{"id":26001,"date":"2023-05-24T11:38:21","date_gmt":"2023-05-24T10:38:21","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/public-and-private-cloud-costs-and-risks\/26001\/"},"modified":"2023-05-24T11:38:21","modified_gmt":"2023-05-24T10:38:21","slug":"public-and-private-cloud-costs-and-risks","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/public-and-private-cloud-costs-and-risks\/26001\/","title":{"rendered":"Brief cheat-sheet on cloud types and their risks"},"content":{"rendered":"<p>The benefits to be had from cloud technologies are promoted to any and every business these days \u2014 from bakeries to banks. Meanwhile, computer clouds have progressed through several evolution steps already, and the generic term <em>cloud<\/em> now describes a number of essentially different approaches. Therefore, it makes sense to figure out specifically which cloud technology your company needs, what the cost should be, and what security measures need to be in place.<\/p>\n<h2>Cloud benefits<\/h2>\n<p>In the general sense, cloud technologies imply the use of certain computer resources (data storage capacity, computing power, or a specific app) distributed from a remote server via the internet. You\u2019re using cloud solutions when editing a document in Google Docs, launching a site on a virtual hosting platform, or sending an e-mail through Microsoft 365. 
Clouds have the following main advantages:<\/p>\n<ul>\n<li>Speedy launch of apps and services: you can begin using cloud services almost instantly without procuring any servers or installing any apps.<\/li>\n<li>Financial flexibility: you pay only for the services you use, without any capital investment whatsoever.<\/li>\n<li>Easy scalability: you can increase server capacity in a matter of minutes, or roll it back to the previous performance and price levels just as easily when no longer needed.<\/li>\n<\/ul>\n<h2>Cloud types: private, public, and hybrid<\/h2>\n<p>The <strong>public cloud<\/strong> concept implies that the computing capacities are owned by a commercial provider, which sells them piecemeal to anyone who wants them. If the company wants to have high-performance computing resources and bulletproof availability, or follows strict data-processing environment requirements, it may procure the necessary infrastructure for its sole use. This is called a <strong>private cloud<\/strong>. Servers can reside within the organization\u2019s perimeter (<strong>on premises<\/strong>) for greater security, or be leased from a commercial data processing center (<strong>hosted private cloud<\/strong>). <strong>Hybrid clouds<\/strong> combine the two approaches, keeping data and services either in the public or private part of the cloud depending on their importance.<\/p>\n<h2>SaaS, IaaS, and assorted other aaS<\/h2>\n<p>All abbreviations ending in <strong><em>aaS<\/em><\/strong> denote things provided <em>as a service<\/em>. The most popular one, <strong>SaaS<\/strong>, stands for <em>software as a service<\/em>. All the popular application services \u2014 including Microsoft 365, Dropbox, Slack, Zoom, and Salesforce \u2014 are <strong>SaaS<\/strong>. The user pays for a particular solution without paying any attention to what servers and apps are behind it or where it resides. 
<strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/Cloud_database\" target=\"_blank\" rel=\"nofollow noopener\">DBaaS<\/a><\/strong>, <strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/Platform_as_a_service\" target=\"_blank\" rel=\"nofollow noopener\">PaaS<\/a><\/strong> and <strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/Function_as_a_service\" target=\"_blank\" rel=\"nofollow noopener\">FaaS<\/a><\/strong>, which are commonly used in software development, work the same way: these services, via the cloud, provide <em><u>d<\/u>ata<u>b<\/u>ases<\/em>, <em><u>p<\/u>latforms,<\/em> and <em><u>f<\/u>unctions<\/em> for new apps, respectively. But those are beyond the scope of this blogpost.<\/p>\n<p>At the other end of the complexity scale, there\u2019s <strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/Infrastructure_as_a_service\" target=\"_blank\" rel=\"nofollow noopener\">IaaS<\/a><\/strong> \u2014 <em>infrastructure as a service<\/em>. In this case, the cloud provider supplies virtual servers or containers in which clients run server applications by themselves. Clients can change server count and capacity in just a few clicks, but they also need to employ their own configuration and maintenance professionals to make the whole thing work.<\/p>\n<p>For those preferring to have their own servers, but unwilling to build a data processing center, there\u2019s <strong>DCaaS<\/strong> \u2014 <em>data center as a service<\/em>. The provider supplies the spaces, cooling and the rest of the engineering infrastructure, but the physical computers belong to the client organization.<\/p>\n<p>SaaS services always operate in a public cloud, whereas IaaS may be public, private, or hybrid.<\/p>\n<h2>Cloud solution costs<\/h2>\n<p>Although many cloud deployments require very limited initial investments, one should pay close attention to calculating the total cost of ownership (TCO) and its growth as the workload increases. 
