There are few remaining uncharted territories on Earth, but the digital age has provided ample opportunities for humans to name new ideas. The internet, the smartphone, and now, the cloud.
Originally explained as “someone else’s computer”, cloud has evolved into a far more complex beast. Like all good tech, cloud should help to enhance our existing capabilities and unlock greater potential. And it can; in this article I'll explore how to identify the right path to cloud for your organisation’s requirements.
I’ll outline:
Current and emergent approaches to cloud computing infrastructure.
The considerations that will determine your organisation’s cloud strategy:
cost,
security,
compliance,
performance and reliability, and
scalability and flexibility.
The approaches to cloud available today
Is a “managed” private cloud the same as a “virtual” private cloud? Does a virtualized environment need to run in the cloud? Here’s the basic breakdown, and how each holds up to meeting enterprise standards for cloud infrastructure.
Is a virtualized environment a cloud?
No. Not by itself. Which doesn’t mean it isn’t still valuable - in some cases on-prem virtualization alone may be all you need for a particular workload.
Virtualization allows a single physical computing resource (such as a server, storage device, or network) to be divided into multiple virtual resources. It’s a great way to make efficient use of hardware, and allows for quick failover in the case of hardware failure. When you read online comparisons of “private cloud vs on-prem”, the writer is comparing cloud environments to virtualized private infrastructure, since private clouds can themselves be “on-prem”.
Cloud computing encompasses a broader range of services provided over the internet or private network, including infrastructure, platforms, and cloud software.
The first cloud computing model we’ll explore is public cloud.
Public cloud
Much like a public swimming pool, public clouds are managed and maintained by a third party. And like a public swimming pool, you can pay to access extra features. At a pool, that might be a creche, or a storage locker for your valuables. In the public cloud, this could be services like access to pre-trained AI and machine learning models, or temporary usage of additional compute resources to handle intensive workloads.
A multi-tenant environment
Unlike a public swimming pool, the public cloud can separate your usage from others’ using software-based security controls, so that your data is (ideally) not accessible by anyone else. (If a public pool was to do this, reserving a swimming lane would also need to lower shutters to completely isolate you from swimmers in the lane over!) This separation of data is referred to as multi-tenancy.
While public cloud multi-tenancy doesn’t require physical shutters to slam down to separate users, it does typically add additional challenges for scaling.
Two thirds of the public cloud pie is baked in the USA
Roughly two thirds of public cloud infrastructure is sold by Amazon, Microsoft and Google, all of which are US-based companies. This doesn't necessarily mean that the public cloud infrastructure you access will be physically located in the US, but it does determine who has the legal authority to access it. Companies operating in the US are required to comply with valid legal requests from government authorities. This means if the government presents a lawful request for data, such as a subpoena or a search warrant, the company must comply.
If the data is stored outside the US, international laws and agreements (such as mutual legal assistance treaties) can come into play, complicating the process of data access.
Advantages of the public cloud
Public cloud services can be a useful way to offload the effort of managing cloud infrastructure, with automated updates, maintenance, and scalable resources, all managed by the cloud provider. This is particularly valuable for small businesses that lack the resources to deliver in-house IT services. Though of course, public clouds restrict organisations from fully customizing their infrastructure, as they must adhere to the provider’s predefined configurations and limitations.
Until recently, on-premises private cloud solutions could not offer a comparable level of management simplicity to public cloud.
Private cloud
So, if public cloud is the local shared swimming pool, is private cloud the backyard equivalent?
The answer is: not exactly.
Where public cloud can be divided into the exact kinds of services and cloud software provided by a third party, private cloud can be implemented in multiple ways - and not all of them in your own backyard.
You may have stumbled upon online arguments about private cloud vs on-premises computing in the past. These arguments have come about because the meaning of “private cloud” has drifted.
The reason for this is a simple one. “Public cloud” and “private cloud” are (and always have been) marketing terms. And given private cloud is in the current tech zeitgeist, vendors previously only selling “public” cloud have been hard at work finding ways to market aspects of their services as “private”. Which leads us to the current situation: not every implementation of private cloud is quite as “private” as the others.
Let’s explore the different implementations of private cloud, from least to most “private” in terms of separation of, and control over, your infrastructure.
Virtual private cloud (VPC)
Remember the shutters on our public swimming pool lanes? VPC is much the same, but also: you get your own private path to and from your swim lane.
A virtual private cloud runs on public cloud infrastructure; however, in addition to the software-based access controls employed by the public cloud, the VPC is also logically separated. This means that network traffic (our reserved walkway to the pool) within a VPC does not cross into another customer’s VPC.
