Cloud Security: Private vs Public vs Hybrid

Look at the Application not the Cloud

As you read this, you could be on a plane to a new continent, or a serene lake recharging your mental batteries; you could be on a smartphone, a tablet, a laptop, or even a watch. The fact is, applications and data can now be consumed anywhere. The challenge for an enterprise becomes how to secure access and visibility without compromising user experience. There’s no magic wand to magically create a holistic security posture, or have the best security engineers. Your applications and data are as unique as your business, and not a single cloud infrastructure understands them. You must use the tools your cloud provides to ensure a strong security posture.

Is Private Cloud More Secure Than Public Cloud?

The short answer: No. They are both very secure and, at the same time, very vulnerable. We can also look at a hybrid approach, which uses a combination of, or new tools in private and public clouds. Overall, your security depends on the workload running. Rephrasing this question provides further insight: What does my application or data set need/require for secure access? Each of these cloud-types provides a unique set of tools, challenges, and expertise required for secure operations.

As a business, the decision to run new workloads/move workloads into a certain cloud-type comes down to a possible set of simple questions to ask yourself to create a security posture specific to that cloud:

• Are there regulations in our industry that require a cloud posture or focus?
• Is there an executive requirement/goal to be in a certain cloud-type?
• Are there geographic constraints or requirements?Are there budgetary requirements for workload placement?
• Are we running workloads for other entities we’re legally responsible for?
• How is our application/data estate currently deployed today?
• Is there a cloud preference for applications? What about data access/availability?
• What is the cloud-educational level of my operational IT organization?

Understanding your enterprise’s current cloud mindset will help drive the security conversation of how to secure those workloads.

Let Your Workloads Define Your Security

Choose your cloud, understand the security controls

Cloud choice requires a singular focus on the workload being run to help understand where it should live. Let’s break down each of the cloud types (private, public, and hybrid cloud) into advantages and disadvantages for running secure workloads.

Public cloud security

As companies migrate to the public cloud, their security mindsets, talent pool, and risk strategies must change:

Advantages:

• Great scalability and flexibility
• Numerous security services to choose from use/consume
• No low-level management

Disadvantages:

• Security is a shared responsibility
• Requires new expertise to secure workloads
• Potential for increased threat visibility
  

Private cloud security

The most familiar concept for many companies, private cloud ensures control but sacrifices cost and potential access to new workloads users demand:

Advantages:

• Security and Compliance on your terms
• Data lives in your own perimeter (datacenter)
• Apps and Data are under your control

Disadvantages:

• Higher costs on hardware and infrastructure
• Greater need for security management
• No access to secure SaaS apps

Hybrid cloud security

The holy grail of IT includes the ability to control workloads and cost anywhere, but requires new security tools to run in both public and private clouds:

Advantages:

• Cost-effective decisions on secure workload placement
• Reduce Attack vectors based on risk analysis (choose a cloud based on risk)

Disadvantages:

• Requires new software to understand compliance between clouds infrastructure
• Large threat surface
• Requires new talent to operate

Additional Cloud Security Considerations

Below is a sample of other suggestions to consider when choosing a cloud-type for your apps and data:

• Control and Visibility - Do you have the tools/talent/time to understand your entire cloud estate?
• Data Management - Are you adhering to industry-specific/geographic regulations for your data? How are you understanding insider data threats?
• Cyber Threat Risk - Is there an application or data particularly more appealing to threat actors? Are you classifying your workloads based on a risk assessment?
• Configuration Management - Are you able to push/patch/pull across your workloads in as little time as possible? Are legacy workloads identified and considered for changes as new threats emerge?
• Policy Enforcement - How are you ensuring compliance of business policies as it relates to security? Are you aligning security recommendations with end-user experience? How are you gathering user feedback?
• Business Continuity - Do you have a regularly tested recovery program and procedure in place? Have you further qualified key, business-critical workloads that must not be unavailable? How are you ensuring their viability?

That is a small subset of things to consider. Overwhelming? Start somewhere, today. Focusing on well-known, highly critical apps and data can provide the best bang for your planning and provide peace of mind to executives.

Take Back Control Beyond Clouds

As we’ve read, choosing which cloud is an intensive process of research and expectations, especially as you begin to align security requirements. Public cloud security and security risks are issues as present as in a private cloud. Private clouds can be more secure than public clouds, but can increase cost while leaving flexibility aside. Hybrid cloud, whilst attractive, requires additional investment in further solutions.

Bottom line, the control and security of your applications and data is up to you. There is no silver bullet for workload placement. To summarize a good plan on where to begin:

1. Evaluate your business inline with your industry to create a baseline of security considerations
2. Understand the advantages of the various cloud-types (private, hybrid, and public) to ensure an efficiency of budget and security controls.
3. Map out and qualify your critical applications to create a true business continuity plan.

At Nutanix, we specialize in helping you understand your workloads and securing and optimizing their performance. Our cloud story allows us to help you run these workloads on any cloud, aligning to your business goals. The security tools and mindset we offer ensure a true-defense-in-depth strategy working with your current tools to offer a more complete security posture.

Find out more about cloud security.

_{© 2022 Nutanix, Inc.  All rights reserved. Nutanix, the Nutanix logo and all Nutanix product, feature and service names mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s). This post may contain links to external websites that are not part of Nutanix.com. Nutanix does not control these sites and disclaims all responsibility for the content or accuracy of any external site. Our decision to link to an external site should not be considered an endorsement of any content on such a site. Certain information contained in this post may relate to or be based on studies, publications, surveys and other data obtained from third-party sources and our own internal estimates and research. While we believe these third-party studies, publications, surveys and other data are reliable as of the date of this post, they have not independently verified, and we make no representation as to the adequacy, fairness, accuracy, or completeness of any information obtained from third-party sources.}