Jouni Heikniemi
Aug 23, 2017

Thanks! This is good stuff, and definitely something I’ll consider addressing in the follow-up. The key point you’re bringing up is the fact that cloud application patterns require trust in the cloud vendor, and not all — apparently you included — have it.

I can see why maintaining fine-grained control can be important, and there are some rather pressing legislative concerns driving in this direction. For example, you cannot store PII of Russian citizens outside Russia. That forces you to have a very explicit, very controlled geo-failover/replication policy. If your cloud vendor doesn’t have a Russian footprint, well, you’re out of luck. So sure, control can be one key driver for a private DC, although I’d argue that most of the externally demanded control requirements can be satisfied on a well-designed public cloud platform as well. But going further, how hard is your private cloud vendor working to minimize their staff’s ability to interfere (or even look into) your systems?

Security? That’s a tougher argument. I have yet to see a (mainstream) DC operator that would have even a fraction of the security analysis resources of the big cloud companies (GCP, AWS, Azure). For example, Microsoft can leverage the security telemetry of Windows installations around the globe, identifying e.g. botnet topologies and blocking them proactively. They have the data, they have the machines to crunch AI algorithms on it, and they have the software-defined datacenter infrastructure to act on it, automatically.

How about the hardware itself? If your threat matrix focuses on state-sponsored cyberattacks, should you be worried about your DC having its servers installed with Chinese spyware burned right into, say, the storage controller chipset? Or do you build your own chips and burn their firmware like the big cloud vendors do?

I’m not trying to make the case for “public cloud is the most secure” or to convert you in any way. My point is simply the fact that both security and control are reaaally multi-faceted beasts, and the big public clouds have their benefits. I would argue that judging the security/control merits of different capacity providers requires case-by-case analysis and deep knowledge of the platform threats that plague each alternative.

Consultant/CEO at Offbeat Solutions. Software developer, entrepreneur, Microsoft Regional Director.