Private cloud versus public cloud security

Very often people say cloud when they actually mean public cloud. For this reason, in the book, we'll always specify private cloud or public cloud and when we do not specify anything, the word cloud is used in both senses at the same time.

This is a necessary disclaimer because when speaking of security, private and public clouds have completely different issues, but let's start from the beginning.

The private cloud

A private cloud environment is operated solely for a single organization (or person) by internal or third-party personnel. In a private cloud situation, all machines are owned (or leased) by the organization and will run that organization's software exclusively.

From an economic perspective, private clouds are less flexible; the number of machines stays fairly stable over time compared to public clouds.

From a scalability perspective, private clouds are not very flexible because you can't use more processing power than you have installed. Very often, private clouds are kept at an average of 80-90 percent load, which means you can burst only 10-25 percent above your average load.

From a security perspective, private clouds grant you full access (and full responsibility) to create a safe environment. This means that no one can look at your data if you build a safe environment, but you will have to spend money to build it. Usually, these clouds are created behind a company's firewall, which helps secure them. This advantage is negated if the cloud hosts web-readable/writable content, because in that case you'll have to open your firewall ports. This is often mitigated by creating two different clouds: one for web-accessible data (in a DMZ) and one that is accessible only by internal users (in the internal network).

The public cloud

"There is no [public] cloud, only other people's computers."—Free Software Foundation Europe

A public cloud has very different problems and opportunities as compared to a private cloud.

From an economic perspective, with a public cloud you pay exactly for what you use as you go, so there are no upfront costs.

From a scalability perspective, public clouds can be considered as limitless because they usually have so many resources available that you can start up all the machines you need without worrying about cloud capabilities.

From a security perspective, the public cloud is more complex to analyze. Since cloud providers usually run millions of machines at any given moment, they can invest far more in security than the average company. Thus, their cloud is very secure. The drawback is that you have to trust the Cloud Service Provider (CSP) completely with your data. If the CSP would like to see your data and everything you run on their machines, they can. If they are interested in selling your data to your competitor, there is very little you can do. Also, we have to remember that public clouds can be attacked from inside, since an attacker can lease a virtual machine directly in the cloud for a few dollars, no questions asked.

Note

Since all users of a public cloud are not in the company network of the cloud service provider, public clouds have to be accessible from the Web, increasing the attack surface of public clouds.

Private cloud versus public cloud

The following is an easy-to-remember schema that will help you immediately understand the advantages and disadvantages of public and private clouds:

As we can see, public clouds and private clouds are very different, and there isn't a choice that is always right or one that is always wrong. It depends on the specific software you have to deploy. If you integrate a private cloud with a public cloud, you'll have a hybrid cloud. Usually, the public part of a hybrid cloud has the same characteristics as a public cloud, and the private part has the same characteristics as a private cloud.