several books, including How to Succeed in
Business BY Really Trying, a member of Faulkner’s Advisory Panel, and a
senior editor for Faulkner’s Security Management Practices. Mr.
Barr can be reached via e-mail at