Much like the public cloud, tailoring VPCs to your exact requirements can be challenging, service disruptions from the provider can impact accessibility, and shared infrastructure poses potential security risks from breaches affecting other users.
Advantages of virtual private cloud
The most compelling reason to use a virtual private cloud is “we wanted to use public cloud, but software-based access controls weren’t enough to meet our security requirements.”
Creating a separate virtualized environment within the public cloud is one way to reduce the risk of exposure to other tenants sharing your public cloud infrastructure. Additionally, a logically isolated environment can (potentially) keep your data within a specific geographical region, though this is very dependent on your arrangement with your VPC provider. A VPC is also generally a little easier to audit than a public cloud given the clear boundary for data and activity within your environment.
Hosted private cloud
Also known as “managed private cloud” (or, by those who sell it, just plain “private cloud”).
Hosted private cloud providers step up the separation of resources and control from VPCs by allocating physical infrastructure, such as a dedicated server, to specific customers. Just as with public cloud, the physical infrastructure in question is still owned and maintained by a third party provider.
Advantages of hosted private cloud
Just as with public cloud, this approach offers the convenience of outsourcing infrastructure management, with the added benefit of having exclusive, dedicated physical computing power, storage, and network resources that are not shared with other users. Rather than a public pool, we’re now reserving an entire pool for ourselves, but it is maintained by someone else, and we have to visit their property to use it (yes, the pool metaphor unravels here).
While you will still be limited to the infrastructure your third party provider is willing to manage, it’s likely that there will be more customization opportunities than available to public cloud customers. And of course, you retain control over your virtual environment, including CPU cores, RAM, and storage space allocation.
To meet specific data residency requirements, you may choose to use a hosted private cloud provider in each relevant region, though this poses its own unique challenges due to the need to manage a variety of vendors and cloud infrastructure as part of your overall solution.
True private cloud
It’s what used to be marketed as “private cloud” - but with the advent of VPC and hosted private cloud services, the need for differentiation has required an additional adjective. You may also see it referred to as “on-prem” private cloud, although it does not strictly need to be physically located on your business premises (more on that in the edge computing section).
This is where we finally get to the “backyard” for our pool metaphor. Your own infrastructure, on your own turf. A 2024 Spacelift survey indicates that 84% of companies utilize at least one private cloud solution, representing, on average, 32% of their workloads.
Advantages of true private cloud
Innovation in private cloud is thriving, driven by open-source communities and enterprise solutions from leading vendors. Technologies like Kubernetes and OpenStack have democratized access to cutting-edge cloud computing capabilities, enabling organisations to implement highly innovative solutions within their private cloud environments.
Additionally, this model is ideal for businesses with stringent data sovereignty and security requirements, as it ensures your critical data and applications remain entirely within your control at all times.
However, to make the most of a true private cloud solution, you’ll need the right hardware, the right skills in-house, and the right automation technologies.
What about edge computing?
Edge computing is on track to become a $232 billion market. But is it cloud computing? Yes; and it’s implemented using methods we’ve already discussed - generally via either hosted or true private cloud.
Instead of sending data to a centralized cloud server, edge computing processes data at or near the source of data generation, such as IoT (Internet of Things) devices, sensors, or local data centres. This can be a huge advantage when latency and performance issues can make or break your business.
This offers many practical applications across a variety of industries, for example:
Sensors on heavy duty machinery can perform real-time analysis to predict equipment failures before they happen, minimizing downtime.
Large imaging files (for example, MRIs) can be processed at the edge to accelerate medical diagnoses by removing the need for high bandwidth data transfer to central systems.
A stream of live data from traffic light and intersection sensors can assist with the analysis of traffic flow data in real-time, optimizing traffic light patterns and reducing congestion.
Inventory stock levels can be automatically monitored and managed, reducing the risk of over or under-stocking.
So, which IT infrastructure approach is best?
The debate used to just be between public vs private cloud, but as you can see above, there’s a lot more to the conversation than that.
Do you even need a cloud?
“Cloud-first” approaches have been grabbing headlines and littering job advertisements lately, but if all you need is a way to run VMs, it may not be worth the cost of paying a public cloud provider for the resources required, especially if you already have some hardware on-prem. Just get hold of some reliable virtualization software that can scale up and down as needed.
A tailored approach
When your needs go beyond virtualization, then it’s time to carefully consider your unique requirements - not just a ‘lift and shift’ of all your data and applications into the current cloud computing flavour-of-the-month. Even within the same industry, different companies have unique environments, requirements, applications and pre-existing infrastructure.
