White paper

Secure remote services

Public cloud vs. private cloud (on-premise)

Find out more about

 Key differences
 Advantages for your company
 Risks in setup and operation
White paper | Secure Remote Services – Public Cloud vs. Private Cloud (On-Premise)

Introduction

The rise of public cloud solutions is causing Essentially, the main difference between cloud
many vendors of remote service solutions to and on-premise software is where it is installed.
shift their focus from on-premise solutions On-premise software is installed locally, on your
to cloud-based delivery models. This shift business’s computers and servers, whereas cloud
is also associated with a key question: software is hosted and operated on a vendor’s
“Which solution is the most suitable for server farm and mostly accessed through a web
my business?” browser.
If you are wondering which option is more
secure, accessible, and affordable, you will In addition to accessibility, there are of course
find the answers to your questions in this other things that need to be considered when
white paper. making a decision: software ownership, cost of
ownership, software updates, backup strategy, and
According to a Gartner Study*, the cloud managed additional services such as security, support, and
services landscape is becoming increasingly implementation. Let’s explore all the pros and cons.
challenging and competitive.
Indeed, by 2022, up to 60% of companies will use
the public cloud services of an external service
provider, corresponding to a doubling of the Content
percentage of companies from 2018 and a volume
of 354.6 billion USD.   Cloud basics 3
The advantages of the cloud are clear: It offers
not only more agility and software that is always   Cloud benefits 5
up-to-date, it also eliminates hardware constraints.
Surprisingly, cloud vs. on-premise software   Costs 8
continues to be hotly debated.
  Risks resulting from on-premise
solutions10

  Pros and cons of public cloud

vs. private cloud (on-premise) 17

  Summary 21
* Source: Gartner, November 2019
https://www.gartner.com/en/newsroom/press-
releases/2019-11-13-gartner-forecasts-worldwide-   Contact 23
public-cloud-revenue-to-grow-17-percent-in-2020

Phoenix Contact 2
White paper | Secure Remote Services – Public Cloud vs. Private Cloud (On-Premise)

1 Cloud basics

Phoenix Contact 3
White paper | Secure Remote Services  Cloud basics

Cloud server

Service engineer Plant and machinery

Client software Remote gateway

Typical remote services cloud topology

Cloud-based remote access is a new type 1. Remote gateway

of secure remote service enabling flexible Remote gateways connect to equipment in the field
remote access to machines in the field. to access and control it.

The associated network typology consists 2. Cloud server

of three components: The cloud server is installed on a cloud-based
platform such as Amazon Web Services or
Microsoft Azure. It maps the connection requests
and, after successful authentication on both sides,
establishes a connection.

3. Client software
Client software is installed on the engineer’s mobile
device, PC, or desktop. The remote gateway and
client software initiate outbound secure connection
requests to the cloud server.

Phoenix Contact 4
White paper | Secure Remote Services – Public Cloud vs. Private Cloud (On-Premise)

2 Cloud benefits

Phoenix Contact 5
White paper | Secure Remote Services    Cloud benefits

Cloud-based remote access solutions cloud server. Furthermore, administrators can

implement network topologies that enable easily manage client accounts, remote gateways,
the creation of outbound connections in the and certificates without having to reconfigure them
form of remote access tunnels. By doing so, regularly.
they overcome the challenges presented by
traditional VPN and remote desktop control
technologies.
Enhanced security
In addition, cloud-based remote access offers
machine builders the following benefits: End-to-end encryption between a remote PC and a
piece of equipment prevents data leaks. The cloud
server only routes traffic: It does not decrypt or
store data that passes through.
User-friendliness
Machine builders use remote access for
Plug and play remote access means technical troubleshooting, monitoring, maintenance, and
configuration is no longer necessary. Security diagnostics. Remote access is typically not required
parameters, such as hash functions and on a continuous basis, and can therefore be used on
encryption/decryption algorithms, are configured an as-needed basis. This helps to minimize security
automatically. Machine builders do not need to issues and reduce costs, especially when remote
configure these parameters; they just need to click connectivity is based on a volume-dependent
on a button to establish a remote connection. pricing option, such as with cellular technology.

Virtual IP addresses make multi-point access Furthermore, machine operators take preference
effortless, with no field IP reconfiguration needed. over machine builders in terms of remote access
Irrespective of the initial IP addresses set up by to all applications on their local network. Limiting
machine builders, cloud-based software assigns access to only the applications machine builders
unique virtual IP addresses to machines. Machine need eliminates the risk of interfering with plant
builders can use these virtual IP addresses to operations. Cloud-based access lets machine
establish several simultaneous remote connections. operators initiate or accept remote connections.
In addition, machine builders can use identical IP Furthermore, machine operators can establish
schemes for different field sites without worrying rules as to which services and applications machine
about address conflicts. This, in turn, cuts builders can remotely use. They can also restrict
installation costs substantially. access to specific sets of service engineers.

