Cloud computing is no longer hype; it is the reality today for most organizations because of the numerous benefits that it brings. Cloud computing is not without its risks, however.
There are three main deployment models for cloud computing—private cloud, public cloud, and a hybrid mix of the two.
Private, Public, and Hybrid Cloud - How Are They Different?
The US National Institute of Standards and Technology (NIST) provides the following definitions for each of these deployment models:
- Private cloud—the cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers, such as business units. It may be owned, managed and operated by the organization, a third party, or a combination of the two. It may exist on or off the organization's premises.
- Public cloud—the cloud infrastructure is provisioned for use by the general public. It may be owned, managed and operated by a business, academic or government organization, or some combination of them. It exists on the premises of the cloud provider.
- Hybrid cloud—the cloud infrastructure is a composition of distinct cloud infrastructures, public and private, that remain unique entities, but that are bound together by standardized or proprietary technology that enables data and application portability, such as cloud bursting for load balancing between clouds.
Public clouds aim to serve as large a customer base as possible at an attractive price and to offer standard services to all customers. They are therefore highly structured and automated. They operate on standard models, including security and the conditions of the service-level agreements (SLAs) offered, with organizations only able to set the terms of the SLA in very few cases, and generally only if they are sufficiently large to have the clout to do so.
Organizations should therefore carefully scrutinize the security controls that are offered by public cloud providers to ensure that they are sufficient for their needs. Where there are any doubts or where data is considered to be too critical to the organization to place in the hands of a third party, many organizations will opt to keep that data in-house. In some cases, this will result in an organization using a hybrid mix of public and private cloud deployment models, or opting to keep on using traditional on-premise applications—especially smaller organizations that cannot afford to set up their own private clouds.
Risks and Disadvantages of Different Deployment Models
One of the most often cited concerns with the use of public cloud services is that some feel security is weaker, with objections raised including co-mingling of data with that of other organizations in a multi-tenant environment, and fears over the security of data both when transferred over the internet and when it is being processed or stored in the cloud. However, such concerns need not be a risk to the organization if the service provider has the necessary controls in place, such as privileged user management controls and strong encryption, with the keys held by the customer in their own possession. Organizations should look for service providers that offer a strong data assurance framework. They should also look for assurances that the service provider upholds strong security standards through regular audits and through adherence with frameworks such as ISO 27001. It is no longer considered sufficient that a service provider has a general-purpose certification such as SAS 70.
Reliability and availability are also perceived to be issues—and there have been some well-publicized cases of outages among the major cloud service providers that have affected all of their customers simultaneously. Organizations should not only rely on guarantees provided by service providers over uptime, but should demand to see performance records that attest to those levels being met. Most SLAs provide not only guarantees of uptime, but also provide recompense should those guarantees not be met. However, in many cases, it is up to the customer to proactively demand that they be recompensed. Organizations should also ensure that backup and disaster recovery capabilities that are provided do not lead to their data being stored in a jurisdiction that would leave them out of compliance with the local data protection regulations that they face.
One other major risk is that the organization will lose control over its own data, which could lead to its losing data. Organizations should therefore ensure that adequate controls are in place regarding ownership of the data and what should happen to that data once the contract has expired or should the service provider go out of business.