Public Versus Private Clouds
Copyright 2018, Faulkner Information Services. All Rights Reserved.
Docid: 00021182
Publication Date: 1805
Report Type: TUTORIAL
Preview
Cloud computing refers to the on-demand delivery of software, infrastructure,
platforms, and other IT resources over the Internet or private network. Cloud computing is conducted via public,
private, and hybrid clouds. Public clouds are shared, community spaces with
services delivered from a hosted environment off site. Private clouds, on the
other hand, are exclusive spaces, usually dedicated in-house and delivered
on-premise, utilizing an enterprise’s own hardware and firewall. The term hybrid
cloud describes a cloud solution combining both public and private clouds.
Report Contents:
- Executive Summary
- Description
- Current View
- Outlook
- Recommendations
- References
- Web Links
- Related Reports
Executive Summary
Cloud computing refers to the on-demand delivery of software, infrastructure,
platforms, and other IT resources over
the Internet or private network. Cloud computing is conducted via public,
private, and hybrid clouds.
Public clouds are shared, community spaces with services delivered from a
hosted environment off site.
Private clouds, on the other hand, are exclusive, customizable spaces, usually dedicated
in-house and delivered on-premise, utilizing an enterprise’s own hardware and
firewall.
The term hybrid cloud describes a cloud solution combining both public and
private clouds.
In general, public clouds are preferred in environments where:
- Rapid scalability (or the ability to expand or contract capacity on-demand) is
required.
- Recruiting and retaining skilled IT personnel is problematic (public
clouds are maintained by public cloud providers).1
In contrast, private clouds are preferred in environments where:
- Budgetary control is paramount (public cloud expenses rise in relation
to use and may be unpredictable).
- Data security is a major concern (outsourcing data to a public cloud
provider does not relieve an enterprise of its data security obligations).2
Personal Cloud
While the choice of public or private clouds is normally made at the
enterprise management level, some enterprise users are exerting their influence
by establishing de facto "personal" clouds, usually by invoking consumer cloud
services like Dropbox to store and process their enterprise data. Such users are
thus bypassing the enterprise IT department, which they often view as
unresponsive, and unilaterally creating their own do-it-yourself cloud
infrastructure – an action which could compromise overall enterprise security.
Description
Cloud computing refers to the on-demand delivery of software, infrastructure,
platforms, and other IT resources over
the Internet or private network. It is similar to utility computing, although it
is not necessarily metered. It is also similar to grid computing, which
is basically a “virtual computer” that uses independent, but networked,
resources for large tasks.
Software as a Service (SaaS) is often considered synonymous with cloud computing, but
infrastructure (IaaS) and platforms (PaaS) as services also fall under the
cloud umbrella. The term "cloud" itself derives from the graphic
cloud used in network diagrams to represent the Internet.
Public Cloud
Public clouds are shared, community spaces. Services are delivered via the
Web by third-party providers, and users only pay for the resources they use.
Since public clouds are not on-premise solutions, user data resides off site.
Private Cloud
Private clouds are exclusive, customizable spaces, usually dedicated in-house and delivered
on-premise, although not always. The bottom line is that private clouds are not
shared with other users and are operated for and/or by one organization.
Enterprises that opt for private clouds typically have their own hardware, and
their data resides behind their own firewall.
Hybrid Cloud
Another type of cloud is the hybrid of public and private. This computing
solution is typically both on- and off-premise, with more sensitive
data residing behind the enterprise firewall in the private cloud, and, for
example, e-mail or less sensitive applications and data residing in the public
cloud.
Current View
There are a number of factors to consider when choosing a cloud
solution.
Renting Vs. Buying
If an enterprise would rather rent than buy, then public clouds are a good
option. Availability and scalability are big lures due to the ability to deploy
and ramp up applications quickly.
However, because public clouds are multi-tenanted, concerns about security may
adversely influence adoption. As a result, many users
favor private clouds and in-house security if they cannot negotiate
acceptable service level
agreements (SLAs).
Return on Investment
In addition to functional and operational considerations, enterprises are
understandably interested in Return On Investment (ROI).
- Will the short-term savings on hardware be greater than the long-term cost of renting?
- Will resource usage – and costs – add up more quickly than anticipated?
