The debate between public (cloud infrastructure provided to general public) and private (cloud infrastructure operated for particular customer) shows no signs of relenting. Conventional wisdom suggests that a private cloud may be more secure due to a higher level of control and visibility.

However, the problem is that an apples-to-apples comparison is virtually impossible. Public cloud providers will rarely disclose their specific security practices and architectures, which may be viewed as proprietary and thus a source of competitive advantage. They also typically won’t shed any light on how well their security measures are implemented. In contrast, during the course of negotiations, private providers may be more likely not only to reveal their practices but also to negotiate in certain protective provisions (as discussed below). Put otherwise, the public cloud service may be as secure, if not more secure, than the equivalent private cloud service, but there isn’t an effective way to confirm one way or the other.

To make matters worse, virtually all public cloud services agreements will expressly disclaim liability for any security breach, regardless of how (or by whom) it was caused. Even if the public and private cloud services are equally secure (or insecure), there are simply no assurances when it comes to the public cloud provider other than a vague obligation to implement reasonable security measures.

As intimated above, public cloud services agreements are largely non-negotiable. If there is a security breach, the only real damage done is to the cloud vendor’s reputation. However, due in large part to social media there is a certain transparency to public cloud services and security breaches that you may be hard-pressed to find in private cloud services. Unfortunately, customers often learn about the security breach of a public cloud service on a website unaffiliated with the vendor.

So are private cloud services any more secure? No studies have been conducted (to the best of my knowledge), but to date, the public versus private debate has been generally evenly matched. I suspect that, at least in terms of visibility, one or two major public cloud security breaches in 2012 will shift the balance.

Whether the customer chooses a private or public cloud service, security is of the utmost importance. Regardless of whether the cloud vendor (private or public) was responsible for a breach, the cloud customer is ultimately responsible for the security of their customers’ data that has been entrusted to the cloud provider. Visibility (into the cloud services provider’s security practices) is an important variable; under various state laws, if you own or license personal information about a resident, you are required to uphold certain security standards. If you disclose that information to a vendor (unaffiliated third party under a contract), you may be required to mandate that the vendor does the same.

Thus, if the customer lacks visibility, it is virtually impossible to assess whether or not reasonable security measures have in fact been implemented. When choosing a cloud provider, the customer should look into the company’s security practices (measures, detection systems, etc.) and history of security incidents, as well as their causes.

Information security has been and continues to be very much on the radars of various federal regulators, including the Federal Trade Commission and Securities and Exchange Commission. The FTC has regularly lodged complaints against companies handling sensitive consumer information, based at least in part on the failure to implement “reasonable and appropriate security measures.” Other regulations include the Gramm-Leach-Bliley Act Safeguards Rule, under which the FTC requires financial institutions to develop a written information security plan to protect customer information. While not expressly applicable to cloud services, the SEC Division of Corporation Finance provides guidance that registrants should disclose the risk of cyber incidents in certain circumstances.

In addition, the guidance states, “In evaluating whether risk factor disclosure should be provided, registrants should also consider the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.” The lack of visibility within public cloud services would make the disclosure difficult; however, this disclosure could allay the fears of current and potential investors.

Private cloud services offer a negotiated cloud services agreement, mandating effective multifactor authentication, Internet firewalls, strong encryption, key management, physical (as opposed to logical) separation of data, intrusion detection systems, antivirus software, a remediation plan (in case of breach), audit rights and cybersecurity insurance, with the customer to be named as an additional insured. Furthermore, substantial financial disincentives are offered if the breach is due to an act or omission of the cloud vendor. We expect push back from a private cloud vendor because best-in-class security protocols are costly endeavors. A public cloud services provider may agree to some of the above elements, but it is less likely.

In the end, if you have the resources and you operate in a highly regulated industry (such as financial services or health care) and/or you have personal information or other sensitive data, you will probably opt for the traditional solution, a private cloud. If public cloud services want to compete with the private sector, disclosure is key. Without knowing what’s under the hood, a customer can only reasonably expect that the security measures are not adequate.

John Pavolotsky focuses on technology transactions and other intellectual property matters at the Greenberg Traurig law firm.

This article previously appeared in Information Management, a sister publication of Health Data Management.
