Is a private cloud really more secure?
Working in the cloud opens your eyes to a lot of possibilities when it comes to SaaS (Software as a Service), IaaS (Infrastructure as a Service) and even NaaS (Networking as a Service). However, most of the questions I get asked are not about the possibilities of the cloud, but about how secure cloud computing and cloud-based solutions truly are.
The answer to this question is a toss-up yes-no response. Think about it… it’s like asking if baseball is safer to play than football, or if running has better health benefits than swimming. The question is what is in error, not the answer or the manner in which we try to answer it.
So, let’s ask a better question…
Is the private cloud more or less secure than the public cloud, based on my particular needs?
And my answer?
There are secure, compliant (PCI and HIPAA) and well-run cloud services among both private cloud and public cloud solutions. The debate over, and separation between, private cloud and public cloud solutions has a lot more to do with the agreements, resources, commitments and long-term strategy that your particular business or enterprise is trying to achieve than with the simple, and probably more human-like, interpretations of flaws and approaches that cause the divide itself.
What I’m trying to say is that each business need will dictate what that particular solution is. In a cloudy mist of problems, the cloud should afford you solid security standards, as well as an ability to see which solutions and services in the cloud will be right for your organization.
The core of a private cloud project
Beginning any private cloud project, even one that uses incredible amounts of planning, well-thought-out and laid-out organization rules, and clear borders and goals, requires a level of participation that has never been seen before in computing and data management. What you are talking about is taking your organization’s business rules and security procedures that were once ‘hands-on’ and digitizing them in a scaling environment.
Many changes will need to happen in order to begin any project of this nature, including the following:
- Internal business relationships and communications
- External business relationships including customers, business partners and more
- Budgeting requirements
- Business life-cycle evolution (adapt, improvise, evolve, excel)
- Creation of new business and security rules for your new business environment
When done right, the minds that create the well-thought-out, well-run and secure plan of action will have created an incredibly secure and useful cloud-based infrastructure that will allow your organization to excel.
With every great power, comes possible failure
As mentioned, those great processes will get broken down tens, if not hundreds, if not thousands of times into other steps to create your private cloud. This leads to many possible security issues with each and every step. The biggest areas you will likely focus on really do not change from a public cloud project at all.
- Software / Running Processes
- Networking / Access
It should also be mentioned that with a public cloud, you have no control over direct access to data and physical hardware. The security measures that could be handled in-house with physical security are no longer available to you.
Another major concern that should be mentioned is that your level of networking security on a public cloud stops with the instance’s current software. This means you have little to no control, or even guidance, over firewall protocols and stop/start usage of the datacenters and servers your cloud resources are housed within.
Cloud Computing with Compliance Standards
One of the major problems most IT staffs have had to explain, and also do some problem solving with, when it comes to projects involves compliance needs. These can be as simple as some access standards for public visitors of information, all the way up to HIPAA standards and PCI compliance. With the private cloud, you will notice that many of the same issues arise while creating a cloud-based solution, whether it is on a private cloud or the public counterpart.
HIPAA Compliance on Private Cloud
HIPAA (Health Insurance Portability and Accountability Act) was enacted in 1996 to standardize all electronic health records. This act includes guidelines for storage, processing and even transmission and reception of health records in the United States.
Amazon has been at the forefront of compliance standards for cloud-based solutions for years. In your private cloud projects, this is still the case. As early as 2008, Amazon published a white paper detailing specific strategies and best practices for programmers to take for their applications where they had to attain HIPAA compliance.
PCI Compliance for Private Cloud
PCI compliance (PCI DSS) is a compliance standard for the credit card industry. All servers of ATM, bank cards and credit cards must adhere to it. As well, all processors of transactions with these systems must follow similar, sometimes identical rules.
Your bottom line on the Private Cloud
The single largest advantage of using a private cloud solution is your ability to retain control over your data, as well as any software, networking or security processes in your own space. You will also gain the security of knowing that you and your project team are in complete control of the security and maintenance of your organization’s private cloud.
In the end, only go public if you do not need to meet the requirements of using the private cloud.