But why choose one flavour when you can have three? Enter the hybrid cloud, or multi-cloud approach, where enterprises distribute workloads across different environments based on their specific needs. Nearly 80% of companies incorporate multiple public clouds, and 60% report using more than one private cloud. And this isn’t just a work-around; the same survey indicates that 70% of IT leaders believe it is difficult to achieve a successful digital transformation without a robust hybrid cloud strategy.
Of course, while hybrid cloud environments can enable the benefits of multiple approaches to cloud simultaneously, they also can result in increased administration workload and complexity.
Finding your unique cloud strategy
So, where should your data, applications and backups live? What is the advantage of on-prem versus cloud provided by a third party when it comes to scale? Should you keep mission critical applications on the public cloud, making use of the access to additional resources for unanticipated usage spikes? Or should they run in a private cloud, tailored for best performance and customization?
Flexera’s 2024 State of the Cloud report revealed the top five challenges for cloud computing decision-makers as being:
Managing cloud spend (the top concern, cited by 82% of respondents).
Security (79% of respondents).
A lack of resources or expertise (78% of respondents).
Regulatory compliance (73% of respondents).
Managing cloud software licenses (72% of respondents).
If you’re a small business, and your most pressing requirement is the lack of your own in-house IT resources, then all you may need is the public cloud (so long as you do not need to adhere to any strict regulatory or security requirements, and can afford to navigate potential “cloud waste” and vendor lock-in, which we’ll discuss shortly).
However, if you’re searching for ways to uncover the optimal approach to cloud for your enterprise - be it fully on-prem private cloud running cloud native hardware or a hybrid mix of environments - the following sections are a guide through the key considerations for architecting an optimal cloud approach for your organisation.
Cloud cost considerations
A recent survey by Deloitte indicated that migrating to the cloud helps unlock additional revenue streams that can boost profit growth by as much as 11.2% year-over-year. However, the survey concluded that at least 60% of an organisation’s workload needs to be in the cloud to realize noteworthy financial gains. The cost of doing this is the biggest factor holding companies back from adopting multi-cloud infrastructure.
The larger the organisation, the more difficult it can be to keep track. Only 3 out of 10 organisations know exactly where their cloud computing costs are going. The problem is a multi-faceted one:
Pricing models: Cloud providers offer a wide range of services with different pricing models (including pay-as-you-go, reserved instances and spot instances). Understanding and tracking these can be challenging.
Resource sprawl: Without robust monitoring and tagging software, organisations may struggle to keep track of all deployed resources.
Lack of visibility: Many organisations do not have centralized dashboards or comprehensive monitoring tools that offer a clear view of all cloud expenditures.
Variable usage: Unplanned spikes in usage, often driven by unexpected business needs or application behaviours, can lead to unforeseen expenses.
These expenses can be particularly difficult to monitor in the public cloud, where usage records can be split across many disparate files that are not easy to align into a single report. 31% of enterprises spend over $12 million on public cloud services every year.
It’s not just usage that incurs cost on the public cloud, however - another major issue is waste.
If you don’t use it, you’ll still pay for it
Flexera estimates that 32% of cloud budgets go to waste. That’s unused cloud storage and compute that is draining your budget without contributing to your ROI. This waste represents over $17B spent each year on unused resources. 42% of CIOs and CTOs consider cloud waste their top cloud spending challenge.
Often, waste occurs from overprovisioning and inability to scale rapidly, so if this is a problem for your organisation, prioritizing flexible deployment models (with hosted private cloud, true private cloud, and hybrid cloud) is a must.
Costs associated with private cloud
On-prem private cloud requires upfront investment for purchasing hardware, setting up data centres, and implementing the necessary infrastructure. There’s also the ongoing costs for power, cooling, physical security, and hardware replacements to consider. You may choose to outsource those costs via managed services, however these tend to come with premium pricing for the convenience and expertise provided. This may be more expensive over time compared to in-house management.
That said, if your private cloud is on-premises rather than hosted by a third party, these combined costs can still be lower than keeping everything solely in the public cloud. 451 Research found that almost half of IT decision makers surveyed were operating their own private clouds at a lower cost than equivalent public cloud server pricing. A quarter found that the premiums they paid for having a private cloud were less than 10 percent compared to those in their public cloud environments.
Waiting for ROI
Moving to a cloud computing model is intended to drive profitability for businesses, but when does that financial benefit materialize? McKinsey estimates a 180% potential return on investment, but that payback period is likely to take up to eight years, depending on your strategy.
Three strategic factors affect the potential ROI and time to realization:
Underutilisation (cloud waste).
Cloud sprawl (disparate approaches within the enterprise leading to increased complexity).
Slow adoption pace resulting in an inability to reduce fixed costs early in the transition process.
