The Road to the Cloud - The Story of Public vs Private

Jun 25, 2020

Author: Dr. Wendy Ng


We are on the cusp of being a quarter of the way through the 21st century and you need to decide - public or private cloud? But what do these terms actually mean? Let me walk you through them, and hopefully by the end of the article you will have a better idea (or at least you will feel welcomed into the cloud-centric century). Gartner predicts an exponential growth of cloud services, reaching $370 billion (which is about £200 billion in the UK) this year.

Early concerns about the security implications of multi-tenanted systems have essentially been dissipated by an improved understanding of responsibility boundaries and of the controls needed to meet company- and industry-specific regulatory compliance requirements.

Just about every organisation worth its salt, in every sector (public, private or non-profit), will have undergone, or is undergoing, large transformation programs which include public cloud strategies for corporate assets.

As a side note, the UK government is pushing for a cloud-first policy internally and has published guidance online; you can find more here: https://www.gov.uk/guidance/government-cloud-first-policy

Whilst no control can be perfect, our understanding is that the public cloud has matured, and organisations are increasingly willing to accept the residual risks from public cloud platforms with enforced access and security controls. This, combined with their ease of use, has contributed to an increasing rate of public cloud adoption, to serve the needs and objectives of the organisation and business. There is no shortage of success stories of partnerships with public cloud vendors and their ability to provide value for the organisation.

This is particularly true for retailers, who experience significant changes in resource requirements that can be perfectly served by the inherent elasticity of the public cloud. Other early adopters include new start-ups, as public cloud platforms eliminate the need for significant upfront investment in infrastructure. Even amongst the more established players from traditional industries, public cloud is becoming entrenched, often through a hybrid model.

Despite the clear speed of adoption in the retail space, there is still a bit of scepticism about the level of security, which a well-placed cloud security program can quickly dispel. Nonetheless, a clear understanding of the division of responsibilities is required.

One of the early drivers of public cloud is the platform’s capability to deliver operational efficiencies: you pay only for the services you use, so there are no idle servers, storage, networking equipment or technical staff unable to contribute towards productivity despite capital investments. Of course, these operational efficiencies only emerge if the business is willing to transform its ways of working so that it can operate in this cloud-native manner. Whilst not a scientific study, a review of the recent results from technology giants suggests at least a correlation between having significant cloud services and overachieving.

Public cloud comes in a variety of ‘flavours’, depending on who holds the system management responsibilities for the assets, all of which carry an ‘as-a-Service’ acronym and are typically more expensive than basic products.

So, it should come as no surprise that for certain workloads, public cloud platforms are likely to be more expensive than on-premise private clouds, where the organisation is responsible for managing the entire infrastructure and systems. Nevertheless, the central concept of public cloud is its ability to take advantage of scale and pooling of resources. This allows service providers to make investments in technologies; the bigger user group means that they can also provide a focal point for ideas and feedback on developments in the user community. This gives them greater visibility of industry trends and lets them make strategic contributions to advances in the industry.

One clear example is the pipeline of tools for DevOps, a collaborative practice, supported by toolsets, which aids software development processes by breaking down silos between teams so that they can cater for and respond to changing consumer expectations.

Public clouds are enablers, designed to be responsive to changes in an organisation’s workload requirements; it is no accident that industries which experience significant fluctuations in workloads, such as retailers, are some of the most enthusiastic adopters of public clouds. They can also be easy to adopt – too easy in fact: for holders of corporate credit cards, a subscription to a cloud-based service, taken out to test its capability, can all too quickly become a critical IT service for a section of the business, without a proper procurement process or vendor fiscal and security due diligence. Thus, the ease of adoption of public cloud could increase the frown lines on a CFO – as well as those on the CIO and CISO! Nonetheless, cloud adoption requires careful planning, and in order to leverage the power of the cloud and the full suite of tools it offers, some re-thinking of the migrated application is required; often, cloud migrations are interpreted as lift and shift.

Another concern, especially for the larger organisations, which have the advantage of being able to scale, is over-reliance on third-party vendors. Strategically, it is advisable to maintain internal capabilities, which may include developing toolsets, especially for organisations with a large operational footprint. For smaller organisations, decisions will be based on balancing investment in growth with safeguarding against possible operational disruptions to supporting functions.

Whilst some workloads will be more suited to the inherent elastic nature of a public cloud, which may also offer a more diverse geographic presence than an on-premises private cloud, the relatively high operational costs of public clouds need to be taken into consideration. At some point, especially for large workloads with predictable (and probably consistent) resource requirements, the initial capital investment in hardware will be more cost-efficient for the organisation once the lower operational costs of private clouds are taken into account. Thus, especially for large organisations, a hybrid public-private cloud strategy could provide the best balance to hedge against technical, operational, and financial risks.

This article was first published on 14 May 2020 on the Cloud Security Alliance Blog.

Dr. Wendy Ng is a DevSecOps Security Managing Advisor, who’s honed her technical consulting skills through a number of industries: aerospace, healthcare, fintech, telco, transport logistics, and critical national infrastructure. Wendy completed her doctoral studies at the University of Oxford and has contributed to the scientific community through peer-reviewed publications. She has been sharing her experience and expertise, addressing key challenges, in her blogs since 2016.