The terms Private Cloud, Hybrid Cloud and Public Cloud are by now very familiar to all of us. We have often heard CTOs of the global enterprise speak in suspicious terms of public cloud and the security thereof, extolling the virtue of their home-built private clouds. But now we see in some recent data the growth of ”private clouds” stagnating while the growth of public cloud exploding, as most enterprises are at least running hybrid cloud environments of some type. But few ever really asked what exactly is meant by the term “Private Cloud” and why it merits spending so much money to re-create and self-manage what AWS and others have already offered at a very low relative cost.
To answer this question let’s start with the generally accepted general definition of cloud computing put forward by the National Institute for Standards in Technology (“NIST”). According to NIST cloud computing has the following 5 characteristics:
1. On demand self service
2. Broad network access
3. Resource pooling
4. Rapid elasticity
5. Measured service
Most every definition of the term, “private cloud”, refers to a computing infrastructure that provides the 5 capabilities above to a limited number of people behind a firewall. Reasons most often given for adopting a “private cloud” center around security and control.
What is surprising to me is that the term “private cloud” has continued to mean “self-hosted cloud” or at least “self-managed cloud” at a time when AWS has solved the problems for which private clouds were conceived. The sad thing is that AWS solved these problems in 2009 with the roll out of VPC (Virtual Private Cloud)—well before most private clouds were constructed. As CTO’s mature in their thinking, more and more we are seeing a focus on capability and benefit rather than physical location when it comes to cloud planning. So I’d like to point out 5 capabilities of a private cloud on AWS that you may not have been aware of and ask what else could a self-hosted private cloud provide?
1. More robust firewall capabilities than most enterprises use for their self-managed clouds
With the advent of VPC, AWS customers can maintain all of their cloud resources within a secure and private network space (almost like a VLAN), in which all of the tools of network security are provided—including subnets, routing tables, NACLs, security groups etc. A network administrator can get so granular in controlling internal traffic as to place firewalls around specific virtual machines. Even the Simple Storage Solution (S3), which has the capability to be public facing, can be protected by robust policy-based firewalls at the object level. If you want your cloud behind a firewall, you cannot buy better firewall capability than AWS provides, and the best news is that it’s all free. To the extent you are on AWS there is no more expensive networking equipment to purchase, and even the most budget conscious company can enjoy the highest level of capability. For a detailed overview of capabilities look here.
2. Dedicated Hardware
Yes, that’s right. I said dedicated hardware. For a relatively small fee you can specify that no other customer’s AMI (Amazon speak for virtual machine) may run on the same physical host with your AMIs. This does not mean you are running bare metal or that your AMIs always run on the same hosts. Rather AWS has developed the logic to ensure that whichever host is running your AMIs is running only your AMIs.
3. You specify the geographic location of your data
Because all of AWSs storage products are region bound it is easy to specify where your data are stored. This is sometimes very important for firms operating in jurisdictions with strict data privacy and offshore data prohibitions.
4. Encryption of Data In Transit and At Rest In Which You Control the Encryption Keys
While AWS offers its own encryption methodology and key management service, customers may elect, if they so choose, to define the method of encryption and manager their own keys. This can be important to firms who fear that a subpoena may be issued to the cloud provider to turn over data to a third party. While AWS vigorously resists complying with these types of demands, if you control your own keys, AWS is also unable to comply with such a subpoena.
5. 99.999999999% durability of data and 99.999% uptime
When considering data security one should consider both privacy (keeping your data out of the hands of the unauthorized) and reliability (making sure your data can get into the hands of those authorized). When you consider that Amazon S3 offers eleven 9’s of durability for your data your realize that this capability far outmatches anything that a self-hosted cloud could provide. Last year AWS also achieved five 9s of availability according to CloudHarmony across its global footprint. Combine with is the most sophisticated high-availability and fault tolerance tool set imaginable and you have a capability that, again, cannot be matched in house.
So ask yourself, 1) Does my self-hosted private cloud really provide a cloud as defined by NIST or have I just established in-house virtualization?, 2) Do I also have these 5 capabilities and how much do they cost compared to AWS?, and 3) Is there any other capability that my self-hosted private cloud can provide me than an AWS based private cloud can’t provide? For most informed CTOs the answers lead to AWS, but I’m not saying every company can go completely to Amazon. If your commitment to uncloudable legacy platforms is heavy, it may be some time before your firm can enjoy all of these capabilities. But that is what you should focus on—capability.
Blue Sentry is an advanced-tier Amazon Web Services (AWS) consulting partner specializing in application and data migrations, expert managed services and virtual desktops. Blue Sentry serves clients globally, with operations in North Carolina and South Carolina.