Small businesses may be able to avoid these downsides due to their simpler overall requirements, but for enterprises, these factors have a major impact.
Cloud security considerations
Cyber crime is a rapidly growing threat with a staggering cost to both organisations and individuals. Cyber crime is predicted to soon cost the world $10.5 trillion annually, and the average cost of a data security breach to date is $4.5 million. And while big targets make for the biggest news stories, small businesses are suffering too, with the average cost of a cyber crime to a small business estimated at $39,000.
When considering the mix of cloud approaches that best fits your organisation, make use of websites such as breaches.cloud to view recent incidents and who they affected. It’s important to determine what data is most valuable - and of highest risk - to your business, and seek to store and back up that data within a controlled environment.
A legacy of vulnerability
Safeguarding critical assets from external threats doesn’t end at storing them in a controlled environment, however. Keeping up with the latest security patches and upgrades is needed to minimize exposure to new and emergent vulnerabilities. This can be particularly challenging when your organisation is still reliant on legacy software that may no longer be supported or developed by its original vendor.
Shared responsibility
It’s not just the legacy systems that can offer infiltration routes into your data. Security professionals rated misconfiguration and improper setup of modern cloud applications as the most significant security threat, followed by unauthorized access, insecure interfaces, and hijacked accounts. And don’t assume that these misconfigurations can be eliminated via a third party provider - cloud providers typically operate under a shared responsibility model. Essentially, this means that while the service provider is expected to monitor and respond to security threats related to the cloud infrastructure itself, the customer is responsible for protecting data and software within the cloud environment.
Diluting the risk
Diversification isn’t just a sound strategy when it comes to financial interests. CIOs, CTOs, and other tech leaders have expressed concerns about relying on a single vendor's security protocols, believing that their data is more secure when distributed across multiple cloud providers. Over half indicated a preference for using the distinct technological advantages offered by different cloud providers. This multi-cloud strategy not only enhances security through diversification but also allows organisations to use the best features and services from each provider, optimizing their overall cloud infrastructure.
Can sensitive data be stored in a shared data centre?
Physical breaches or shared vulnerabilities within the cloud service provider’s data centre could potentially affect your environment. The decision to make here comes down to these two factors:
Who you are willing to trust (and, in terms of regulatory requirements for security standards, who you are allowed to trust). The security and privacy of your data is heavily reliant on your service provider’s practices and policies. Any lapses in their security measures can directly affect your organisation’s data integrity.
What the impact to your operations, reputation and finances would be should a breach occur. The higher the impact, the more control over, and confidence in, your solution is needed.
This is again an area where hybrid cloud solutions shine - so long as you have the insight and tools needed to ensure data and workloads can be distributed to different cloud platforms based on the level of security required.
Compliance and data sovereignty considerations
Increasingly, countries are seeking control over data generated by their citizens or within their borders. As things stand today, businesses that operate globally may need to comply with a patchwork of data sovereignty regulations across many different countries. This can be expensive and time-consuming, requiring legal and technical expertise to navigate the complexities of each jurisdiction.
This is where an on-prem private cloud solution (and private sovereign cloud edge deployments) can greatly reduce the amount of red tape.
Enter the sovereign cloud
While there aren't widely published statistics on the exact number of enterprises opting for private clouds in order to ensure regulatory compliance issues such as PCI, HIPAA and GDPR are properly addressed, the interest in sovereign clouds - cloud solutions designed to keep data within specific geographic and legal boundaries - is experiencing significant growth, particularly in regions with strong data privacy regulations like Europe.
Private sovereign clouds can ensure that sensitive data is stored, processed, and transmitted in a compliant manner, and prevent third-party cloud hosting providers from accessing your data.
Performance and reliability considerations
The average cost of downtime is estimated to be around $5,600 per minute, though of course there’s a wide range of actual values depending on the size of your organisation and the industry you operate within. It also doesn’t factor in legal fees, fines, or penalties. Either way, ensuring an appropriate level of uptime protects not just your bottom line, but your reputation with customers as well.
Reliability in the public cloud
When it comes to the public cloud, IT research firms such as Gartner, Forrester or Uptime Institute can be excellent points of reference for what to expect from the major providers. You can also review the status pages of major cloud providers for details of ongoing outages or service disruptions. For example:
When evaluating public cloud providers for their reliability, review their SLAs (Service Level Agreements). These agreements outline service uptime guarantees and compensation offered in case of downtime. While SLAs typically don't differentiate between specific services like email, they do provide a general benchmark for a provider's reliability.
