In general, Cloud computing can be said to offer the same benefits to an organisation; cost-efficiency, flexibility and reliability.
As budgets in the Public Sector have been heavily cut over nearly a decade of austerity, Cloud technology offers Public Sector organisations the opportunity to identify and deliver structural cost savings while also working more efficiently and flexibly to sustain and improve services for citizens.
However, when choosing the best method of Cloud deployment for a Public Sector organisation, the primary concern is usually security. It is this concern that leads organisations considering a transition to the Cloud, to opt for ‘Private’ Cloud over ‘Public’ Cloud.
There are disputes about where Public Cloud ends and Private Cloud begins. Clear definitions are important when seeking to discuss the expectations, features and limitations of these services, which will have implications for organisations around policy, strategy, cost and obligations around data protection.
For the purposes of clarity, this article will use the terms Public Cloud, Private Cloud and Hybrid Cloud in the following ways:
Public Cloud is a computing service provided by a third-party to organisations through the internet, meaning the resources used by the customer are owned, maintained and operated by the cloud service provider. As a result, no significant up-front outlay is required from the customer, while energy, maintenance and storage costs going forward are significantly reduced.
Though there are Public Cloud services that are free for customers, businesses often pay for Public Cloud services but only as much as they use. This means they are not buying, powering and maintaining servers on-premise which are under-utilised, making the service a flexible and cost-effective one.
The hardware and general infrastructure of the Public Cloud service is shared with other organisations, with everyone’s data held in their own virtual instances, but on the same hardware, off site. This has created a debate around how secure Public Cloud is, and while we will explore this in more detail later in the article, many Public Cloud services possess industry leading security accreditations and hold sensitive data for a variety of industries.
Private Cloud is a computing service delivered through a connection to a secure and independent Cloud environment, which dedicates its resources for the use of one organisation only.
The Cloud environment’s physical infrastructure can be located on-premise or hosted off-site by a Private Cloud service or datacentre provider. For businesses who emphasise security as top priority, access to the Private Cloud would not usually be provisioned through a secure and private connection, such as Microsoft Express Route, and would rely on VPN or MPLS connectivity.
As Private Cloud is exclusive to one organisation, there is freedom to customise and control the environment for specific business needs. However, with this exclusivity and independence comes overall responsibility for all associated costs, maintenance and security, particularly if you are planning to build your own Private Cloud network on premise.
To be completely sure that you have a Private Cloud service and ensure that none of your data is stored or transmitted alongside those of another organisation, it would be necessary to host your Private Cloud on-premise or in a datacentre environment where you had your own dedicated rackspace and have complete control over the infrastructure, software and configuration. However, this comes with significant associated costs when contrasted with Public Cloud, both up-front and going forward.
Hybrid Cloud is where an organisation combines Public and Private Cloud services by sharing data, applications and computing power between the two environments.
As a result, an organisation may use on-premise Private Cloud infrastructure for the bulk of their needs and scale up their service by utilising the power of the Public Cloud for non-sensitive data and operations while retaining sensitive data and business critical applications on-premise and behind the company firewall.
Hybrid Cloud therefore offers a greater degree of flexibility, with the decision between Private or Public Cloud effectively sidestepped. In doing so, an organisation can have the peace of mind, customisation and control of a Private Cloud environment, alongside the scalability and flexibility of Public Cloud to supplement their needs as and when it suits them.
To have a Hybrid Cloud, it still requires a Private Cloud platform to be sourced, or legacy infrastructure to be maintained, which can negate the flexibility and lower costs of the Public Cloud you also procure as part of this model.
While the Cloud is spoken of as offering general advantages of flexibility, cost-efficiency and security for an organisation, the model of Cloud computing that is configured and deployed within an organisation and the benefits experienced will ultimately depend upon their requirements, priorities and circumstances.
While the Cloud offers an array of options and features, there are three general considerations that are important when organisations consider moving to the Cloud…
Whether an organisation chooses to pursue Private, Public or Hybrid Cloud, the service will increase flexibility in the way computing services are paid for and consumed.
Public Cloud services such as Azure or Office 365 are highly flexible, offering the freedom to scale up or down depending upon your needs, with predictable monthly payments based on usage. If you find yourself in need of more computing power or storage, you can simply make use of the near unlimited space of the Public Cloud and increase your monthly payments accordingly, without paying for the infrastructure up front or the associated costs of having servers on-premise.
A limitation of Public Cloud is that, by not owning any of the hardware and sharing the Public Cloud with other organisations, some freedoms to customise the Cloud environment are not available. Private Cloud offers the option for full adjustment and customisation of the service, including security, with the responsibility on internal staff to test and maintain the service having additional cost implications.
