Before there was “the cloud,” there was utility computing and grid computing. At one point, Sun Microsystems told us, “The network is the computer.”
But few SMBs—much less enterprise IT users—wanted to trust third-party suppliers with vital corporate data. They’re still reluctant, in fact. So, in order to give themselves the benefits of cloud computing while maintaining the privacy and security of a behind-the-firewall computing environment, a growing number of corporate IT people are setting up private clouds.
This is the official NIST definition of a private cloud:
“The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.”
This is the opposite of, say, Amazon’s cloud services, which are 100 percent public and open to anyone who can afford them.
Aside from technical and security concerns, there are psychological reasons to maintain critical data either in local servers or a cloud-computing environment under your company’s sole control. Almost every article about residential burglary notes that smart burglars always start by ransacking the master bedroom because people keep their valuables close to them; these are the same people who go to work and want to keep their companies’ data as close to them as possible.
Don’t laugh. There is a strong niche market for “PC safes” that physically secure under-the-desk PC towers. These safes may not do anything to prevent remote intrusions, but a non-technical management person will probably feel more comfortable with his desktop computer locked inside one of these enclosures.
Many managers also love seeing pictures of their companies’ servers in locked-down cages at hosting services or data warehousing facilities (see the one above from RagingWire, which offers custom cages for datacenters).
When it comes to satisfying non-technical managers and maintaining real security, private clouds are better than community or public clouds (even though many cloud-based SaaS providers, such as Salesforce.com, have excellent security track records).
Joel Bilheimer, vice president of Systems Integration Services for Pershing Technologies LLC, deals extensively with DoD secure computing environments. “In many parts of the public sector, particularly secure verticals such as defense and intelligence, the private cloud is the only way to provide hosted applications across enterprises,” he said.
Security is perhaps the biggest reason for maintaining private clouds in sectors such as defense. That being said, even the most secretive government agencies have an obligation to publish certain data, a service that may rely on the commercial cloud in some fashion. Agencies also have use for unclassified email services and Web applications.
“That said, whether you’re talking about data-at-rest (DAR) or data-in-transit (DIT), public or shared cloud services simply do not have the security requirements necessary to store or transport highly sensitive material,” Bilheimer said. “Consider that the biggest cloud players—AWS, Google Apps for Government, MS Office 365/BPOS—have all thrown millions of dollars at FISMA compliance, and none of them have been officially certified by FedRAMP yet (nor would we expect any of them to be certified before FY2013).”
Nor have those cloud players claimed FISMA High compliance, the minimum necessary for hosting sensitive material.
“It goes without saying that there are certain types of data that will never be hosted publicly,” Bilheimer added. However, defense IT pros acknowledge that sharing information across agencies is important to the national mission. “They are definitely cognizant of the expertise that the commercial sector brings in this arena and are looking to capitalize through private hosting contracts and public-private partnerships – assuming, of course, that application security is up to the task.”
Even in the IT environment for small- to midsize businesses, some of the same concerns faced by the DoD must also be considered. For one thing, internal IT client entities (such as purchasing, accounting, HR, and customer service) each come with unique requirements, and often a separate IT budget. Can an IT administrator best serve those internal clients via a generic public-cloud environment—or by using applications suited for each one’s needs, running on a private cloud over which the organization has complete control?
In most corporate use cases, the latter is likely to be true; and the larger the company, the more true it is likely to be.
The biggest disadvantage of a private cloud is an inability to draw extra computing power, as necessary, from a third-party cloud supplier. That is, unless one makes arrangements for backup capacity from Amazon or another cloud-services provider.
For many companies, though, the risks and headaches of private clouds are turning out to be more than worth it.