Currently, many enterprises still cannot justify pure private cloud solutions
in terms of costs. Yet security concerns
loom large for public clouds, resulting in a catch-22 situation.
Perhaps a hosted private cloud – not public, yet not quite private –
may be the answer if private data can be securely managed and hosted
off-premise.
Total Cost of Cloud Ownership
Closely related to ROI, the total cost of cloud ownership (TCCO) should be
calculated before choosing between public and private cloud options. Analyst
David Newman has identified "six key steps to understanding the true costs of
the cloud platform you’re considering:
- "Identify Your Usage Cycle – If you only use your cloud
sporadically, a public option that is pay-as-you-use could be best. If you
use it daily for secure business processes, you could benefit from a private
cloud.
- "Determine Hosting Models – Your current TCO [should diminish] when using the cloud. You must accurately calculate
these reductions to see what your TCO will look like once the cloud is
implemented.
- "Identify Variable Costs – Costs associated with a public cloud are variable due to its pay-as-you-use
policy. In comparison, data costs remain fixed with a private cloud. However,
[some costs like] bandwidth may vary depending on your use.
- "Calculate Cost of Internal Management – Even with a public
cloud, your internal management will not be reduced to zero. You will still
need to have an IT department to oversee the proper use of the cloud option
you choose.
- "Manage Transition Costs – Your transition costs include anything
associated with the complete transition from your old model to the new cloud
model. This could include training, troubleshooting and consulting.
- "Determine IT Life Cycle Costs – To effectively determine your
true TCO, you need to consider your IT life cycle and the costs associated with
it. With the new cloud option, your IT department and life cycle will
change."3
Legacy App Migration
Often the decision between public and private clouds comes down to
accommodating legacy
applications. If an enterprise has invested heavily in legacy applications,
migrating to custom-designed private clouds may be indicated. Migrating legacy
applications to, or re-engineering them for, public clouds may be
cost-prohibitive.
Business Continuity
The use of public clouds can help enterprises maintain critical
business operations in the event of natural disasters or other disruptions that
disable enterprise data centers.
Outlook
The size of an enterprise is very important in the debate between public
versus private versus hybrid clouds. For example:
- Will public clouds enable smaller enterprises to save money upfront and ramp up quickly to be
competitive in the marketplace?
- Will private clouds be more attractive
to enterprises that have more in-house expertise, bigger IT budgets,
and more hardware in place?
- Will hybrids be the answer to address
challenges of cost savings and security issues at the same time?
When deciding on the right cloud solution, an enterprise needs to ask
itself several questions in order to develop a feasible strategy.
- How much existing infrastructure is in place? If not much, perhaps public
clouds are a viable solution for infrastructure needs. If a lot,
perhaps some can be repurposed to host private clouds or help in deploying a hybrid solution.
- How much data is regulated? If not much, perhaps public clouds (despite
potential security problems) can be used. If a lot, perhaps the data
needs to remain behind a private cloud’s firewall. Or a hybrid solution may be the most viable choice.
- How many legacy applications are in place? If few, then perhaps new
application development can be targeted for use with public clouds. If
many, then will a private cloud be able to leverage more of them
without costly re-engineering? Does a migration strategy need to be
developed to future-proof the business and take into account a hybrid model?
- Are employees or divisions already using public or personal clouds for services and
applications? If not, then a proactive policy should be developed to
forestall potential security breaches. If so, then a reactive policy
needs to be developed – fast – or perhaps usage needs to be cut off until
a policy is in place to ensure compliance.
- Can certain applications be moved to public clouds more readily than
others? For example, e-mail and social applications may be easily and
safely moved to public clouds, while financial applications and data
may need to be firewalled with a private cloud. In other words, is a hybrid solution the best choice?
- Are SLAs necessary to ensure an enterprise’s performance? Are five nines (99.999%)
required? If public clouds cannot guarantee this performance for
on-demand services, then they are not an option.
- Which security concerns are valid? Will providers allow users visibility to
their security measures or can cloud security vendors sufficiently alleviate worries?
- Does the enterprise suffer from a
talent shortage in IT? If so, cloud solutions of any and all types may
become more of a necessity.