If you host a Private Cloud platform on-premise, you are in complete control of the security and features around your Cloud platform. You also carry 100% of the risk. However, this places a limit on the available storage and power you can consume, all the while covering the costs of purchasing, maintaining and powering servers which may not be in use yet. Careful planning is therefore required to ensure sufficient space and power is available, while minimising over-expenditure on un-used infrastructure.
Through the Hybrid Cloud model, Private Cloud infrastructure can be supplemented with Public Cloud resources during peaks in IT demand, known as ‘Cloud bursting’. This model offsets certain risks associated with interruptions in service and over-expenditure on infrastructure, with Public Cloud resources off-site and scalable depending on how much is being used.
The hybrid solution combines the flexibility of a Private Cloud network that can be controlled and customised by your organisation, alongside the option to utilise Public Cloud for data and applications that pose fewer security concerns. An organisation could also utilise Public Cloud in a Hybrid model for periodic instances where increased storage or processing power is required, paying only for the amount used.
Though all Cloud Platforms offer flexibility in some form, the Cloud option you choose to adopt will have significant cost implications for your organisation.
The up-front time and money that is required to build a Private Cloud is significant, especially when contrasted with the limited up-front cost that is required to adopt a Public Cloud service. There are also licensing cost implications for organisations seeking to operate a Private Cloud, which is essential to enable a connection to off-site users and the outside world.
With Public Cloud infrastructure being located in remote sites maintained and operated by the supplier, there are no up-front costs for infrastructure incurred by your organisation. Furthermore, long-term costs are reduced as the physical space at your offices that would have been taken up by servers is no longer required, potentially lowering property costs. The energy that is required to power on-premise servers also represents a significant saving, while the cost of maintaining and replacing equipment and infrastructure is also covered by the Cloud service provider.
Organisations may possess existing infrastructure which can help to reduce the costs of building a Private Cloud network. However, while short term costs may be lower if existing infrastructure can be used, the skills and time needed to build a private cloud network will still be a significantly time consuming and costly investment. The storage, powering, maintaining and replacing infrastructure will fall on internal budgets and personnel.
A significant consideration for Private Cloud is the cost of staffing a team capable of building and maintaining a Private Cloud platform to similar standards as a Public Cloud platform such as Azure or Office 365. This would be a significant and recurring cost, exacerbated by the risk of employee absence, departure and the responsibility of finding replacements to ensure performance, security and capacity of your Private Cloud service would not suffer.
Furthermore, if your organisation is to store back-up copies of data in the Private Cloud network on-premise, this means you are effectively doubling costs associated with storage and equipment. Depending upon where the back-up data servers are located, there may be additional costs required for a separate location which will require physical security.
Depending on the size of your organisation, the nature of the data you hold and the security you require, you may wish to only permit access to your Private Cloud through secure connections from authorised networks. If approved users require off-site access, your Private Cloud will require high speed connectivity to ensure that access is convenient and performance does not suffer. This can be a significant investment and once again, as it is part of your Private Cloud network, responsibility for materials, sufficient bandwidth, maintenance and replacements will fall upon your organisation.
It is possible to isolate server space within a Public Cloud infrastructure, which helps to improve the security around data by isolating it from other organisations data, rather than the conventional Public Cloud method of data being stored in the same servers alongside other organisations data. This does have cost implications and rather than paying for what you use, you are instead paying for a certain amount of server infrastructure whether you use it or not.
There is also the option to purchase Private Cloud services from an external provider, who can manage it on your behalf. This negates the need for costly infrastructure on-premise and associated costs of powering and maintaining this equipment. However, Private Cloud incurs a higher cost and reduced flexibility when compared to Public Cloud. Furthermore, there will not be the freedom to customise and control the Private Cloud service, while the servers will not be located on-premise and behind your own company’s firewall.
For organisations whose interest in Private Cloud is not based on ownership of the platform or a desire to host the data on-premise, but rather preventing their data being stored in the same servers as other organisations, this could be a useful option. Of course, levels of services and accreditations do vary depending on provider, while there is a debate as to whether a Private Cloud supplier is an essential expenditure, given the excellent security accreditations held by Public Cloud services like Office 365 and Azure.
From a Public Sector perspective, the choice between Public and Private Cloud usually revolves around questions of security. Balancing security with cost and flexibility is a challenge that organisations from all sectors encounter.
In the Public Sector, many organisations initially gravitate towards a Private Cloud platform as their preferred option, as they are deemed more secure. This is due to the nature of Public Cloud being a service that is shared with other organisations and where hackers are constantly trying to penetrate. Ownership of the Cloud platform also means control over customisation and security methods and governance, though this does come at a cost and is not without some debate.
While Public Cloud does not offer the control and exclusivity of Private Cloud, it does provide access to the expertise and dedicated support of professionals whose sole responsibility and vocation is the function, security and integrity of the Cloud service.
This is included in the cost of a monthly Public Cloud subscription and does not require your organisation to source, pay and replace professionals with these skills on a recurring basis, which is a significant cost and flexibility consideration.
