Security and compliance must be considered to determine whether an application or workload belongs in the public cloud vs. on premises. A workload might be tied to certain legal and regulatory requirements -- for example, a healthcare company's data must comply with the Health Insurance Portability and Accountability Act, and a financial services company is required to comply with strict regulations.
"In a global company, there are a lot of restrictions in terms of where data needs to live. If you're working in Europe, the EU has strict and well-defined rules about this," said Matthew Eastwood, an analyst at IDC. IT teams should attend seminars and coordinate with an internal legal team to understand their organization's specific legal and regulatory requirements, he said.
Legal and regulatory requirements aside, if the workload involves sensitive customer data, it might be safer to keep that on premises, said Jeffrey Fidacaro, an analyst at 451 Research. Moving sensitive consumer data to the cloud requires a deep evaluation of a cloud provider's service-level agreement, as there are many contract nuances that could cause complications. Not everyone will find that an on-premises setup is inherently safer than cloud. Pier-Luc Baillargeon, cloud operations coordinator at a financial services company, has some workloads sitting on premises for regulatory requirements but is open to move those workloads off premises if his company's security teams recommend that option.
"Maybe it's a cultural thing where people aren't really ready yet to say that the off-premises setup is as reliable as the internal one, so that's just a matter of going on a step-by-step basis," he said.
Others contend that the perceived risk of moving sensitive data to the cloud is just a lack of understanding how to secure a workload in the cloud, rather than a fundamental flaw in the platform itself.
"If you look at the offerings of the major cloud providers … you have the ability, for example, to provide tight network and security controls. You have the ability to encrypt data while it's being stored," said Scott Lowe, an engineering architect at VMware. "So, there's a roughly equivalent level of security within the public cloud, when done correctly."