Comment: Public vs Private – Things that Really Matter In the Cloud

Kurt-Elli believes the balance of performance, compliance and support is not well aligned for business applications in the public cloud
Kurt-Elli believes the balance of performance, compliance and support is not well aligned for business applications in the public cloud

It’s an interesting move by Red Hat to enter the platform-as-a-service market with an open-source alternative particularly as they will initially be using Amazon’s EC2 cloud infrastructure to host customers’ applications.
The recent Amazon EC2 outage in April was the worst in history and shows that while large scale, self-managed and commoditized infrastructure-as-a-service has price benefits, if things go wrong, they do so in a big way.

On-demand, pay-as-you-go capacity has become the norm, but the operational side of the public cloud is a key issue for businesses. It provides a management challenge because the public cloud is primarily a service bought without any commitment or contract. So who has responsibility for security and resilience?

Amazon has been less than honest about the nature of its cloud resilience or how their nodes work in practice, but no competitor has publicly shamed them, highlighting the fact that everyone knows that large-scale outages are possible, and more are likely. This is not a question of competence – in technology, things can go wrong. The question is how to manage risk when the parameters for risk in the public cloud are less than clear.

There is some pretty scary commentary about the potential security risks associated with the public cloud. There are many business leaders driving their IT departments to push critical business applications and data into the public cloud to benefit from the cost savings, but the security concerns are real.

Most public clouds rely on software-based network virtualization, which means you are relying on complicated operating systems to act as the switch, with the added performance and security overhead that comes with running a network on a software platform. In private cloud hosting, virtualization is still applied but using traditional, secure network security models, with the option of deploying the same virtual systems but in a dedicated hardware or data center environment.

The private cloud can provide organizations with the benefits of managed virtualization and a rental consumption model for compute and storage in a controlled infrastructure – something that is particularly key to compliance markets.

With private cloud hosting, you receive best-of-breed switching in the data center to ensure high performance, secure virtual LANs and options of layer 2 or layer 3 virtual private networks (VPNs) to allow secure, safe connectivity.

This approach provides businesses with a secure hybrid between virtualized, dedicated and co-located infrastructure. The use of hardware-based managed firewalls also means that there is no issue with quoting throughput expectations for the network.

It is also difficult to find any public cloud operators that would support audits and provide the relevant audit documentation to ensure technology and operational compliance. This means that public cloud operators will not be able to support the compliance needs of some business users.

Cloud computing relies on two key but fallible platforms: technology and humans. I suggest businesses take the pragmatic view that things will go wrong with technology, so the question is what service level can you expect to support you business in the event of a problem, and what commercial service level agreement (SLA) underpins that promise?

It is necessary to apply the same due diligence to a cloud operator that you would to any other IT supplier. In most large-scale cloud offerings, the SLAs and commercial rebates are not worth the invoice they are digitally printed on. In the case of Amazon Web Services, the credits are applied to the next invoice you receive, which means you have to commit to ongoing services to benefit from your downtime.

Cloud storage looks cost effective, but no promises are possible regarding transactions per second or latency between application servers. This means that they perform a valuable service for third-tier storage, such as batch processing or other non-latency dependent applications, but when end users with a service level expectation are involved, it is limited. Therefore, the balance of performance, compliance and support is not well aligned for business applications in the public cloud.

The private cloud model relies on a robust commercial suite of management applications integrated into the same monitoring platform and automation of software patching and updates that supports the hygiene factors customers come to expect from their IT suppliers. This allows for an outsourced approach to system administration and for organizations with in-house IT to free up resources.

The private cloud model is of no value to someone wanting to quickly deploy a bit of streaming video content for a two-week advertising campaign, but if a business is looking to virtualize business-critical IT, outsource IT hygiene factors and benefit from the security and efficiency of data center hosting, then it is worth engaging in a conversation with a private cloud provider.

Lumison COO and founder, Dr Aydin Kurt-Elli, was brought up throughout Europe before training and graduating MBChB from Edinburgh University in 1998, with an intercalated BSc in biochemistry. Having been involved in computers from an early age, Kurt-Elli set up edNET in 1995 during medical school, and has grown the company since its inception. Kurt-Elli has also sat on the board of other businesses in executive and non-exec roles, as well as a few charity and non-profit organizations.

What’s hot on Infosecurity Magazine?