Professional Documents
Culture Documents
Research Paper
Public Cloud Computing vs. Private Cloud Computing:
How Security Matters
Delvis Simmonds
Alli Wahab
Cameron University
IT Capstone
Dr. Diaz Gomez
April 27, 2012
Public Cloud Computing vs. Private Cloud Computing: How Security Matters 2
Table of Contents
Abstract ......................................................................................................................3
Introduction……………………………………………………………………………………………………………….3
The growth of Cloud Computing ..................................................................................5
Public Cloud Security Issues ................................................................................................................................7
Private Cloud Computing ............................................................................................9
Private Cloud Security Issues ..............................................................................................................................9
Concise comparison .................................................................................................. 10
Conclusions & Future Work ....................................................................................... 11
Bibliography ............................................................................................................. 12
Public Cloud Computing vs. Private Cloud Computing: How Security Matters 3
Abstract
Cloud computing has promised to enhance efficiency, flexibility, greater agility,
less capital expenditure and to overcome geographic limitations to compete in a global
market. If adopted and implemented, businesses would require not only new
architectures, but also new ways to procure IT services. More and more companies are
shifting to Cloud based services, but at the same time they are concerned about the
security risks. One thing that is really unclear to many is the understanding of what a
Cloud really is. Hopefully after the definitions and illustrations of Cloud computing are
given you will understand it better. Much attention will be given to public and private
Cloud computing issues; as more businesses today utilize Cloud services and
architectures, more threats and concerns arise.
Introduction
Cloud computing represents a major change in how we store digital information
and run computer applications hosted in the “Cloud” (Miller, 2009). While still a
buzzword, the Cloud seems to be confusing, and the concept tends to evoke multiple
responses (Vorro, 2011). There are many definitions of Cloud computing, but they all
focus on certain characteristics of it. The several definitions stem from the three main
categories of Cloud computing which are Infrastructure-as-a-Service (IaaS), Platform-as-
a-Service (PaaS), and Software-as-a-Service (SaaS).
Furthermore, Cloud security is also a broad term and is of major concern. The
security challenges Cloud computing presents are formidable, including those faced by
public Cloud whose infrastructure and computational resources are owned and
operated by an outside party that delivers services to the general public via a multi-
tenant platform and for the private Cloud which is hosted on-premise, scales “only” into
the hundreds or perhaps thousands of nodes, connected primarily to the using
organization through private network links. Security concerns such as secure data
transfer, secure software interfaces, secure stored data, user access control and data
separation must be considered before moving to the Cloud (Beckham, 2011).
Attempting to address security and privacy issues after implementation and
deployment is not only much more difficult and expensive, but also exposes the
organization to unnecessary risk (Julie, 2011). As a result, many companies remain
skeptical about entrusting their data and computing tasks to outside vendors including
Microsoft, IBM Smart Cloud, and Google. Every trade publication and analyst firm has
done a survey of CIOs regarding Cloud adoption. Results showed that security was the
top reason why CIOs are not too anxious about adapting to the Cloud (see Figure 1).
Public Cloud Computing vs. Private Cloud Computing: How Security Matters 4
Figure 1: The results in the graph above are gathered from a survey of CIOs,
organizations and IT professionals, which was carried out by the International Data
Corporation (IDC) in 2009. On a whole, the results have been quite steady up until now.
The highest challenge/issue related to the Cloud is security. Security is not the only
concern. Issues such as cost, availability, performance, and standardization are also very
high considerations.
This research paper will provide a definition of Cloud computing, the security
issues related to public and private Cloud computing, and give a concise comparison of
both models, focusing more on the security issues.
The definition mostly used today is the one expressed by the National Institute of
Standards and Technology (NIST), which states: “a model for enabling convenient, on-
demand network access to a shared pool of configurable computing resources (e.g.,
networks, servers, storage, applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider interaction” (Grance, T.,
Mell, P., 2009).
The NIST’s definition is much more detailed, and will be the one referenced to in this
paper.
