In a recent report, Gartner predicted that more than 85% of organizations will embrace a cloud-first principle by 2025. Similarly, cloud security ranked second on the list of CISO priorities in RH-ISAC’s 2021 CISO Benchmark Survey. For organizations just beginning to explore the cloud, selecting the cloud infrastructure that is right for your business can be overwhelming. There are pros and cons to each model. Which you choose will depend on your business’s resources, as well as the level of control you would like to have over your data.
The main characteristic of a private cloud is that it is used solely by one entity. Traditionally, that has meant that the private cloud is housed on-premises and is entirely managed by the organization using it. Today, however, this is not always the case as managed private clouds have become an option. These environments are similar to a public cloud in that the servers live off-site and are managed by a third-party vendor, but you are not sharing the cloud with other organizations, meaning it is still technically a private cloud.
The appeal of a private cloud is complete autonomy over the configuration and hardware used in your cloud. Particularly for regulated industries, organizations may feel their highly sensitive data is more secure in a private cloud, where they have full control over access and other security elements. As the sole user, there is also more room for customization. A private cloud can support legacy workloads that may not be transferable to a public cloud.
The downside of a private cloud is that you are also the sole owner of the cost. Public clouds make it much easier to scale up usage cost-effectively and allow the expenses of infrastructure maintenance to be shared among the many cloud tenants.
Public clouds are cloud environments in which the company using the cloud does not own the IT infrastructure. Instead, a company such as Microsoft, Google, or AWS owns the servers and houses them in their facilities while leasing out the use of them to a multitude of clients. Using a public cloud is great for organizations that don’t have the space, money, or staff to maintain their own servers in-house.
However, the downside of solely using a public cloud is that you relinquish some level of control. While you as the customer are responsible for the security of any workloads stored in the cloud, the cloud service provider (CSP) is still responsible for the security of the cloud itself under the commonly accepted shared responsibility model. Therefore, companies that have reservations about storing data at their highest security level in a public cloud may instead opt for a hybrid cloud so they can better control where specific data is stored.
A hybrid cloud is the solution for organizations that want the benefits of both public and private clouds. A hybrid environment allows companies to select which data is stored in which location, alleviating some of the concern over loss of control of sensitive data. It also allows companies to scale up their storage cost-efficiently without needing to invest in additional servers on premises.
The disadvantage of this approach is that you must adjust your security operations to account for having two different environments. You may need to invest in a security information and event management (SIEM) solution that can integrate information from across both environments. You may also want to use a data broker to streamline ingestion and standardize feeds to a single format that your security tools can ingest. The work required to secure a hybrid cloud environment may be too much for organizations with limited resources.
Finally, multicloud environments, like hybrid clouds, are made up of more than one cloud environment. However, multicloud architecture includes cloud services from more than one vendor. This is done for a number of reasons, such as cost savings or reducing reliance on a single vendor. It may also be done to comply with specific regulations, including those on the geographic location of stored data.
A multicloud setup allows you to pick and choose the best services without settling for one subpar offering simply because it is from the vendor you’re using for other parts of your tech stack. Of course, the drawback of a multicloud environment, similar to a hybrid cloud, is that you have more components that need to be made compatible with one another for a complete view of your security posture.
The cloud infrastructure you choose will depend largely on your organization’s resources and security priorities. RH-ISAC members have access to exclusive resources to help implement hybrid cloud best practices, such as this recorded webinar, Elevating Security to the Cloud, from the 2021 Cyber Intelligence Summit.