Jun 13 2014
Cloud

Differences in Public-Cloud Versus Private-Cloud Security

Here are 11 security considerations that IT administrators should weigh as they approach that decision.
Karen Scarfone
by

Karen Scarfone is the principal consultant for Scarfone Cybersecurity. She provides cybersecurity publication consulting services to organizations and was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST).

When planning a cloud deployment, choosing a public-cloud or private-cloud model is one of the most important decisions to be made, especially from a security perspective. IT administrators should weigh 11 considerations as they approach making that decision.

  1. How significant are cost savings among the motivations for moving to the cloud? Generally speaking, greater cost savings can be achieved by moving to a public cloud; lesser savings are achieved in a private cloud. IT decision-makers should carefully evaluate the relative costs of public and private architectures and use cost as a factor in the process, being careful to factor in security-related costs and the potential cost of data breaches.

  2. Who needs access to data and applications? If only internal staff members need access to the data and applications, it may make more sense to go with a private cloud. If the general public is going to be accessing the data and applications, a public cloud often makes more sense (in part because it’s likely that the data isn’t as sensitive).

  3. How much of a security concern are other applications? Many organizations avoid public clouds and some even avoid private clouds, because of the increased risks of having multiple applications on the same physical server. For applications with particularly sensitive data or services, the traditional architecture of full isolation — (having the resources for one application on a dedicated server) may still provide the best security model.

  4. Is the organization willing to trust a third party with its data? This ultimately depends on how sensitive the data is, what the threats are against it, and how much risk the organization is willing to accept. Many IT shops keep the most sensitive data out of public clouds because of the increased risk of compromise, and some organizations are prohibited from using public clouds because of compliance concerns.

  5. How much visibility do you need into data and application security? For some types of data, such as data that is available to the general public, organizations may want to log usage of the data for analytical purposes. But it’s not critical to know who is accessing which pieces of data. For particularly sensitive data, extensive visibility is needed because of regulations that require detailed logging of all access. The more visibility an organization needs into security, the more likely it is to favor a private cloud over a public cloud.

  6. What types of network-based and host-based security controls are required for monitoring application activity? Some enterprises rely heavily on certain security controls, such as intrusion detection systems. Such security controls might be available in a public cloud, but are much more likely to be available in a private cloud. If an organization requires certain security controls to meet its own policies or external regulations, it should investigate whether they are available from a public-cloud provider.

  7. What specific security tools does the organization want to use for cloud security monitoring and maintenance? Many prefer to standardize the use of specific security tools, such as firewalls or intrusion detection systems. But when considering the use of such tools for a cloud deployment, an organization should weigh whether the tools are cloud-friendly or have cloud-friendly versions (for example, are they designed to work with a hypervisor or within a guest operating system?). In addition to hardware, this consideration should be applied to tools such as anti-virus and patch management software.

  8. Does the IT staff have the security expertise necessary to secure data and applications in a private cloud? IT shops with limited resources may not have the expertise necessary to ensure that data and applications migrated to a private cloud environment will be secured and will remain secure. Instead, they may prefer to use a public cloud and rely more heavily on the security expertise of the cloud provider’s staff.

  9. How much scalability and flexibility does the organization need in its cloud hosting? If processing and bandwidth use are stable, then both public and private clouds may be valid options. If the organization expects to have major swings in processing and bandwidth needs, a public cloud might be necessary to address them in a cost-effective manner.

  10. Would a multiple-cloud solution fit best? Enterprises frequently use multiple clouds. They may deploy public clouds for certain data and applications, and use one or more private clouds for sensitive or internally facing data and applications. These clouds can be mixed together as a hybrid cloud, appearing as a single virtual cloud, or they can remain separate. Keeping them separate is advisable in many cases, especially where different levels of risk or risk mitigation measures are in place.

  11. What about physical security? When an organization’s IT infrastructure is hosted offsite, it’s important to understand how the service provider controls physical access to its data center. Enterprises should know how vendors get assurances from employees that they will protect their customers’ information.

Want to learn more? Check out CDW’s white paper, “Peace of Mind Security in Public and Private Clouds.”

Robert Churchill/ThinkStock

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now