VMblog.com

It is possible, however, to cut this debate in a different way if you look at it not from an IT perspective, but from the point of view of the end user of an application. That end user often has similar expectations from a “public” and a “private” cloud solution.

Let’s take a business case and analyze it from a security point of view – this is the most direct way of bringing out the argument. Suppose you are creating an application for your users which manages sensitive information. Further assume your users are not internal to your own organization.

That latter point is central. If your users are completely internal to your own organization, especially if they are pure IT users or are localized (your organization is not too far-flung), chances are you have no business reason to go to a public cloud at all, and even a private cloud may be just a fun technology play for you. In other words, if your users are completely internal and/or a tight-knit group, doing a “cloud” approach is a matter of technology fashion and not a business need.

So, let’s go back to the business case we outlined, where your users are not internal. As a consequence, your users will not care whether you have implemented your solution on a third party vendor’s cloud or on your own private cloud. The users will have many of the same security expectations, and meeting these expectations may involve many of the same technologies.

Security is touted as one of the main differentiators between private and public clouds. As more users express the same expectations from both, we will see a more mature discussion emerge in 2013. Private clouds will certainly leverage existing investments in the data center, and offer more direct control to the service provider; public clouds will offer economies of scale. But both kinds of provider will find that they have similar security conversations with their customers.

For example, sensitive information in the cloud should always be encrypted. Your users will not need to understand the technological details, but they will need to know that – at the end of the day – you have provided maximum security for their data, so much so that it is private even to you. This can be achieved today with cutting edge technologies, such as Homomorphic Key Encryption and Split Key Encryption. While users need not understand the details of these technologies, they will appreciate the result: A guarantee from you, their supplier, that you can never read their data; and that they have full control of their data through a simple “master key” that is never exposed in the cloud or to anyone but the user.

In another example, let’s address concerns about physical access. Your users want a guarantee that physical access is tightly controlled to the servers that deliver the application with their data. Whether you control physical access yourself, or farm it out to a third party who has controls you trust, is up to you. Your users will – in both cases – want the guarantee from you, and it is up to you to decide whether you achieve this directly or through outsourcing and contractual obligations.

Such attitudes among the users – the people that count – mean that the differences between public and private clouds are not all what they are hyped to be. This is affecting the market – user perceptions are affecting supplier perceptions. More and more shops understand that the security questions that matter most will come up whether you label your solution as private or public. In 2013 we will see this view becoming commonplace, and users in both scenarios  will be shopping around for solutions to similar security issues.

The post Private and Public Clouds will be, in many ways, the same in 2013 appeared first on Porticor Cloud Security.