Technology providers frequently talk about the public cloud and the private cloud. If you’re not quite sure what those terms mean, you’re not alone. In our annual banking priorities survey, the majority (58%) of bankers admitted that they didn’t know enough about the public cloud to decide whether it was worth the investment.
To better understand the cloud and its public and private distinctions, consider this popular meme: “There is no cloud. It’s just someone else’s computer.” In other words, the cloud is just computing resources housed offsite, managed by a third party and accessed via the internet. How and for whom they are managed basically determines whether it’s a public cloud or a private cloud.
That’s the simple explanation, but your institution needs more detail than that before it can make the decision to rely on a third-party cloud provider to hold its sensitive data or perform its business functions.
Making Sense of the Public Cloud
You already use the public cloud whether you realize it or not. Think Zoom during the day and Netflix at night. Beyond that, most Software-as-a-Service (SaaS) sits in the public cloud. For example, many users now access Microsoft Word, Excel and PowerPoint through Microsoft 365. Instead of downloading these applications to individual computers, subscribers simply go to them from any device via the internet.
The SaaS provider owns and manages everything about the service (the hardware, network, storage and virtualization) and makes it available to anyone who wants it. That’s why it’s called public. Importantly, though, each user’s data is kept separate from other users’ data unless they choose to share it.
Another public cloud offering is Platform-as-a-Service (PaaS), whereby a third party offers and manages a platform on which subscribers can build and run their own business applications. Infrastructure-as-a-Service (IaaS) is yet another public cloud option, where the third party hosts and manages all fundamental business computing, networking and storage, which users can access on demand.
Some of the most well-known providers of PaaS and IaaS are Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform (GCP).
Benefits of Public Cloud Computing
At its core, public cloud computing democratizes the internet because providers operate at significant economies of scale. This creates several benefits for users of public cloud services:
- Enhanced security and compliance: Public cloud providers have the wherewithal and the incentive (customer satisfaction and company reputation) to invest in the talent and technology needed for more secure and compliant environments. As a result, Gartner says, “there have been very few security breaches in the public cloud—most breaches continue to involve on-premises data center environments.”
- Unlimited scalability: Public cloud providers host some of the largest IT environments in the world, so organizations don’t have to worry about being hemmed in by obstacles associated with non-cloud technology. When you’re ready to grow, the capacity is already available to you without a major capital investment.
- Usage flexibility: Some organizations need to scale up and down by the season, in certain geographic areas or for other reasons. With public cloud computing services, company usage can ebb and flow as needed without negative consequences if it’s within the organization’s own internet bandwidth.
- Low maintenance: Because the third-party provider owns and administers the technology, it’s responsible for dealing with its fixes or failures. This takes the pressure off your IT resources, allowing you to more strategically allocate them to focus on your core business.
- Minimal equipment needs: You don’t need to worry about high-dollar, resource-intensive server or networking equipment replacement projects because that falls to the public cloud provider.
- Built-in redundancy: With public cloud services, you have the option to automatically back up applications and data, ensuring that data is not lost.
- Work portability: You can access public cloud services via the devices you designate, any time, from anywhere, which can support whatever workforce environment you need at any given time: on-site, fully remote or hybrid.
- Business continuity: When something interrupts a particular employee, site or geographic area’s work capability, that function can easily resume elsewhere without any downtime to staff or customers.
- High reliability: Due to their vast network of data centers, public cloud providers have built-in redundancy and don’t often experience downtime. And in most cases, expected uptime levels are included in service level agreements.
- Price flexibility: Because their resources are available for a vast pool of users, public cloud computing services tend to be less expensive. Moreover, organizations used to pay upfront for their expected storage and computer needs, which left investments unused for years. But now with pay-per-usage models, you only pay for what you use, meaning every dollar spent goes toward furthering today’s business goals.
Critical Considerations for Public Cloud Services
There are some possible downsides to moving some or all of your systems to the public cloud. Here are the biggest risks to consider as you determine whether you can adequately mitigate them:
- Data location: As part of vendor due diligence, institutions should find out where their data will reside before migrating it to a public cloud provider’s data centers. In particular, find out if your data would remain in the U.S. If not, your institution could be subject to foreign privacy and cybersecurity regulations that require additional compliance efforts.
- Migration: For logistical, redundancy, security and other reasons, moving to the public cloud doesn’t happen overnight. Depending on the size of your institution and what you’re moving to the public cloud environment, you’ll need to factor in things like potential downtime during the transition, employee training requirements and the overall time to complete the transition.
- Backups and data recovery: Although public cloud services generally feature automatic backups, your institution should have a clear understanding of a provider’s backup policy and procedures, along with your accessibility rights, before entering into any contract. In addition, your disaster recovery plan should be updated to reflect the data backup and accessibility roles, responsibilities and privileges associated with any cloud migration.
- Connectivity: Cloud services can be accessed no matter where the user is located or what device they’re using, but they still need the internet for that access. Institutions need to understand this potential risk and develop a backup plan in case of internet outages and connectivity issues, especially for mission-critical functions.
- Security: Providers can change configurations as they see fit, so your institution needs to be prepared to regularly monitor and review such changes to ensure your security needs are met.
- Data ownership: Institutions also need to understand who owns their data once it’s stored in the cloud on someone else’s servers. This should be discussed and delineated in your service level agreements.
Defining the Private Cloud
Private cloud services reside on the other end of the spectrum. Rather than being available to any and all subscribers, providers limit access to one or more specific organizations. In some cases, the third party only hosts the data center, and the customer owns and operates the private cloud itself. In others, the provider offers managed services to own and operate the environment for the customer.
Benefits of Private Cloud Computing
As with the public cloud, private cloud services come with several upsides:
- Location control: The customer knows the exact location of its services and data because most service level agreements delineate a set list of primary and secondary locations.
- Scalability: Private cloud options generally offer more growth capacity than on-premises, legacy environments. The full extent of that capacity depends on the provider’s space and ability limitations, or more often on the customer’s budget constraints.
- Low maintenance: Like public cloud services, private cloud services remove the need for hardware refreshes or larger-scale equipment replacements because that is the provider’s responsibility.
- Migrations: Some private cloud transitions occur more easily or quickly than public cloud migrations, although that is not guaranteed.
- Reliability: When moving from an on-premises, legacy system to a private cloud environment, institutions gain more power redundancies and other environmental controls, which providers guarantee through their service level agreements.
Critical Considerations for Private Cloud Services
Likewise, there are risks to consider, including:
- Exit strategy: Choosing to leave the private cloud environment requires a full migration. As InfoWorld explains, there’s not an easy or direct “A-to-A mapping of the cloud services from your private cloud to the public clouds.”
- Price: Private cloud services can be more expensive than the public cloud, especially for dedicated resources.
- Shared servers: Data resources may be shared by multiple customers, so data privacy and separation need to be addressed in your service level agreements.
- Data ownership: Similar to the public cloud, when you’re storing your data on someone else’s computers, you need to clarify who owns the data once it moves to the private cloud.
Take a Risk-Based Approach to Your Cloud Decisions
When it comes to migrating your institution to a public or private cloud environment or even a combination of the two (hybrid cloud), it helps to understand the key differences and the pros and cons of each. This allows you to make a risk-based decision that is best in your particular circumstances.
Rachael Schwartz has more than nine years of experience in advising financial firms. Prior to joining CSI, she worked with some of the largest hedge funds and private equity funds in New York City as an IT and cybersecurity consultant. In her current role at CSI, she lends her expertise to community banks, helping them maximize their technology investments and increase security while reducing their operational burdens.