Private vs. public cloud and the compliance conundrum

With a raft of new regulations impacting multiple industries over the last few months, businesses are having to spend more time than ever thinking about compliance.

GDPR has, of course, been the most widely discussed, but it isn't the only one. Financial services firms have a revamped version of the Markets in Financial Instruments Directive (MiFID II) to respond to, while the UK telco industry is facing the prospect of new legislation being enforced after Brexit.

The threat of financial penalties and reputational damage means organisations simply can't afford to be complacent. However, the complexity of managing compliance in new infrastructure, as well as the effort already involved in ensuring existing systems are ready to go, is prompting many businesses to shy away from public cloud.

Concerns are primarily due to a misconception that public cloud platforms, with data held by third parties on shared systems, will be a more difficult undertaking than traditional in-house systems and potentially less secure.

The truth is actually very different. Public cloud services can often be a more secure option than in-house systems. So, what exactly is behind this misconception, and why should businesses be trusting public cloud services with their compliance needs?

Staying private

On the face of things, it's easy to see why many people would assume on-premises infrastructure is more secure. In theory, businesses know exactly where their data is being stored and have greater visibility and control over how it is managed.

They can also design the architecture to suit their own specific needs and preferences, and they avoid the risk of data loss if a public cloud provider goes out of business.

However, firms would be wise to remember that operating their own private cloud places the responsibility of security and compliance squarely on their shoulders. Businesses are at the mercy of the resilience of their local power grid, potentially leaving them helpless if something goes wrong.

It also leaves them vulnerable to internal data theft. Employees may have easy access to confidential data, sometimes with very little to stop them from simply pulling a disk from a server and leaving the building with it. Often employees can also connect personal USB drives which may contain malware or viruses. Huge faith is placed in the firewall as an effective means of keeping intruders out, yet backdoors may well exist in the form of unsecured modem connections or legacy access control processes.

So just because infrastructure is in your data centre, that doesn't mean it is inherently more secure, resilient or suitable to meet the needs of regulatory compliance than public cloud.

Pushing for public

While some businesses may feel more comfortable knowing their data is being stored within their own walls, data location is only one small aspect of security and compliance.

Along with the provision of innovative new services, it is the job of public cloud providers to protect their customers' data through both physical and virtual means. A central component of their value proposition is the delivery of systems, tools and continuity plans that make their cloud infrastructure safe and secure.

Public cloud providers are also likely to carry out software patching on a more regular basis. Businesses running their own private clouds will generally be slower to patch security gaps, leaving themselves exposed to potential data breaches and compliance holes. The recent Spectre and Meltdown vulnerabilities are great examples of this, with Google, Microsoft and Amazon all patching their systems quickly after the problems became public. Meanwhile, many businesses will still be trying to determine what systems they need to patch and how they go about doing it.

Furthermore, public cloud providers tend to have highly skilled and experienced IT teams, which isn't something that can be said for all businesses amidst a growing skills gap. That gap is causing problems when it comes to addressing technical compliance challenges, many of which could be solved using third-party infrastructure.

As end users become more sensitive to the security of their personal data, these challenges are only going to grow. In many cases, public cloud can actually be a better option than a private cloud for systems with high security and compliance requirements and can certainly be a less complicated option for businesses.

That's why organisations today, amidst shifting regulatory landscapes, should be embracing public cloud services as part of a hybrid cloud offering on their journey to compliance.

Contributed by Mark Baker, field product manager, Canonical

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.

Mark Baker, Field Product Manager, Canonical