Connections are centrally monitored and IT security policies are followed with no
managed. The cloud server is the central point for compromises. Cloud-based remote access
establishing and managing remote connections. solutions can build outbound connections using
Administrators can monitor the traffic status and the IPsec VPN ports 4500 and 500, which means
volume of each connection by connecting to the opening those ports for VPN traffic. Opening these

Phoenix Contact 6
White paper | Secure Remote Services    Cloud benefits

ports often means asking for trouble with IT and OEMs and machine builders require secure,
firewall managers. However, if the firewall-friendly easy-to-use, on-demand, and scalable remote access
service port 443 is used for this purpose (normally to their machines in the field.
reserved for secure website access using SSL) or 80
(reserved for unsecured website access) is used for Traditional on-premise access solutions are
remote access, this does not present any issues for cumbersome and require IT/networking knowledge,
managing IT departments. as well as changes in security/firewall policies.
This solution can be used without hesitation,
according to the IT security policies of the machine Remote access backed by a cloud-based
operator. management infrastructure can provide the
ease-of-use, flexibility, and scalability required by
OEMs, without compromising on security.

Flexibility and
scalability

The client software is not limited to specific

hardware platforms. Users can download client
software to any mobile device, laptop, or PC and
have remote access from anywhere and at any time,
as long as they have an active client account.

Remote access to equipment lets users act as if

they are locally connected. A transparent tunnel
connects the client with the remote equipment as
if they were on the same network. So, regardless of
the remote equipment being accessed (PLC, HMI,
etc.), and independent of the protocol used to pull
data or used for programming, machine builders
can remotely acquire data or program (remote)
equipment. They can use their own software
tools to do so, as if they were sitting next to the
equipment.

Remote access simplifies network expansion by

allowing network administrators to easily add and
remove equipment and manage client accounts and
certificates.

Phoenix Contact 7
White paper | Secure Remote Services – Public Cloud vs. Private Cloud (On-Premise)

3 Costs

Phoenix Contact 8
White paper | Secure Remote Services   Costs

A good way to look at the cost benefits This monthly subscription fee is almost always going
of a cloud-based solution is by using the to cost you more than paying the ongoing license
“iceberg” analogy – in other words, the bits fees for the software you have bought – so in that
you can see don’t make up the whole of the respect, an on-premise solution proves to be more
picture. Let’s start with the bits you can see: cost-effective long-term.
• Initial costs
• Subscriptions It does not end there, however – on-premise
• Software licenses solutions come with a huge number of hidden
costs that don’t show up on paper. Unless you
With an on-premise solution, your setup costs have a very efficient way of handling them, you will
are almost always going to be much higher. For normally end up paying significantly more with an
that reason alone, if you don’t want to make a on-premise solution than if you choose a hosted
significant investment, you’re better off with a cloud solution.
cloud solution – you simply pay a subscription fee
each month/quarter/year, rather than “buying”
the software.

On-Premises Cloud Computing

9%
Software licenses
68 %
Subscription fee

Customization and Implementation,

implementation customization
and training
Hardware

IT personnel

Maintenance

Training

Ongoing costs: Ongoing costs:

• Apply fixes, patches, upgrades • Subscription fee
• Downtime
• Performance tuning
• Rewrite customizations and integrations
• Upgrade dependent applications
• Ongoing burden on IT
• Maintain/upgrade hardware, network, security, database Source: People

Cost advantages of cloud-based solutions: visible and hidden costs

Phoenix Contact 9
White paper | Secure Remote Services – Public Cloud vs. Private Cloud (On-Premise)

4 Risks resulting from

on-premise solutions

Phoenix Contact 10
White paper | Secure Remote Services  Risks resulting from on-premise solutions

Building a private cloud in your on-premise However, private clouds come with a unique set of
data center can be a game changer. challenges. Adopting a private cloud exposes your
“Private cloud” implies the power of organization to several risks, some of which are
on-demand computing, at your disposal, not commonly known. What are these risks, and
with complete flexibility to construct a could they affect your decision to go for a private
technical solution tailored to your specific or public cloud? At the end of the day, the private
application needs. A private cloud releases cloud is still a cloud.
your dependence on the whims of providers
like Amazon Web Services (AWS) and
Microsoft Azure, allowing you to do things
your way. For example, you can store data
locally and manage compliance easily. Often,
these methods also result in significant
cost savings.

Phoenix Contact 11
White paper | Secure Remote Services    Risks resulting from on-premise solutions

Risk #1:
Security breaches

Private clouds can be less secure than public clouds. Public cloud
providers have years of experience and top-notch expertise in security. In many
cases they will have strategies, techniques, and tools to secure the various
layers of the cloud stack. Certainly, public clouds are a bigger target for hacker
attack. However, cloud vendors have an excellent understanding of cloud
security concerns and how to mitigate them, which as a private enterprise you
would have to learn.