Bottom line: security concerns remain and, until fears can be alleviated, enterprises may still try to avoid cloud solutions no matter the immediate
cost savings or availability of applications. Although many public cloud providers
use encryption and self-defending mechanisms, these providers often do not
give users much visibility into their security or assume liability for
sensitive data. Thus, users feel their fears, whether
real or perceived, may be justified.
Recommendations
According to CoreSite, private clouds are best suited for applications that use:
- Employee data
- Financial data
- Data required to satisfy compliance requirements (healthcare, finance,
government)
Public clouds are a good fit for:
- SaaS applications, using a pay-as-you-go model
- CRM applications
- Development platform services4
Since the public cloud option is more viable than the private or hybrid models
for many enterprises, especially
small-to-medium-sized enterprises (SMEs), finding a way to live with public
cloud infrastructure – including public cloud security (or insecurity) – is
paramount. According to the US
National Institute of Standards and Technology (NIST), when considering the
public option, a prospective enterprise client should concentrate on the
following criteria:
Enterprise Governance: Extend
enterprise practices pertaining to the policies, procedures, and standards used
for application development and service provisioning to the public cloud, as
well as the design, implementation, testing, use, and monitoring of deployed or
engaged services. Enterprise governance standards cannot be relaxed.
Regulatory Compliance: Understand
the various laws and regulations that impose security and privacy obligations on
the enterprise and potentially impact cloud computing initiatives, particularly
those involving data location, privacy and security controls, records
management, and electronic discovery requirements. Review and assess the
cloud provider’s offerings with respect to the enterprise requirements to be
met, and ensure that the contract terms adequately satisfy the requirements. Compliance cannot be compromised.
Process Transparency: Ensure that service arrangements have sufficient means to allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance over time.
Data Ownership: Establish clear,
exclusive ownership rights over data. This is crucial in the event a client elects to terminate the cloud contract (usually as a result of
cloud provider non-performance).
Security Practices: Understand the
underlying technologies that the cloud provider uses to provision services.
Identity/Access Management: Ensure
that adequate safeguards are in place to secure authentication, authorization,
and other identity and access management functions, and are suitable for the
enterprise.
Virtualization Infrastructure: Understand virtualization and other logical isolation techniques that the cloud
provider employs in its multi-tenant software architecture, and assess the risks
involved for the enterprise.
Data Protection: Evaluate the
suitability of the cloud provider’s data management solutions for the enterprise data concerned, and the ability to control access to data, to secure data while at rest, in transit, and in use, and to sanitize data.
Data Colocation: Take into
consideration the risk of colocating enterprise data with that of other
enterprises whose threat profiles are high or whose data collectively represent significant concentrated value.
Incident Management: Understand the
contract provisions and procedures for incident response and ensure that they
meet the requirements of the enterprise. Ensure that the enterprise can respond to incidents in a coordinated fashion with the cloud provider in accordance with their respective roles and responsibilities for the computing environment.
Business Continuity: Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed, and that all operations can be eventually reinstituted in a timely and organized manner.5
References
1 Peter Harrison. "Public Cloud vs. Private Cloud: 8 Factors (Beyond
Cost) to
Consider." Future US, Inc. November 3, 2014.
2 Ibid.
3 Daniel Newman. "Public vs. Private Cloud: How to Evaluate Total Cost of
Ownership." IBM. January 24, 2018.
4 "Public Cloud Vs. Private Cloud: What’s Best?" CoreSite. October 3, 2016.
5 Wayne Jansen and Timothy Grance. SP 800-144: "Guidelines on
Security and Privacy in Public Cloud Computing." US National Institute of
Standards and Technology. December 2011:35-36.
Web Links
- International Organization for Standardization: http://www.iso.org/
- Markets and Markets: http://www.marketsandmarkets.com/
- US National Institute of Standards and Technology: http://www.nist.gov/
About the Author
James G. Barr is a leading business continuity analyst
and business writer with more than 30 years’ IT experience. A member of
"Who’s Who in Finance and Industry," Mr. Barr has designed,
developed, and deployed business continuity plans for a number of Fortune 500
firms. He is the author of several books, including How to Succeed in
Business BY Really Trying, a member of Faulkner’s Advisory Panel, and a
senior editor for Faulkner’s Security Management Practices. Mr.
Barr can be reached via e-mail at jgbarr@faulkner.com.