In 2006, Clive Humby, a British mathematician and entrepreneur, famously coined the term that data is the new oil. Today, that statement continues to hold true. However, not all data has equal value. If general data is the new oil, then digital identities are gold nuggets. Just like physical gold bars, digital identities should be stored and processed with utmost care and attention to detail.
Sadly, this hasn’t always been the case. When Ubisecure was founded over two decades ago, security and privacy online was still in its infancy – often an after thought that was managed reactively. The existing European privacy legislation at that time was from 1995 – a time when Internet access was a luxury, not a commodity if not a necessity.
Much has changed over the last two decades. We have witnessed the explosive growth of online services from both the public and private sector, and slowly but surely it has been recognised how central part digital identities play in digitalised ecosystems. Two major changes have been the adoption of the GDPR (General Data Protection Regulation) in 2016, and the massive expansion and adaption of cloud-based platforms.
The GDPR brought into limelight the value of digital identities, and cloud-based platforms have enabled trialling and scaling new online services easier than ever.
Lately, there has been considerable interesting in one specific subtype of cloud platforms – the hybrid cloud. A hybrid cloud approach is indeed an agile way to make quick adaptations to your digital business, but it is not without its considerations. Before we explore the benefits and caveats of a hybrid cloud approach, let’s take a high-level look at the three major cloud models.
Types of cloud
The most common cloud computing deployment is a public cloud. In a public cloud, the virtualised resources (the compute servers and data storage) are owned and operated by a third-party cloud service provider. They are delivered over the Internet, and are readily available to the general public. All hardware and other supporting infrastructure are owned and managed by the cloud provider. Typically, there are no charges on a per-user basis and other costs follow a non-linear trend tier by tier, with the higher tiers being progressively less economical.
The next one is the private cloud. Unlike a public cloud, the virtualised computing resources and data storage in its infrastructure are dedicated to a single organisation. The daily management and operation services are performed by the organisation itself or a third-party cloud service provider. A private cloud may itself consist of a mixture of both self-managed and third-party maintained infrastructure, depending upon the organisation’s requirements. Private clouds are mostly used for processing confidential internal data, for very high loads where public clouds lose some of their cost advantages, and/or due to regulatory concerns.
More rarely encountered is the community cloud, in which multiple communities who process similar data with common concerns share the computing resources placed in a single cloud with shared data services. For example, several research institutes could have (virtualised) HPC (High-Performance Computing) clusters operating as a community cloud service.
Now that we have gone through the three major types of cloud platforms, we can take a closer look at hybrid clouds. The hybrid cloud is the combination of an on-premises data storage (or a private/community cloud) with a public cloud or even several public clouds. Often a hybrid cloud model is chosen to balance the safety and security of data with scalability, the ease of maintenance and possibly even a lower total cost of ownership in case of traffic.
When computing and processing demand increases beyond an on-premises datacentre’s capabilities. Organisations can use a public cloud or several clouds to instantly scale capacity up or down to handle fluctuating demand. This is called “cloud bursting”. When demand spikes, additional computing resources can be quickly provisioned from a public cloud, while the private infrastructure handles the base load. A good example would be a retailer handling Black Friday or Christmas sales peaks by provisioning additional capacity from a public cloud, as it is not cost-efficient to size local datacentres according to peak loads. Offloading some of the work to a public cloud allows them to avoid the time and cost of purchasing, installing, and maintaining new servers that are needed for only short periods of time.
Another very important advantage of a hybrid cloud approach is having strict control over the data – where it is stored and processed and by whom. In this kind of hybrid cloud architecture, organisations gain some of the scalability, flexibility and cost advantages of a public cloud for less regulated computing tasks, while still meeting their industry requirements for data protection and data residency.
For example, governmental and financial institutions typically have very strict rules on data residency. Logically, one might therefore ask why not go all way to a pure on-premises data centre solution then? After all, a third party that does not have access to your data can’t possibly lose, steal or leak it. Sometimes this indeed is the only reasonable option, but then the cost-efficacy advantages are lost.
Even for industries that work with highly sensitive data, such as banking, finance, government, and healthcare, a hybrid solution may well be their best option. For example, some regulated industries require certain types of data to be stored on-premises while allowing less sensitive data to be stored on the cloud.
How to choose
Choosing where to draw the line can be relatively straight-forward if clear legislation is already in effect, but in many cases, there are no rules set in stone. Balancing security and privacy with cost and flexibility is an ancient dilemma, and it continues to be very current topic as nation-state actors continue weaponizing cybersecurity.
In network diagrams, ‘the cloud’ is often represented as an icon of a fluffy cloud, floating somewhere outside the home organisation. However, if your data does not reside in your own servers, then it does not reside high up in the sky, but on somebody else’s server, possibly in another country or even continent. That another country has its own laws and regulations, and if not carefully designed and managed properly, storing or processing data blindly in another country could have drastic consequences.
Every organisation doing business within the European Union should be especially certain to have done their due diligence, as consistently providing ‘privacy by default’ is not a recommendation, but a legal requirement. This in turn necessitates that security and privacy should always be included by design, not bolted-on at the last minute. Homebrew solutions often have challenges in maintaining the code in long run, for example in keeping up to date with the constantly evolving regulatory environment. Embracing hybrid cloud can be an opportunity to outsource a part of these requirements to competent third parties, enabling your own staff to concentrate on your core business needs instead of playing catch-up with Brussels.
Stay tuned for part two, where we will take a deep dive on how another hot topic of today, data residency, affects hybrid cloud deployments after the Schrems II decision and the new EU-U.S. data privacy framework.
Contact us to learn more about hybrid cloud IAM solutions.