Costs to consider include the cloud provider\u2019s services, equipment for on-premises solutions, salaries of IT administrators and developers, and licenses for related apps and services. Public clouds usually provide an inexpensive and quick way to deploy small solutions, but <a href=\"https:\/\/openmetal.io\/resources\/blog\/public-cloud-vs-private-cloud-cost-tipping-points\/\" target=\"_blank\" rel=\"nofollow noopener\">private or hybrid clouds will be increasingly attractive as a company grows in size<\/a>.<\/p>\n<h2>Cloud solution risks<\/h2>\n<p>Cloud providers tend to advertise security as one of their key advantages, but security is far from being an inherent property of the cloud. Moreover, cloud solutions bring new types of risks.<\/p>\n<p><strong>The main risk: lack of both awareness and vigilance.<\/strong> Users \u2014 even IT administrators for that matter \u2014 believe that their cloud system is \u201cautomatically\u201d protected, with everything taken care of by the cloud provider; therefore, they hardly even consider security. But in reality the cloud provider is unable to solve some issues, so these <a href=\"https:\/\/www.kaspersky.com\/blog\/aws-integration-reinvent\/20271\/\" target=\"_blank\" rel=\"noopener nofollow\">need to be addressed by the client organization<\/a>. Here is a list of the main cloud service risks:<\/p>\n<ul>\n<li>Every SaaS\/IaaS solution features dozens \u2014 sometimes even hundreds or thousands \u2014 of adjustable settings, making it easy for the administrator to make mistakes, for example, by <a href=\"https:\/\/www.kaspersky.com\/blog\/power-apps-exposure\/41523\/\" target=\"_blank\" rel=\"noopener nofollow\">leaving an important database exposed to the internet<\/a>, or by failing to block access to privileged functions. 
Cloud solutions from different providers have different \u2014 and not wholly compatible \u2014 configuration settings, so even competent administrators may find it hard to ensure the integrity of security policies. The misconfiguration problem has been responsible for most of the high-profile data leaks in recent years. This problem is relevant for <strong>SaaS<\/strong>; acutely so for <strong>IaaS<\/strong>\/<strong>DCaaS<\/strong>.<\/li>\n<li><strong>Leakage of account details.<\/strong> Gaining access to information in a cloud is easy \u2014 but this advantage turns into a disadvantage as soon as your employee\u2019s password ends up in the hands of threat actors. They can get hold of account data using phishing, or by brute-forcing a weak password, or by using a data leak from a third-party service and giving the leaked passwords a try with the users\u2019 corporate accounts. This problem is relevant for all cloud types.<\/li>\n<li><strong>Legal issues.<\/strong> In cloud environments, it\u2019s more difficult to comply with legal data storage requirements; for example, not to send clients\u2019 personal data abroad or to have particular safety measures in place at data centers. In some cases, it\u2019s not clear at all in which country the data is stored.<\/li>\n<li><strong>Insufficient monitoring<\/strong>. Organizations often find that the cybersecurity, access control, and data-leak prevention tools they use across their office networks don\u2019t work in cloud environments. As a result, cloud systems\u2019 events (including logging in and downloading large volumes of data) <a href=\"https:\/\/devops.com\/cloud-visibility-remains-a-top-challenge-for-many-organizations\/\" target=\"_blank\" rel=\"nofollow noopener\">may go unnoticed for weeks or even months<\/a>. This problem is relevant for all cloud types.<\/li>\n<li><strong>Accidental data leaks<\/strong>. 
