
Hey, You, Get off of My Cloud

Published 03/22/2011

By Allen Allison

The emerging Public Cloud versus Private Cloud debate is not just about which solution is best. It extends to the very definition of cloud. I won’t pretend that my definitions of public cloud and private cloud match everybody else’s, but I would like to begin by establishing my point of reference for the differences between public and private cloud.

Public Cloud: A multi-tenant computing environment that can deliver on-demand resources in a scalable, elastic manner that is both measured and metered, and often charged, on a per-usage basis. The public cloud environment is typically, but not necessarily, accessible from anywhere – through the internet.

Private Cloud: A single tenant computing environment that may provide similar scalability and over-subscription to the Public Cloud, but solely within the single tenant’s infrastructure. This infrastructure may exist on the tenant’s premises, and may be delivered in a dedicated model through a managed services offering. The private cloud environment is typically accessible from within the tenant’s infrastructure. However, it may be necessary to enable external access via the internet or other connectivity.

It is commonly understood that a cloud environment, whether public or private, has several benefits including lower total cost of ownership (TCO). However, there are considerations that should be made when determining whether the appropriate option is a public or private cloud. Below are some key points to consider, as well as some perceptions, or misperceptions, of the benefits of each.

In a Private Cloud, the owner or tenant may have more flexibility in establishing policies and procedures for provisioning, usage, and security. If specific controls would otherwise impact other tenants in a shared environment, the organization may be given greater control over them within a dedicated environment.

In a Public Cloud, the tenant has less control over the shared resources, the security of the platform, or the compliance of the infrastructure. The tenant, however, may be able to leverage common security controls or compliance certifications that may inspire greater confidence in the use of a managed cloud offering. For example, if the public cloud infrastructure is included in the SAS70 (soon to be replaced by SSAE16) audit by a 3rd party, the tenant may be in a position to offer the controls and compliance as part of their own compliance program.

In a Private Cloud, the owner or tenant may be able to leverage the scalability and capacity management of a platform that is able to handle the over-subscription or provisioning processes of a multi-resource infrastructure. This allows for a consolidation of hardware and management resources, a potential reduction in administrative costs, and a scale that enables the use of idle resources (e.g. memory, CPU, etc.). However, these benefits may come with a significant capital expense, depending on the cost model.

In a Public Cloud, the tenants enjoy greater scalability and capacity benefits because the costs of adding resources or managing the environment are not tied to a single tenant, but spread over all tenants of the platform. Typically, in a public cloud, the tenant is only billed for the use of those resources. This allows for a lower initial expense and a growth in cost to match utilization, which, in many cases, can equate to growth in revenue for the hosted application. Likewise, when the need for resources is reduced, the total cost is also reduced. This can be especially helpful when the platform is used to support a seasonal business (e.g., online merchant).

In a Private Cloud, the tenant has more control over maintenance schedules, upgrades, and the change-management process. This allows for greater flexibility in the managed platform to comply with specific requirements, such as the FDA CFR 21 or NIST 800-53. As the stringent requirements of these regulations impair the flexibility of cloud environments, it is easier to maintain the entire dedicated cloud platform to these specific controls rather than to attempt to carve out exceptions in an otherwise multi-tenant cloud environment.

In a Public Cloud, the costs of the shared security infrastructure that may be available to customers can be spread over multiple tenants. For example, the cloud provider may enable the use of shared firewall resources for the inspection of traffic at the ingress of the cloud environment. Customers can share the costs of maintenance and management as well as the shared hardware resources used to deliver those firewall services. This is important to note when those security resources include threat management and intrusion detection services. Often, the deployment and support of dedicated security infrastructure can be expensive. Furthermore, most security infrastructure can be tailored to comply with most specific regulations or security standards, such as HIPAA, PCI DSS, and others.

It is important to understand how cloud providers deliver managed cloud services on a public cloud platform. Typically, the elastic environment is built on a robust, highly scalable platform with the ability to grow much larger than any individual private cloud environment. This implies that there are a significant number of benefits of scale built into a common platform. This allows for the following benefits to the provider, with a trickle-down effect to each tenant.

  1. The per-unit cost of each additional resource is greatly reduced because a greater number of enhancements can be performed in a public cloud platform than in a private cloud platform.
  2. When a provider delivers security services in a public cloud environment, each tenant gains the benefits of security measures enforced for other clients. For example, if a specific, known vulnerability is remediated for one customer, the same remediation may be easily applied to all customers.
  3. The cloud provider’s reputation may work to the tenant’s advantage. A cloud provider may take better precautions, such as adding additional redundancy, adding capacity sooner, or establishing more stringent change-management programs, for a shared public cloud infrastructure than they may be willing to deliver in a dedicated private cloud. This may lend itself to better Service Level Agreements (SLA), greater availability, better flexibility, and rapid growth.

It is rare that a new cloud customer will require a dedicated cloud infrastructure. This is most often reserved for those in the government, servicing the government, or in highly regulated industries. For the rest, a public cloud infrastructure will likely provide the flexibility, growth, cost savings, and elasticity necessary to make the move from a dedicated physical environment to the cloud. Those who choose to move to the public cloud understand the benefits and are able to leverage their providers to deliver the service levels and manageability to make the cloud experience a positive one.

Allen Allison, Chief Security Officer at NaviSite (www.navisite.com)

During his 20+ year career in the information security industry, Allen Allison has served in management and technical roles, including the development of NaviSite’s industry-leading cloud computing platform; chief engineer and developer for a market-leading managed security operations center; and lead auditor and assessor for information security programs in the healthcare, government, e-commerce, and financial industries. With experience in the fields of systems programming; network infrastructure design and deployment; and information security, Allison has earned the highest industry certifications, including CCIE, CCSP, CISSP, MCSE, CCSE, and INFOSEC Professional. A graduate of the University of California, Irvine, Allison has lectured at colleges and universities on the subject of information security and regulatory compliance.
