markrubens - Fotolia


Distinguishing types of cloud services and their security risks

The different type of cloud services -- public, private and hybrid -- all provide different security for enterprises. Here's an explanation of each kind and their security pros and cons.

In the world of technology and security, it's easy to get lost in semantics. The rapid development of technologies means that definitions for terms are always changing, and that's especially true in the cloud services market. The lines between public and private clouds have blurred lately with the rise of colocation, multi-tenancy and virtualized infrastructure. In this tip, let's look at what qualifies as public cloud, private cloud and hybrid cloud, and the security aspects of each of these types of cloud services.

The difference between types of cloud services

There are several major considerations when trying to categorize public, private and hybrid clouds:

  • Physical location: Where do the cloud assets operate? Many organizations have considered private cloud to be within an internal data center owned and operated wholly by its staff, where public clouds are run in a provider's data center. This gets tricky, however, when an organization has cloud assets in a colocation facility. Somewhat related to physical location, a scenario where all assets are owned and maintained by the organization -- regardless of physical location -- may be considered a private cloud instead of a public one.
  • Single or multi-tenancy: Do cloud assets operate on dedicated physical hardware, or are the assets run in a shared resource environment -- usually virtual? Some organizations feel that a private cloud must run on dedicated hardware with no other tenants sharing the disk, memory or CPU.
  • Responsibility: Who is responsible for configuring and maintaining the assets, and to what level in the stack? To some degree, this depends on the cloud service delivery model -- IaaS, PaaS or SaaS -- but many private cloud implementations allow for a greater degree of configuration and control.
  • Degree of access: Some feel that public cloud is available to any potential customer who can sign up online and access the services, where a private cloud is more restricted both in service initiation and later access to resources.
A hybrid cloud likely offers the most flexible approach to security controls implementation.

While there are many ways to define the public and private type of cloud services, most agree that a hybrid cloud exists when some assets are maintained internally, and others are moving into more public cloud environments. This model is becoming much more common as organizations look to migrate certain assets into the cloud to save money and realize certain efficiencies. In fact, this cloud model is often the result of when an organization decides to take its first step into cloud computing -- not realizing that allowing interfaces between internal resources and external clouds creates a hybrid model that warrants specific security measures and analysis.

Security pros and cons

Regardless of how you choose to define the types of cloud services, there are distinct security benefits and drawbacks to each. For the most part, a public cloud service relies primarily on the service provider to build and maintain security controls. This could be an advantage or a disadvantage, depending on your perspective. Some cloud providers have excellent security capabilities, but the lack of control and transparency may be considered a negative for many organizations. There may also be fewer configuration options for security controls -- as well as fewer supported vendor options and products -- in a public cloud.

A private cloud, on the other hand, may afford organizations more control over security options, ranging from network control to monitoring and privilege management. With an on-premises private cloud, where an organization controls the hypervisors and all other components, the organization will be responsible for all security controls and products, though this may also prove to be a drawback for some. As many private cloud implementations are now within public cloud provider environments, this line is blurring rapidly, and many so-called private clouds scarcely differ from public cloud services in security controls available. A hybrid cloud likely offers the most flexible approach to security controls implementation, in that organizations can keep some assets and services in-house, applying tried-and-true controls where they can more carefully manage them, with external cloud services and available controls as well.

For the foreseeable future, most cloud provider environments will offer less direct oversight of security controls than those in-house, regardless of the terminology. For organizations that want or need to maintain many of their existing controls, on-premises private clouds or hybrid options are likely the best choices out of these types of cloud services.

Next Steps

Learn how hybrid cloud architecture types differ from the others.

Find out how to lock down private cloud security.

Discover how to create a secure data backup strategy for private cloud

Dig Deeper on Hybrid and Private Cloud Computing Security