Furthermore, Public Cloud service providers can dedicate significant financial resources to the latest security measures and regular updates, while penetration testing is more frequently done on Public Cloud platforms than a typical Private Cloud.
We have seen how adopting Public Cloud service provider means an organisation is also foregoing the responsibility to buy, store, power, maintain, secure and replace the hardware. However, they are also outsourcing another key consideration along with it; Risk.
Organisations with Private Cloud on premise own 100% of the risk, whereas with Public Cloud all the risks related to the infrastructure and physical attacks are the responsibility of the public could provider. An organisation with Public Cloud would still have to develop the right policies and processes to secure the tenancy, but there is no liability for updates, patches, firewalls, physical hardware or building security, which are the most expensive and time sensitive considerations.
In the case of Microsoft, over $1 billion every year is spent on cyber-security, while their data centres are spread across multiple locations and access is subject to strict security procedures. The presence of multiple data centres means that should a server or location be hacked or power fail, a separate server in a different location can provide back up access to your data in a short space of time, minimising down time.
Most organisations internal IT resources can’t rival the expertise and investment of companies who provide Cloud services as a business, so the security around it is likely to be less sophisticated and tested less frequently for vulnerabilities than a Public Cloud service. Furthermore, Public Cloud providers are fully aware of the threat they face and their business depends upon their ability to build and preserve a reputation by investing in their product and protecting the data they are entrusted with.
Public Cloud services such as Office 365 and Azure are built to integrate with applications and features that users already trust, including Windows 10, Active Directory, SQL Server, Hyper-V and more.
How one weighs the risks is a matter for your organisation, however Public Cloud platforms like Azure have some of the most sophisticated security available and have been awarded accreditations highly relevant to the Public Sector.
Microsoft Azure and Office 365 are both ISB1596 compliant, which allows users to send and store sensitive information within this Cloud environment without violating data protection and security guidelines. This accreditation is relevant to the Health and Social Care industry, as ISB1596 indicates adherence to information governance policies and principles to securely store and manage personal and sensitive patient data. Microsoft Cloud services are also certified ISO 27001, demonstrating their dedication to best practices against international standards of information security and governance.
This level of compliance is significant enough for NHS England to have approved the Azure and Office 365 platforms to store and process Patient Record data, which until this has been one of the main challenges for the NHS specifically in adopting Public Cloud solutions.
In the case of Hybrid Cloud, you can host basic or less sensitive data and applications in Public Cloud, reserving Private Cloud resources for business-critical and sensitive data. Further extensions can be added to the hybrid service to ensure no data passes through public internet and instead runs through a secure, private and reliable connection, increasing speeds and reducing latencies in connection to both Public and Private Cloud platforms.
Key to the decision of moving to the Cloud is how one balances the essential flexibility and cost-efficiencies available, with the responsibilities and obligations an organisation has to secure data that it has been entrusted with.
The Public Sector has statutory obligations and restrictions regarding which Cloud services they can adopt, or the standards to which they must build and maintain their own Private Cloud service on-premise.
Private Cloud on-premise is a more costly and restrictive service than Public Cloud but has been considered more secure due to the location of the servers being behind the organisations firewall and servers not being shared with other organisations, as is the case with Public Cloud.
However, Public Cloud services are maintained and tested by professionals who are concerned only with the security and integrity of the Cloud environment, while the range of security accreditations that Public Cloud services such as Office 365 and Azure hold demonstrates their excellent security standing.
For organisations with limited resources and capability to attract and pay the same volume of experts to focus on solely on maintaining and securing their own Private Cloud platform, Public Cloud may represent a more sensible choice all-round.
Most organisations could not dedicate the time or resources to securing their Private Cloud network as Public Cloud service providers can dedicate. Though Public Cloud services pool data from various organisations together in their servers, there is no specific security reason that should prevent most Public Sector organisations for opting for a Public Cloud that meets their statutory and security obligations, particularly given the financial implications of building and maintaining a Private Cloud.
Hybrid Cloud provides an element of compromise and is a common model for organisations to adopt, providing the control over key elements of security that some organisations desire, while also providing the flexible and scalable and cost effective Public Cloud environment to hold non-sensitive data or non-essential business applications.
Core are a highly accredited Microsoft Gold Partner providing managed and professional technology services, working with our customers to deliver structural cost savings while meeting the demands for an improved, secure and future proof service.
Our range of industry accreditations demonstrates high standards across a range of technical areas and industry verticals, while as an SME we are an accessible and highly agile organisation, possessing significant in house expertise and innovation that Public Sector organisations continue to benefit from.
Whether you have already moved to the Cloud or are considering moving to the Cloud in the future, Core possess industry-leading expertise and solutions to help you identify, implement and adopt the right solution for your organisation, delivering sustainable, secure and effective change across all areas of business operations.