ZapFlash

Why Public Clouds are More Secure than Private Clouds

Conventional wisdom would have you believe that Public Clouds are inherently insecure, and that the only way to meet your organization’s stringent security requirements in the Cloud is to implement your own Private Cloud. Conventional wisdom, you say? Unfortunately, there is precious little wisdom available of any kind when it comes to Cloud Computing, let alone the conventional type!

In fact, large software and hardware vendors are largely responsible for the whole “Public Cloud is insecure” canard, introducing fear, uncertainty, and doubt (FUD) into the marketplace. After all, building a Private Cloud means buying a lot of new gear. The last thing the big vendors want is for their customers to move to Public Clouds—unless, of course, they belong to the vendor in question. Don’t be fooled. Public Clouds are typically more secure than Private Clouds, for a number of reasons. Here’s why.

Why Public Clouds are More Secure…

  • Hardened thru continual hacking attempts – Public Cloud providers are a juicy target. Hackers know how to find them, realize there’s good stuff inside, and would be the envy of all their hacker pals if they were able to breach the Public Cloud’s defenses. As a result, h4x0r types have been hammering on Amazon Web Services, Microsoft Azure, and all the others. Thousands of them. For years now.
  • Attract the best security people available – Public Cloud providers not only attract hackers, they attract talent. If you’re a top Cloud security expert, where would you rather work: Amazon? Or some big insurance company or manufacturer or government agency? I thought so.
  • Get the latest security gear due to economies of scale – How many Cloud data centers do the big Public Cloud providers own? And how fast are they building new ones? You don’t need to know the specifics to realize the answers are boatloads and wicked fast. And they’re buying gear for them. New gear. Boatloads of it. Wicked fast.

Why Private Clouds are Less Secure…

  • Suffer from “perimeter complacency” – it’s amazing how many enterprises think that their DMZs and firewalls give them adequate security. If it’s on the internal network, it must be secure! As though they completely missed the Internet. And email. Not to mention viruses. What about twenty-somethings downloading malware to the corporate network through their phones? Now the enterprise wants a Private Cloud, so they can put the whole kit and caboodle on their internal network for security purposes. Good luck with that.
  • Unknown staff competence – sure, your organization has a lot of great security people. They all know their stuff. Try this: have a big party for them. Two hours in, take a look around the room. See that guy with the lampshade on his head? He’s responsible for Private Cloud security.
  • Insufficient penetration testing – how do you test to make sure your Private Cloud is secure—or any other part of your IT infrastructure, for that matter? Simple: have your testers run a series of security tests. Or maybe hire a third party to run them for you. If all the tests pass, you’re secure, right? Maybe for like a minute, until the hackers figure out new attacks that didn’t make it into your security tests. Whoops.
  • May have older gear in use – you spent hundreds of thousands of dollars on security hardware. In 2009. Now you’re putting the final touches on your Private Cloud. Try this: ask your CIO for hundreds of thousands of dollars more to replace that three-year-old gear. The response? Maybe next year. Try updating the patches. I’m sure you can make do with what we have. And maybe you can—but don’t expect it to compare with the brand new shiny stuff going into Public Cloud data centers every day.

Virtual Private Clouds to the Rescue?

With a Virtual Private Cloud (VPC), a Public Cloud provider gives you a dedicated, secure connection (usually via a VPN) to your Public Cloud instances. In some cases, those instances are physically separated from other customers, so that your stuff can’t end up on the same box as somebody else’s stuff.

VPCs may actually be the most secure option available today, as you have the best of both worlds. Furthermore, they may address specific regulatory or other governance issues that may prevent your organization from using a multitenant Public Cloud. If you read the first section of this ZapFlash and think that neither Public nor Private sounds secure enough, then a VPC may be the way to go.

However, VPCs aren’t for everyone. They may only be marginally more secure than Public Cloud, as Public Cloud providers have generally done a bang-up job securing their multitenant architectures. And keep in mind, a single-tenant VPC will typically be substantially more expensive than a regular Public Cloud equivalent. The bottom line: VPCs are more about peace of mind than actually increasing security.

The ZapThink Take

You’ll have to excuse me, I’m in a particularly snarky mood today. I must admit that the title of this ZapFlash is actually an overgeneralization. It’s certainly possible that your Private Cloud is more secure than some Public Clouds out there. The true message of this article is that building a truly secure Private Cloud is much harder than it sounds, and the extra work necessary has largely already been taken care of by the Public Cloud providers. And it should now be obvious that Private Clouds are by no means inherently more secure than Public ones.

But there’s a bigger lesson here. Security is all about risk mitigation, and it’s simply impossible to reduce your risk to zero. There’s no such thing as perfect security, which is another way of saying that perfect security is infinitely expensive. Risk mitigation involves weighing acceptable risks, given the nature of those risks and the cost involved in mitigating them. When you deliberate on the question of Public vs. Private Clouds, keep in mind that both approaches are inherently risky—but then again, choosing neither is also risky. Your job is to get the necessary facts in order to make the best decision you can about which risks you are willing to accept. Confuse FUD with facts at your peril.

 

Discussion

5 comments for “Why Public Clouds are More Secure than Private Clouds”

  1. [...] see this informative post on ZapThink This entry was posted in Force.com, Product Features. Bookmark the permalink. ← Allow [...]

    Posted by Why Public Clouds are More Secure than Private Clouds | Advologix | February 9, 2012, 6:54 pm
  2. Great article :)
    regarding the security issue – I’m looking for a single platform app for all of my cloud based services. the security issue is very important me.
    what should i be looking for?
    Thanks.

    Posted by guy_h | July 29, 2012, 1:46 pm
  3. The technical security that public infrastructure cloud vendors tell is very good (not true at all for most SaaS vendors). However, not a single public cloud vendor has ever been willing to indemnify me should they be breeched, and my sensitive/confidential information stolen or leaked. In other words, they tell me they are secure, but they won’t stand behind it. The reason, I infer, is simple — accepting that risk would be expensive! It’s that element of risk management, not security, to which the public cloud does not stand up to scrutiny. It’s that element of risk acceptance that makes the private cloud the only choice for now.

    Posted by Paul Fingerman | April 24, 2013, 1:32 pm
    • Public Clouds are by no means perfect, but Private Clouds have many of the same risks, and are more difficult and expensive to secure than people believe. As a result, the knee-jerk reaction that you can manage risk better in a Private Cloud may not be true.

      But clearly, if Public Cloud Providers are unwilling to take responsibility then my argument is weakened. Consider this ZapFlash to be a call to Public CSPs to take responsibility and put their commitment in their SLAs.

      Posted by Jason Bloomberg | April 24, 2013, 3:21 pm
  4. [...] includes information from two other ZapFlash entries that Jason referenced in his April ZapFlash: Why Public Clouds are More Secure than Private Clouds and Why You Really, Truly Don’t Want a Private Cloud. See the ZapFlash entries for an explanation [...]

    Posted by Using a Public Cloud instead of an In-House Private Cloud | Design Decomposition Blog | July 19, 2013, 11:52 pm

Post a comment

FREE POSTERS

NEW VERSION! ZapThink's Vision for Enterprise IT in 2020
With all new content including Dev/Ops, Hypermedia-Oriented Architecture, Big Data Visualization, and more!
Click here to download for FREE
10-pack of prints for only the cost of shipping!

SOA Implementation Roadmap
Over 100,000 downloaded!
Click here to download for FREE
10-pack of prints for only the cost of shipping!