The perennial debate on private cloud vs. public cloud continues to flare up anywhere cloud computing is being discussed. One of the most often repeated myths favoring private cloud deployments is that they are "more secure" than public clouds. It's complete nonsense. Some private clouds are more secure than some public clouds. Some public clouds are more secure than some private clouds. In some cases, no one really knows.
Risk Analysis vs. Security
I always say that the key to securely deploying a public cloud infrastructure is transparency. That statement should not be confused with the fallacy that transparency is security. Transparency is a necessary element in assessing the risks associated with any infrastructure. It can also help you establish compensating controls to address less-than-ideal facts about the target infrastructure. The need for transparency is exactly why CloudAudit is so critical to making informed public cloud deployments and taking the steps necessary for securing those deployments.
Transparency, however, does not magically render any environment secure. What makes an infrastructure secure are the "facts on the ground" about that infrastructure. Technologies, architectures, processes, and controls define how secure an infrastructure is. You can thus have a perfectly secure infrastructure into which you have zero visibility (but you'll never actually know it is secure) and you can have an infrastructure which you know for a fact to be perfectly insecure (think of a honeypot).
Security and Clouds
For the purposes of this article, I'll make the faulty assumption that a private cloud represents perfect transparency (in reality, private clouds still have at least some level of opacity). Based on this premise, a public cloud is always going to have a higher degree of opacity than a private cloud exactly because of the perfect transparency of the private cloud. Anything I can know about public cloud X, I can also know about my private cloud. The reverse, however, is almost never true.
The ill-informed often jump to the general conclusion that private clouds are therefore more secure than public clouds. You just can't get from the fact that you know more about a private cloud to the conclusion that it is therefore more secure. You certainly can't make the further jump and apply the conclusion to the entire class of public and private clouds.
Total knowledge about a private cloud guarantees neither that it is secure nor that we are even competent to judge that knowledge with respect to security.
The Delusion of Competence
I want to zero in on the idea of competence first. We all think we are better drivers than everyone else on the road. It's a horrible fact that makes roads more dangerous than they need to be. The same thing applies to large company IT infrastructure. Everyone thinks they are more competent to build out a secure infrastructure than the next. In some cases, this belief is true. In many cases, it's not.
In the case of private versus public cloud, an internal team at an organization with a core competency in some non-technical market is generally responsible for the private cloud.
The overall competency of an organization in running an efficient and secure private cloud infrastructure is directly proportional to the degree of alignment of IT infrastructure management with the company's core competency. This general reality results simply from the fact that you'll invest more in IT infrastructure and value it more if it matters more to your business. As a general rule, most businesses out there will be less competent at assessing and maintaining a secure private cloud infrastructure than the people running public clouds.
I'm not trying to make the argument that just because you work in IT for some low-tech company, you don't know IT infrastructure or security. Many brilliant technologists work for agencies you would never associate with IT infrastructure. I am arguing, however, that IT shops in general for low-tech companies are going to be less competent as a group in IT security than their public cloud IT counterparts. Worse, each one of them likely thinks they are the exception and not the rule.
The delusion of competence really makes it hard to see your own security failings. When you combine that delusion with the transparency mismatch between public and private clouds, you have a very powerful recipe for crafting FUD and perpetuating the myth of private cloud security.
The Role of Transparency
As I have noted at several points, transparency helps you analyze the relative risks associated with two different infrastructures. Because of the transparency mismatch between public and private cloud, we know that the private cloud is always going to be a less risky option—all else being equal. And don't make the mistake of confusing "less risky" with "more secure".
Obviously, the more we know about a public cloud, the better positioned we are to assess its appropriateness for a given problem. Let's take the simple issue of data destruction. I know within my organization that we always securely wipe any storage media before reusing or retiring it, and that we always securely destroy retired media. I don't know what cloud provider X does.
Which scenario is more secure? You don't know. The private cloud is obviously going to represent a lower level of risk because I know what processes we have in place AND I know that those processes are sufficient for my business requirements. It could be that the cloud provider is doing the exact same thing and is thus equally secure. It could be that they are shredding the drives, melting them, and then launching the melted media into the sun on space ships. That would make the cloud provider technically more secure. I just don't know. And because my business requirements demand that data stored on media is securely destroyed, I either have to institute compensating controls to mitigate the risk or conclude that the public cloud provider in question is too risky for my business needs.
But I can't conclude that the public cloud provider is less secure.
What Makes a Cloud Secure?
The policies, procedures, technologies, architecture, and controls in place define the "security" of a given cloud. Security, however, is ultimately a relative term. You can't say a given infrastructure is "secure". You can simply say it is secure with respect to a specific set of requirements and level of acceptable risk. Risk analysis, and thus transparency, is a critical component in assessing the security of a system, but it's not in itself security.
Let's examine the scenario discussed above. If the following items are true about the cloud provider in question, we can reasonably assess that the higher risk associated with the lack of transparency from the public cloud provider can be mitigated:
- If we can securely encrypt the file systems in the cloud
- If we can keep the encryption keys away from the cloud provider
These two controls offset the lack of transparency from the cloud provider and enable us to meet our business objectives with only a moderately higher level of risk. If the benefits of public cloud over private cloud outweigh that moderate risk, then we should deploy in the public cloud. Otherwise, the private cloud represents the best risk scenario. If we determine the public cloud risk in this scenario is not acceptable even with the compensating controls, however, that does not mean we have concluded that our private cloud is more secure than the public cloud provider.
The Role of Private Clouds
I try to avoid the whole debate of whether private clouds are really clouds. Regardless of how "cloudy" a private cloud is, it is an important piece of the cloud computing puzzle. The blanket term "security", however, is not a reason in itself to opt for a private cloud infrastructure over a public one. Having a private cloud does not make your infrastructure inherently more or less secure than a public cloud option.
A mature organization will likely have both public and private components to their infrastructure. In 2020, I expect all companies will have public cloud components; many will not have private cloud components.
Private clouds play two critical roles in 2010:
- They help an organization with an existing investment in virtualization leverage that investment to provide the business with many of the benefits of cloud computing.
- Private clouds help minimize risk for situations in which public cloud options raise unacceptable risks and the private cloud provides proper controls.