The answer is an unqualified "it depends." Find out why.
By Alan Radding
July 07, 2011
Imagine a customer being able to do within its own private data center what a public cloud provider does: create a new disk or server or start new instances of an application in seconds, and do so without much IT skill. A business manager might be able to do it simply by choosing from dozens or hundreds of available templates spanning a range of operating systems. “That, in a nutshell, is what the customer could have by building a private cloud,” says Mark Teter, CIO of Advanced Systems Group, a data management solutions company in Denver.
Sounds like something certain customers, the self-provisioning types, would jump at. The private cloud is one of two basic cloud options—public or private—customers have today. Each comes with its own advantages, disadvantages, costs, and complications, observes Don Angspatt, vice president of product management for Symantec Corp.’s Storage and Availability Management Group, with headquarters in Mountain View, Calif.
The choice of which cloud type raises questions about security, but security is not the only issue to consider when choosing between public and private clouds. Customers also need to think about costs, technical skills, and the state of their existing IT infrastructure, among other things. Even then, says Angspatt, decisions are not always clear-cut; technology vendors and VARs will have to work through the issues with each customer. There is no one-size-fits-all solution.
But the security question remains foremost: Which is safer, a public or private cloud?
Neither, suggests Greg Schulz, founder and senior analyst at The Server and StorageIO Group. “There is no such thing as a bad public or private cloud, only bad usage or deployment,” notes Schulz. “If used for the right things and deployed correctly, both public and private clouds are safe. If used in the wrong manner by ignoring basic best practices, both can be vulnerable.”
The number one concern about clouds among top management is security. The number two spot goes to control. Faced with these two concerns, it makes sense to recommend a private cloud. The private cloud positions IT resources behind the firewall and makes those resources and capabilities accessible to users as network services, usually through a browser. If safety or security is the top concern, the private cloud, given its location behind the firewall, appears to be a no-brainer.
Not necessarily, notes Schulz: “There is a common myth that just because a resource is internal to an organization and inside the firewalls it is safe.” Research continues to show that many threat risks are internal, not external. Yes, there are bad guys out there in the wider world who would love to hack your systems, steal your confidential information, and plant bots and other malware on the organization’s systems.
However, there also are people internally—disgruntled employees, clueless workers, and careless staff—who can quite easily create havoc with the systems intentionally or inadvertently if the organization lets down its guard and skips best security practices because the private cloud sits behind the firewall. At a recent webinar on cloud computing for CFOs, for example, the speaker addressed the assumption that private clouds are invariably safe by asking if any of the attendees had experienced any sort of security breach of their internal systems. Almost all had.
On the other hand, public cloud providers know they are under the gun when it comes to security, and most have been beefing up their security capabilities and professionalism. Where they more often fall short is in providing access to the customer’s auditors, allowing customized service-level agreements, and accommodating the customer’s governance policies.
To return to the original “which is safer” question, the best answer is “it depends.” But that’s not the answer the customer wants to hear. So, VARs and integrators must patiently educate customers on the facts of cloud life—that either cloud type can be safe or unsafe depending on how well it is implemented, deployed, and operated. Ultimately, cloud security depends on the customer selecting a proven, conscientious, and competent cloud VAR or integrator.
For more on cloud security, be sure to check out our related resources: