The road to the cloud - The story of public versus private

posted 29 Nov 2019, 08:07 by Francesco Cipollone [updated 29 Nov 2019, 08:20]



By Dr. Wendy Ng - DevSecOps Security Advisor for Experian


A collaboration between Experian and CSA UK&I

Cloud Security Alliance - UK Chapter


 




We are on the cusp of being a quarter of the way through the 21st century and you need to decide. Public or private cloud? But what do these terms actually mean? Let me walk you through them; hopefully, by the end of the article you will have a better idea (or at least you will feel welcomed into the 21st cloud century).


Gartner predicts exponential growth in cloud services, reaching $370 billion (which is about £200 billion in the UK) by 2020.

Source: Gigabit magazine

Early concerns about the security implications of multi-tenanted systems have essentially been dissipated by an improved understanding of responsibility boundaries and of the controls needed to meet company and industry-specific regulatory compliance requirements.

Just about every organisation worth its salt, in every sector (public, private or non-profit), has had or is undergoing a large transformation programme that includes a public cloud strategy for corporate assets.

As a side note, the UK government is pushing for a cloud-first policy internally and has published guidance online. You can find more here: https://www.gov.uk/guidance/government-cloud-first-policy

To give you an idea of the scale and growth, take a look at the following diagram:


Source: Statista - Licence NSC42 Ltd


Whilst no control can be perfect, our understanding is that the public cloud has matured, and organisations are increasingly willing to accept the residual risks from public cloud platforms with enforced access and security controls. This, combined with their ease of use, has contributed to an increasing rate of public cloud adoption, to serve the needs and objectives of the organisation and business. There is no shortage of success stories of partnerships with public cloud vendors and their ability to provide value for the organisation. 

This is particularly true for retailers, who experience significant changes in resource requirements that can be perfectly served by the inherent elasticity of the public cloud. Other early adopters include new start-ups, as public cloud platforms eliminate the need for significant upfront investment in infrastructure. Even amongst the more established players from traditional industries, public cloud is becoming entrenched, often through a hybrid model.

Despite the clear speed of adoption in the retail space, there is still a bit of scepticism about the level of security, which a well-placed cloud security programme can quickly dispel. Nonetheless, a clear understanding of the division of responsibilities is required.


One of the early drivers of public cloud is the platform’s capability to deliver operational efficiencies: you only pay for the services you use, so there are no idle servers, storage, networking equipment or technical staff that are unable to contribute towards productivity despite the capital invested in them. Of course, these operational efficiencies only emerge if the business is willing to transform its ways of working so that it can operate in this cloud-native manner. Whilst not a scientific study, a review of the recent results from technology giants suggests at least a correlation between having significant cloud services and being an overachiever.



Securing Cloud Services, Lee Newcombe


Public cloud comes in a variety of ‘flavours’, depending on who holds the system management responsibilities for the assets. All of them carry the ‘as-a-Service’ label and are typically more expensive than basic products.


So, it should come as no surprise that for certain workloads, public cloud platforms are likely to be more expensive than on-premise private clouds, where the organisation is responsible for managing the entire infrastructure and systems. Nevertheless, the central concept of public cloud is its ability to take advantage of scale and the pooling of resources. This allows service providers to make investments in technologies; the bigger user group means that they can also provide a focal point for ideas and feedback on developments in the user community. This gives them greater visibility of industry trends and lets them make strategic contributions to advances in the industry.

One clear example is the pipeline of tools for DevOps, a collaborative practice that aids software development by breaking down silos between teams and is supported by toolsets, in order to cater for and respond to changing consumer expectations.

We could speak about the integration of tools in the pipeline in this article, but that would take us off on a tangent. Nonetheless, we will come back to the subject, as it is a hot topic right now.

Public clouds are enablers, designed to be responsive to changes in an organisation’s workload requirements; it is no accident that industries which experience significant fluctuations in workloads, such as retailers, are some of the most enthusiastic adopters of public clouds. They can also be easy to adopt – too easy, in fact, for holders of corporate credit cards: a subscription to a cloud-based service, taken out to test its capability, can all too quickly become a critical IT service for a section of the business, without a proper procurement process or fiscal and security due diligence on the vendor. Thus, the ease of adoption of public cloud could increase the frown lines on a CFO – as well as those on the CIO and CISO! Nonetheless, cloud adoption requires careful planning, and in order to leverage the power of the cloud and the full suite of tools it offers, some re-thinking of the migrated application is required; often, cloud migration is interpreted as lift and shift.

Another concern, especially for the larger organisations, which have the advantage of being able to scale, is over-reliance on third-party vendors. Strategically, it is advisable to maintain internal capabilities, which may include developing toolsets, especially for organisations with a large operational footprint. For smaller organisations, decisions will be based on balancing investment in growth against safeguarding against possible operational disruptions to supporting functions.

Whilst some workloads will be more suited to the inherent elastic nature of a public cloud, which may also offer a more diverse geographic presence than an on-premises private cloud, the relatively high operational costs of public clouds need to be taken into consideration. At some point, especially for large workloads with predictable (and probably consistent) resource requirements, the cost of initial capital hardware investments will be more efficient for the organisation when the lower operational costs of private clouds are taken into account. Thus, especially for large organisations, a hybrid public-private cloud strategy could provide the best balance to hedge against technical, operational and financial risks.