Reliability in the private cloud
For hosted and on-prem private clouds, your experienced uptime will depend on:
the quality and redundancy of the hardware in your cloud infrastructure, including network,
whether you have architected your infrastructure for high availability (HA),
the distribution of workloads across nodes (load balancing),
the robustness of your disaster recovery and backup plans,
network capacity and ability to avoid bottlenecks,
balancing storage with compute,
uninterrupted access to power,
security of your solution to defend against cyber attacks, and
capacity to monitor and respond to potential infrastructure issues.
Never just have one set of backups
Architecting to avoid single points of failure within your cloud infrastructure doesn’t just end at the hardware. It goes for your backups too.
The public cloud can be a useful destination for data backups in specific circumstances. Pay-as-you-go pricing models help reduce costs by only charging for the cloud storage used, avoiding the need for large upfront investments in physical hardware. Public cloud services offer virtually unlimited storage capacity, allowing organisations to easily scale their backup storage as their data grows, and backups stored in the cloud can be accessed from anywhere with an internet connection, facilitating remote work and data recovery.
However, storing backups solely in the public cloud, particularly business critical data, is not an ideal position to be in, as illustrated by the case of UniSuper. This $135 billion pension fund experienced a catastrophic data loss when Google Cloud accidentally deleted their entire account, leading to nearly two weeks of service disruption. Fortunately, they also maintained their own separate backups, but these took some time to bring online, leading to the service issues. Such incidents underscore the risks associated with relying solely on public cloud providers for critical data. Issues like provider errors, system failures, and delays in recovery can severely impact business continuity and data integrity, highlighting the importance of having diversified backup strategies.
Which clouds perform better?
Reliability and performance are closely linked: network latency, data transfer rates and provisioning time are all strongly tied to the resilience of your cloud computing platform.
The geographic dispersion of data centres operated by public cloud providers can offer significant benefits for availability and redundancy. Though in some cases, even dedicated cloud resources within a shared environment (such as hosted private cloud) can experience performance variability due to broader infrastructure demands or network congestion within the provider’s data centre.
When it comes to workloads that require high performance compute, network and storage, the answer is: you get what you pay for, whether that is in the public cloud or the private cloud. The tricky part is balancing what you rent (in the public cloud) against what you buy (on-prem) to avoid generating “cloud waste”, whether as unused owned hardware or unused usage quotas.
Scalability and flexibility considerations
Two thirds of businesses report constantly changing IT requirements. These changing needs can be the result of fluctuating peaks in demand from customers, business growth, shifting industry conditions and digital transformation initiatives. Scalable and adaptable infrastructure, whether delivered by a third party or in-house, is essential for economically and strategically managing these fluctuations.
Planning for future migrations
When assessing a cloud solution, consider the likelihood that you may need to engage in a cloud migration later on, and how difficult it will be to migrate your data out. Migrating some or all of your data between cloud solutions enables your organisation to take advantage of better pricing, improved performance, or new features offered by different providers. It can also be necessary to address changing business requirements, mergers, or regulatory changes.
Not all cloud providers make it easy to migrate data out, which can lead to vendor lock-in and complicate future transitions.
Planning for adaptable scale
A significant appeal of traditional public cloud services is their ability to scale computing power, storage, and bandwidth up or down on-demand. This is usually handled with a pay-as-you-go model, where ideally, businesses avoid paying for idle infrastructure during periods of low demand. Rapid provisioning allows organisations to quickly adapt their IT infrastructure to support new projects or traffic surges without delays.
Historically, private cloud has been seen as suffering from far more barriers to scale by comparison, as it requires additional investment in hardware and space. Internal IT teams have also not always possessed the skills needed to efficiently manage and provision resources to handle peak loads and underutilized periods.
Integration and interoperability considerations
A cohesive, efficient, and scalable environment requires planning for interoperability and integration, particularly in multi-cloud scenarios. This enables switching flexibly between cloud providers, or using different services for different workloads. Cloud integration is essential for minimizing data silos, uniting and synchronizing applications, simplifying automation processes, improving data quality and preparing your data for analytics, machine learning and generative AI.
Recently, the US Cloud Business Survey noted that a lack of integration with existing systems is a significant contributor to governance issues. And where there are governance issues, there are increased risks of data breaches, compliance violations, and operational inefficiencies.
A variety of cloud integration tools are on the market today, with more springing up all the time. But the best approach of all is to minimize the need for reliance on these tools in the first place, through a streamlined, fully integrated solution.
Make your cloud infrastructure work for your organisation
By considering your specific requirements for the categories above, you will be able to determine a well-thought-out cloud strategy.
Note: this article was originally written for a publication which ceased to exist before this article was accepted. So, I've re-purposed it as a blog post here.