Private vs. Public Cloud: What’s More Secure?

Written by Charles Cooper 1
June 8, 2016

When it comes to cloud security, should you go public or private? Proponents of each have no trouble marshaling evidence to support their competing claims. But don’t expect this choice to be an easy one. This the equivalent of a bar stool debate that only gets louder as the night gets longer--with no firm answer either way.

When it comes to cloud security, should you go public or private?

Proponents of each have no trouble marshaling evidence to support their competing claims. But don’t expect this choice to be an easy one. This the equivalent of a bar stool debate that only gets louder as the night gets longer–with no firm answer either way.

It’s a key question that deserves careful consideration. Unfortunately, it’s more likely than not to lead in circles as there are strong cases to be made for both approaches. Here’s where managed services providers can help their clients understand the issue more broadly, steering it toward a strategic conversation that factors in the company’s budgetary resources as well as its own in-house capabilities. Some of the issues to consider include the following:

Private Clouds: Security Pros and Cons

In theory, once you hand the keys to the IT kingdom to an external party, the risk for a breach goes up. The fear is likely overstated, but it’s nonetheless real. That’s why there is always particular peace of mind knowing that dedicated servers and the data they house in a private cloud implementation will be managed and protected locally. The only wildcard is whether employees are following proper security procedures. More on this in a moment, but if the enterprise supplements its premises cloud infrastructure with adequate physical security–along with proper network and firewall precautions–IT can sleep soundly at night.

The proviso is that the client is willing and able to continue to invest money to remain current with the state of the art. Unlike public clouds, many companies with private clouds often deploy older technology and resist authorizing major hardware and software each year. That may still be sufficient, but it also opens the company up in the event of more sophisticated attacks in the future.

Companies also need to assess their technical talent pool. Can their in-house staff competently oversee data security in a private cloud installation? If not, an experienced MSP can parachute in as needed. Otherwise, be prepared to invest a lot of money either in retraining or hiring people with the proper skills to help manage the infrastructure.

Public Clouds: Pros and Cons

Providers of public infrastructure clouds aren’t ignoring the obvious; they, too, invest substantial sums to guarantee that everything on their cloud infrastructures get locked down when it comes to physical access or virtualization level security. The public cloud may be a more attractive choice for companies with limited resources since the provider will be picking up much of the tab for securing apps and data.

Experience is the great teacher, and after years getting attacked by myriad hackers, what haven’t public cloud providers had to deal with? They’ve learned how to handle attacks of increasing sophistication. Also, the companies offering public clouds tend to hire, retain and attract the top security people in the business. Not only can they pay for the best, but having the best is considered strategic to those companies’ businesses. Is all of that experience worth paying for? You bet.

Bigger Picture

Unfortunately, none of this may be enough to declare a winner. But there is one point that’s beyond contest: The success or failure of a public or private cloud implementation is inherently intertwined with management's success in educating employees to adopt security best practices. You can build out the most durable perimeter and update the network with the most sophisticated application and operating system security features that money can buy. But all it takes is one sloppy employee to ignore standard security procedures and the company’s entire cloud edifice will be left vulnerable to attack.

What’s more, no matter whether they choose a private or public cloud, it’s still going to be the customer’s responsibility to make sure the company conforms with regulatory standards, such as HIPAA and PCI.

At this point in history, employees–and companies–are likely tired of hearing this, and more likely than not to tune out the sound of yet more preaching. But it’s a message that companies must take seriously, and it's one that MSPs should put on the table as part of the key components to consider in any conversation about cloud implementation–public and private.

This content is underwritten by VMware — and is editorially independent. It is produced in accordance with conventional standards of business journalism.

Charles Cooper is an award-winning freelance author who writes about business and technology. During his 30-plus year career, he has worked as an executive editor at several leading tech publications including CNET, ZDNet, PC Week and Computer Shopper.