<a href=\"https:\/\/www.kaspersky.com\/blog\/collaboration-solutions\/35740\/\" target=\"_blank\" rel=\"noopener nofollow\">Careless use of the \u201cshare\u201d function<\/a> can make internal information accessible to outsiders.<\/li>\n<li><strong>Vulnerabilities<\/strong>. Server apps are often found to contain vulnerabilities, and <a href=\"https:\/\/www.kaspersky.com\/blog\/vulnerabilities-in-public-clouds\/28905\/\" target=\"_blank\" rel=\"noopener nofollow\">attackers find it convenient to exploit them in cloud environments<\/a>. Firstly, cloud solutions can be accessed via the internet, and secondly, they\u2019re often all configured in the same way \u2014 making it easy to replicate a successful attack against new victims. In <strong>SaaS<\/strong>, all vulnerabilities must be patched by the provider, with few or no options left for the user. In <strong>IaaS<\/strong>, the client\u2019s IT service deals with most of the issues, and they must be really quick about it.<\/li>\n<\/ul>\n<h2>The correct cloud strategy<\/h2>\n<p>Choice of the most appropriate strategy varies greatly depending on your organization\u2019s size, IT maturity, and objectives. The strategy must take into account whether the IT system was created from scratch or migrated from a cloudless system, what scale of operations needs to be ensured from day one, how to accommodate the regulators\u2019 requirements, and so on. 
Don\u2019t forget to plan out your security measures early on in the project and to use <a href=\"https:\/\/www.kaspersky.co.uk\/enterprise-security\/cloud-security?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">specialized security systems for cloud environments<\/a>.<\/p>\n<p>Here\u2019s a brief summary table to help you estimate the costs, complexity and risks:<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"215\">\u00a0<\/td>\n<td width=\"51\"><strong>SaaS <\/strong><\/td>\n<td width=\"55\"><strong>IaaS<\/strong><\/td>\n<td width=\"38\"><strong>DCaaS<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"215\">Deployment costs<\/td>\n<td width=\"51\">+<\/td>\n<td width=\"55\">++<\/td>\n<td width=\"38\">++++<\/td>\n<\/tr>\n<tr>\n<td width=\"215\">Scaling speed<\/td>\n<td width=\"51\">++++<\/td>\n<td width=\"55\">+++<\/td>\n<td width=\"38\">++<\/td>\n<\/tr>\n<tr>\n<td width=\"215\">IT\/information security support costs<\/td>\n<td width=\"51\">+<\/td>\n<td width=\"55\">+++<\/td>\n<td width=\"38\">++++<\/td>\n<\/tr>\n<tr>\n<td width=\"215\">Costs in case of a major surge in volumes\/usage<\/td>\n<td width=\"51\">+++++<\/td>\n<td width=\"55\">+++<\/td>\n<td width=\"38\">++<\/td>\n<\/tr>\n<tr>\n<td width=\"215\">Support complexity for IT specialists<\/td>\n<td width=\"51\">+<\/td>\n<td width=\"55\">+++<\/td>\n<td width=\"38\">++++<\/td>\n<\/tr>\n<tr>\n<td width=\"215\">Support complexity for information security specialists<\/td>\n<td width=\"51\">++<\/td>\n<td width=\"55\">++++<\/td>\n<td width=\"38\">+++<\/td>\n<\/tr>\n<tr>\n<td width=\"215\">Information security risk level<\/td>\n<td width=\"51\">++<\/td>\n<td width=\"55\">+++<\/td>\n<td width=\"38\">+++<\/td>\n<\/tr>\n<tr>\n<td width=\"215\">Information security incident investigation and correction complexity<\/td>\n<td width=\"51\">++++<\/td>\n<td width=\"55\">+++<\/td>\n<td width=\"38\">++<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
","protected":false},"excerpt":{"rendered":"<p>Cloud technologies differ in terms of both costs and risks. What cloud type should you choose, and how should you begin your migration?<\/p>\n","protected":false},"author":2722,"featured_media":26002,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1836,2360],"tags":[109,1069,1189,3645,1045,2502,529],"class_list":{"0":"post-26001","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-apps","10":"tag-clouds","11":"tag-development","12":"tag-economy","13":"tag-risks","14":"tag-saas","15":"tag-threats"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/public-and-private-cloud-costs-and-risks\/26001\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/public-and-private-cloud-costs-and-risks\/25701\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/public-and-private-cloud-costs-and-risks\/21121\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/public-and-private-cloud-costs-and-risks\/28356\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/public-and-private-cloud-costs-and-risks\/35350\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/public-and-private-cloud-costs-and-risks\/48261\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/public-and-private-cloud-costs-and-risks\/26311\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/public-and-private-cloud-costs-and-risks\/32011\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/public-and-private-cloud-costs-and-risks\/31697\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/ww
w.kaspersky.co.uk\/blog\/tag\/clouds\/","name":"clouds"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/26001","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=26001"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/26001\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/26002"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=26001"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=26001"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=26001"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}