Public Cloud Security Risks: What’s Real, What’s Overstated, and What You Need to Know Most

Cloud computing technologies have matured significantly since the initial adoption frenzy. Businesses of all sizes continue to move workloads to public cloud environments or have started building their own private cloud environment that they can control. But, as with any emerging market, there’s talk and concern about the lasting implications of cloud technology, including the private and public cloud security risks that we may unknowingly be introducing to our workloads.

You may be surprised to learn that many companies are also moving workloads OUT of the public cloud, back to their data center or to a private cloud. According to an IDC survey, as many as 80 percent of organizations have migrated applications or data from a public cloud to an on-premises or private cloud environment within the past year. That’s staggering.

Many of those companies moved their workloads due to concerns about public cloud security, and those concerns are difficult to overcome. A new ESG survey revealed that as many as 40 percent of organizations that have moved an application from a public cloud back to on-premises infrastructure plan to be much more thorough and exercise caution when evaluating cloud services in the future (source: ESG Master Survey Results, Tipping Point: Striking the Hybrid Cloud Balance).

But it’s not all doom and gloom. As cloud computing matures, organizations have developed policies around which workloads belong in a public cloud, and which ones are better off in a private or on-premises environment. Without carefully rethinking which workloads are best suited to a public cloud and which ones belong in a more controlled environment, businesses can suffer. Here’s what to keep in mind as you decide which, where, and why to migrate your cloud workloads.

Firstly: You’re in the Driver’s Seat

Vendor evaluations are no walk in the park. Enterprises spend thousands of hours collecting, organizing, and evaluating RFPs. But when it comes to cloud security, there’s a lot more to it than your cloud provider’s security practices.

There’s a misconception that public cloud security rests entirely with the vendor: that either Amazon, Google, Microsoft, or a private provider will provide protection and data security on behalf of their customers. And data protection? Pshh. The only workloads stored in clouds are stateless, right?

In reality, cloud security also has a lot to do with your data, how it’s structured, who has permission to access it and how, and dozens of other variables. As a result of this misconception, businesses have failed to take time to correctly architect secure strategies for storing data in the cloud.

Without a doubt, the biggest disadvantage of public cloud is that… there’s a lot you just don’t know. Without a server rack down the hall that you can check and configure yourself, you’re instead relying on remote, commingled public servers that were designed to serve many different organizations with many different workload types. Organizations are forced to give up control of their physical hardware, and it becomes difficult to know whether data is adequately protected. Because they serve many different organizations throughout the world, public clouds become a target for hackers. Businesses find that better security visibility is achieved by bringing the workloads back in-house and working on-premises in a private cloud.

The EU’s General Data Protection Regulation (GDPR) adds another layer of complexity to this. In addition to guaranteeing your own company’s compliance, you must be able to verify your vendors’ adherence to the standards outlined in the legislation. That means that your public cloud vendor must be able to confirm the location of your data at any time, and must enable you to erase or modify it as required by the “Right to Erasure” provision. In the case of the GDPR, you and your vendor could both be held accountable if either of you violates the regulations, so the stakes are high.

Why Move to a Public Cloud… And When to Consider a Private Cloud

You likely already know the very compelling reasons to consider public clouds. You can deliver business value without having to deal with the nitty-gritty, hands-on work of operating and maintaining data centers. And you don’t need to purchase, deploy, and manage computing infrastructure. When users and developers need a new server, they can set one up within minutes. This is fast provisioning and scaling, and it is becoming even easier now with virtualization tools and platforms, including containers.

That said, many large corporate public cloud providers have raised their rates to an astronomical level, depending on usage. Lack of control and rising expenses are pushing companies to consider private and hybrid cloud setups (like OpenStack) to alleviate some of the burden.

Here’s a quick peek at some commonly-cited pros and cons when debating public vs. private clouds.

Public Clouds

✔ Pros
  • On-demand resources based on your company’s needs
  • Easy if you don’t have the internal headcount to manage a private cloud
  • Out of sight, out of mind… utilizes a remote data center and frees up floor space
  • Infinite scalability
  • Multi-tenant

✖ Cons
  • Can’t customize the cloud for your organization; it’s one-size-fits-all
  • Limited oversight and control over physical assets
  • Reliability: when there’s an outage, you’re one of millions of customers to be taken offline simultaneously
  • Many companies don’t back up their public clouds; depending on which workloads you’re storing there, you could be putting your company at risk
  • Difficult to find a data protection solution that backs up entire workloads (data & metadata, applications, security groups, network topology, etc.)

Private Clouds

✔ Pros
  • Repurpose hardware you’ve already purchased
  • Easy if you do have the internal expertise and headcount to manage a private cloud, and becomes more cost effective over time
  • Significantly more control over both environmental deployment/configuration and hardware
  • Multi-tenant
  • Cost: use commodity hardware, and spin up or down new resources as you need them

✖ Cons
  • Cost
  • Do-it-yourself, depending on whether you choose open source or a commercial distribution
  • Still responsible for a physical data center

Private and hybrid cloud deployments are becoming increasingly common, largely because they allow companies to find a middle ground amongst all these pros and cons. Want total control? Deploy a private cloud. Need ad hoc resources for a portion of your workloads? Go hybrid. If you can get all your vendors to play nicely together, you’ll have your ideal setup.

The Bottom Line

Both public cloud and private cloud have a role to play in digital business transformation. More important, though, is the need to build a strategy that best fits your organization’s needs now, and in the years to come. Yes, security and data storage are critical components of this decision. But so is budget.

To find out more about Trilio’s approach, or if you have any questions, write to us or tweet us @triliodata