Public, Private, Hybrid? Which Cloud is Right for your Agency?

Should your agency move data or applications to the private or public cloud? Those aren’t the only options. Other choices include a community cloud, a multi-tenant infrastructure shared among several organizations from a specific group with common computing concerns. Then there’s the hybrid cloud, which combines two or more of the above (private, public or community).

In our free Cloud for Govies eBook, we suggest that choosing public over private (or any combination thereof) really comes down to risk management and is very dependent on your specific workload, your use case, and your security profile.

DISA’s CIO, David Bennett, agrees. “You have to understand the risk and the data you’re dealing with,” said Bennett at a recent Nextgov event. “As you look at those things, you have to ask questions like, ‘What controls do I have in place?’ We want to leverage commercial opportunities and reap the benefits of doing that, but we also want to verify and make certain what’s out there and that we’re able to understand and monitor that.”

Below are a few pointers that can help you determine which infrastructure-as-a-service cloud is right for your agency: public, private, hybrid, or community.


Public Cloud


Pros

  • No purchase of physical infrastructure
  • Pay for what is used. Turn the service off when done
  • Immediate self-service (no need to build infrastructure)
  • Maximum elasticity


Cons

  • Low visibility and control (vs. private)
  • Requires greater “trust” (with verification)
  • Multi-tenant (from a security perspective)
  • Large data requirements


Private Cloud


Pros

  • Maximum control and visibility
  • Adheres to existing security framework
  • Easiest fit from a governance and policy perspective (as it will closely mirror what already exists)
  • Enables charge-back of metered usage to users’ cost centers, thus ensuring better resource cost awareness


Cons

  • Highest cost. Must purchase and integrate hardware and software
  • Must attain high utilization for maximum Return on Assets
  • Requires new IT skills to manage the cloud infrastructure
  • Minimal elasticity


Community Cloud


Pros

  • Caters to a specific industry and its compliance requirements (e.g., FISMA, HIPAA, PCI-DSS)
  • No purchase of physical infrastructure
  • Pay for what is used. Turn the service off when done
  • Still relatively lower cost when compared to private for most services
  • Moderate to maximum elasticity


Cons

  • Low visibility and control*
  • Requires greater “trust” (with verification)*
  • Typically higher cost than public due to specialization in support of specific customer requirements

* Because community clouds target a specific industry, they can typically respond more efficiently to requests relating to compliance or to assessment and authorization (A&A).


Hybrid Cloud


Pros

  • Maximum flexibility
  • Dedicated resources on-site (via private cloud)
  • Pay-per-use resources off-site (via public or community cloud)
  • Off-site resources are pay-for-what-is-used. Turn the service off when done
  • Elasticity when needed
  • Immediate self-service


Cons

  • Most of the cons for both private and public clouds (for their respective components)
  • Additional layer of software is needed to provide governance and brokerage between the cloud services
  • Policy must be defined indicating which services and datasets are allowed in which part of the cloud
  • The broker / governance component is an additional software component requiring additional IT skills to operate and manage