Cloud computing is available in several service models. Each model has different
levels of responsibility for security management. See Figure 2 below for a depiction of
these service models.
Public Cloud Computing vs. Private Cloud Computing: How Security Matters 5
Figure 2: Cloud computing models. Taken from (Buecker, Lodewijkx, Moss, Skapinetz,
Waidner, 2009).
global leader in assurance, tax, transaction and advisory services (see Figure 2).
Previous Work
The interesting debate of public Clouds vs. private Clouds has resulted in other
research. In an article by Beth Schultz entitled “Public Cloud vs. private Cloud” 76% of
IT-decision-makers would focus initially on the private Cloud, but private Clouds may
not always be the best solution. The better approach is to evaluate specific applications,
security and compliance considerations and then decide what is more appropriate for a
private Cloud and what is more appropriate for a public Cloud. The size and type of the
company are huge factors in the decision making process; if you are at a smaller
company and don’t have a huge data center, then a public Cloud service will be
acceptable. Whereas, if you are at a larger company which requires mission-critical
applications or data, then it would not be wise to place the more important stuff on a
public Cloud (Schultz, B. 2011). Microsoft TechNet has done some research and
documentation on the security issues in public and private Clouds, reminding us not to
ignore security, even when the CSP appears to control the entire stack (Microsoft
TechNet (1), 2012). Whether the choice is a private Cloud or public Cloud the security of
your data will be very important in both cases. Cloud computing is only as secure and
reliable as the Cloud vendor providing the service, whether it is you or a third-party
(Joyent, 2012).
Internet as needed. On the other hand, Private Cloud computing reassures the
organization that their information and processes are more secure since everything is
managed internally. Hybrid Cloud computing is a combination of both private and public
services. Hybrid Cloud computing is another extensive topic; therefore this paper will not
discuss it.
your data and many others’ in danger. A perfect example is Sony’s data
breaches in 2011. Sony faced customer relation fallouts, and lawsuits over its
failure (Schwartz. M, 2011).
Data Loss
Cross-tenant data leakage
- vulnerabilities of shared network infrastructure components, such
as vulnerabilities in a DNS server, Dynamic Host Configuration Protocol, and IP protocol
vulnerabilities, might enable network-based cross-tenant attacks in an IaaS infrastructure
(Pfleeger, Irvine, Kwon, 2012).
• Security Zones
- Resources of different types and sensitivity levels should be located in
separate security zones (Stawowski, M., 2007).
Based on previous studies and the definition of a private Cloud, private Clouds
will immediately seem to be more secure than public Clouds because of how the
infrastructure is designed. It gives the organization more control over their policies and
security. According to NIST, the internal private Cloud is more suitable deployment
models that offer an organization greater oversight and authority over security and
privacy, and better limit the types of tenants that share platform resources, reducing
exposure in the event of a failure or configuration error in a control.
Private Clouds typically would suffer from perimeter complacency; thinking that
because it is on the internal network, it must be secure; the Internet and viruses are still
present. So, caution and security standards should not be lowered just because it is private
(Bloomberg, 2012). Moreover, the private Cloud requires that to have total control over
all layers of the stack, which includes any traditional network perimeter security you
might want to have in place. In a private Cloud model, the Cloud services are not
typically exposed to the general Internet users and remote access to private Cloud hosted
resources is enabled through mechanisms used in traditional data centers. Private Cloud
computing typically uses virtualization technologies to increase hardware utilization and
to abstract compute, memory, network, and storage component from Private Cloud
consumers (Thomas, 2011). See Table 1 below for a concise comparison of public
Clouds and private Clouds.
Concise comparison
Table 1: A concise comparison of public and private Clouds.
