Hybrid clouds provide organizations with the option of hosting some workloads in the public cloud, and others in an on-premises private cloud. A hybrid cloud model provides multiple advantages, allowing an organization to choose the best location for a specific workload, rather than being in a position where workloads can only be hosted in one location or another. What determines the best location isn’t always a simple technical argument, and factors such as regulatory compliance can override arguments about efficiency and economy.
Perhaps the most important determinant of whether a workload should be run on-premises in a private cloud or in the public cloud is the degree of regulatory or compliance issues around the workload. Regulation has become an increasingly important factor in IT decision making as IT has matured.
There can be a bewildering array of rules about where information can be stored and how it should be stored, depending on the properties involved. The storage of financial, personal, and medical information is all subject to a variety of rules, many of which were legislated before the public cloud was more than a hypothetical technical challenge. These rules often also vary from jurisdiction to jurisdiction, making it difficult for organizations to be compliant when faced with a “one size fits all” solution.
For example, certain types of sensitive data must be stored in an encrypted manner. The rules around this type of data often specify that the cryptographic keys required to encrypt and decrypt this sensitive data must be stored in a specific way, such as in a Hardware Security Module. A Hardware Security Module (HSM) is a special “lock box” specifically designed to store cryptographic information. Meeting compliance requirements around issues such as the storage of encryption keys is simpler when an organization controls all the on-premises hardware. That’s because an auditor can make a straightforward determination as to whether or not the current implementation meets regulatory requirements. The auditor can drill down and determine whether the implementation meets compliance requirements or if it does not.
Meeting compliance obligations can become more challenging when the workload is hosted in the cloud simply because the hardware and environment are under control of another organization. While public cloud vendors are being accredited to meet specific regulatory standards, the legislators creating the standards aren’t necessarily able to keep up with the rapid pace of technological change that is par for the course when it comes to public cloud provider offering. While a public cloud vendor may have all the necessary accreditations for most businesses, it might not have achieved a specific accreditation required for hosting the workloads of businesses that have unusual requirements.
Beyond compliance, another important determinant of whether a workload should be run in the private or public cloud in a hybrid deployment is whether or not the workload is supported so that it can be hosted in a public cloud environment.
Many organizations still need to run workloads that are well past their used-by date and which can’t be directly migrated to the public cloud for a number of reasons. For example, the workload might involve a legacy application that only runs on a specific version of an operating system, an operating system that simply is not supported by any public cloud vendor. Until those workloads can be retired, the organizations will need to keep a functioning, on-premises, private cloud deployment.
Whether a public, private, or hybrid cloud model suits an organization depends very much on the characteristics of the workloads the organization needs running for its day-to-day business – something every decision maker needs to be cognizant of.
This content is sponsored by Microsoft.
Orin Thomas is a contributing editor for Windows IT Pro and a Windows Security MVP. He has authored or coauthored more than thirty books for Microsoft Press, founded the Melbourne System Center, Security, and Infrastructure Group, creates courseware for PluralSight, and writes the Hyperbole, Embellishment, and System Administration Blog.