Public Cloud Private Cloud
Low investment hurdle High investment hurdle
Negative loss and control over data IT organization retains control over data
Higher risk of multi-tenancy data transfer Fewer security concerns
Public Cloud Computing vs. Private Cloud Computing: How Security Matters 11
Bibliography
Beckham, J. (2011) The Top 5 Security Risks of Cloud Computing. Retrieved February17,
2012 from http://blogs.cisco.com/smallbusiness/the-top-5-security-risks-of-cloud-
computing/
Bitpipe. (2012) What is driving hybrid cloud computing? Differences explained: Private
vs. public vs. hybrid cloud computing. Retrieved April 13, 2012 from
http://docs.media.bitpipe.com/io_10x/io_100433/item_419065/HPIntel_sCloudCo
mputing_SO%23034437_E-Guide_052611.pdf
Bloomberg, J. (2012) Why Public Clouds are More Secure than Private Clouds.
Retrieved March 2, 2012 from http://www.zapthink.com/2012/02/07/why-public-
clouds-are-more-secure-than-private-clouds/
Buecker. A., Lodewijkx. K., Moss. H., Skapinetz. K., & Waidner. M. (2009). Cloud
Security Guidance. IBM Recommendations for the Implementation of Cloud
Security. Cloud security: the grand challenge. Retrieved April 16, 2012 from
http://www.redbooks.ibm.com/redpapers/pdfs/redp4614.pdf
Ernst and Young (2011). Into the cloud, out of the fog. Retrieved April 13, 2012 from
http://www.ey.com/GL/en/Services/Advisory/2011-Global-Information-Security-
Survey---Seeing-through-the-cloud
Gens, F. (2009) New IDC IT Cloud Services Survey: Top Benefits and Challenges.
Retrieved March 16, 2012 from http://blogs.idc.com/ie/?p=730
Grance, T., Mell, P. (2009) The NIST Definition of Cloud Computing. Retrieved March
15, 2012 from http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf
Joyent (2012) Security in Public and Private Cloud Infrastructures. Retrieved March 15,
2012 from http://www.joyent.com/documents/Joyent-Security-in-Public-and-
Private-Cloud-Infrastructures-White-Paper.pdf
Public Cloud Computing vs. Private Cloud Computing: How Security Matters 13
Joe (2011) Are Private Cloud really more secure than Public Cloud? Retrieved April 1,
2012 from http://www.smartplanet.com/blog/business-brains/are-8216private-
clouds-really-more-secure-than-public-clouds/13583
Microsoft TechNet (1), 2012. Security Issues in the Public Cloud. Retrieved April 13,
2012 from http://social.technet.microsoft.com/wiki/contents/articles/security-
issues-in-the-public-cloud.aspx
Microsoft TechNet (2), 2012. Security Issues in the Private Cloud. Retrieved April 13,
2012 from http://social.technet.microsoft.com/wiki/contents/articles/security-
issues-in-the-private-cloud.aspx
Miller, M. (2009) Understanding Cloud Computing. Retrieved February 17, 2012 from
http://www.informit.com/articles/article.aspx?p=1321170
Pfleeger. L. S., Irvine. C., Kwon. M. (2012). "Guest Editors' Introduction," IEEE Security
and Privacy, vol. 10, no. 2, pp. 19-23. Retrieved March-April 2012
SAS 70 (2012). Introduction to SAS 70 Type II Audit. Retrieved April 16, 2012 from
http://www.sas70exam.com/services/type-ii-sas-70-audit/
Schultz, B. (2011). Public cloud vs. private cloud: Why not both?. Retrieved March 14,
2012 from http://www.networkworld.com/supp/2011/enterprise2/040411-ecs-
cloud.html?page=1
Thomas (2011). Security issues in the Private Cloud. Retrieved April 1, 2012 from
http://social.technet.microsoft.com/wiki/contents/articles/security-issues-in-the-
private-cloud.aspx
Public Cloud Computing vs. Private Cloud Computing: How Security Matters 14
Vaquero, L., Rodero-Merino, L., Caceres, J., Linder, M. (2009). A Break in the Clouds:
Towards a Cloud Definition. Retrieved February 15, 2012 from
http://ccr.sigcomm.org/online/files/p50-v39n1l-vaqueroA.pdf
Vorro, A. (2011) Clearing away cloud computing confusion. Retrieved February 17,
2012 from http://www.insidecounsel.com/2011/11/01/clearing-away-cloud-
computing-confusion