Another concern is hybrid clouds. Security in a hybrid cloud is even more

complex. When you shift workloads from the private to the public cloud there
will be a transition from your internal security systems to those offered in the
public cloud. In this transition, as traffic and apps are crossing from one system
to another, there is a major risk of a “security lapse” that invites breaches.

Risk #2:
Performance

Performance is a well-known concern in virtualized environments. Because

of the highly dynamic nature of the environment, it is difficult to predict how
changing loads at the infrastructure level will effect application performance and
user experience.
Enterprises know their computing resources and how many machine instances
they have in the public cloud, but there are other things that can impact
performance – network bandwidth, latency and jitter, noisy neighbors on shared
computing resources, access speed, and more.

The private cloud offers much more flexibility in how the cloud is built. You
can select the hardware and software components, network infrastructure, and
topology you believe will result in optimal performance for your use case. But
will you really get the performance you think you will?

Just as public cloud vendors cannot always deliver the performance users need
due to the complexities of virtualized and dynamically changing infrastructures,
you also will not always meet your performance goal with your
private cloud.

Phoenix Contact 12
White paper | Secure Remote Services    Risks resulting from on-premise solutions

Hidden bottlenecks can occur in virtualized systems. Performance might vary

depending on the current mix of workloads, software upgrades from VMware,
OpenStack, or other elements of the system, and many other factors. Are
you sure that your infrastructure will perform under all use cases and ambient
conditions, including when it is upgraded?

Risk #3:
Expertise and learning curve

Private clouds have been around for awhile, and many are built using VMware’s
software infrastructure, which is well-known and has a large user base.
However, a growing number of private cloud projects are opting for the
powerful and more cost-effective option represented by open source platforms.
OpenStack is emerging as the new de facto standard for private clouds, but this
platform represents a big unknown.

If you do not have accomplished OpenStack experts on your team – and there
are not too many of those out there – it will be extremely challenging to get
an OpenStack project off the ground. In the OpenStack User Survey 2016,
users commented on the difficulty and complexity of working with OpenStack,
although the platform is improving in maturity.

If you do not do things right in the early stages of an OpenStack deployment,

you might experience significant difficulties later on. This might impact your
ability to build the private cloud with the precise capabilities you need and to
meet your timelines for milestones during your project.

Risk #4:
Lack of visibility

One of the reasons to move from the public to the private cloud is to gain
additional visibility into what’s happening in the cloud. A common perception
is that once it is in your own data center, you will have much greater
insight into things like workloads, usage, traffic, and performance.

Phoenix Contact 13
White paper | Secure Remote Services    Risks resulting from on-premise solutions

In the public cloud, there is no easy solution to gain insights on your network
traffic at the packet level. Existing monitoring tools, like Amazon’s CloudWatch
and CloudTrail, do not let you “look inside the packets” to perform advanced
diagnostics of network issues and prevent security problems.

In the private cloud, the situation is not much better. You’ll face the problem
of network traffic flowing between virtual machines (VMs) that does not touch
a physical wire, and which is thus completely invisible to traditional monitoring
tools. This traffic can account for 80% or more of the traffic in a
virtualized data center, creating a huge blind spot for IT teams.

Risk #5:
Limited scale

Many enterprises build a private cloud, as opposed to staying with a regular

data center, to gain the power of on-demand computing and to be able to
develop enterprise applications and services faster. However, at the end of the
day, your private cloud’s capacity will be constrained by your budget.

What happens if application usage is much higher than you expect? For
example, if you run a customer-facing service and there is an “explosion”
of usage, how will your cloud support it? You’ll be exposed to the risk of
overshooting your capacity, thus losing the economies of scale and cost savings
that led you to build your private cloud in the first place.

The classic solution to this problem is a hybrid cloud, enabling “cloud bursting”
from the private cloud to the public cloud if workloads overshoot your local
resources. But setting up a hybrid cloud adds cost and complexity to your
private cloud project. Furthermore, a common reason to build a private cloud
in the first place is compliance with internal policies or external regulations.

There might be an internal policy stating that highly confidential data

must be located on premise and must not leak to the public cloud
or a legal requirement that data cannot leave the country. Using a hybrid cloud
for peak loading in these scenarios might be problematic. How do you make
sure only non-sensitive workloads are load-balanced between private and public
clouds while keeping your confidential or regulation-affected information on
premise?

Phoenix Contact 14
White paper | Secure Remote Services    Risks resulting from on-premise solutions

Risk #6:
Limited services

This applies to more than scale or cloud services and capabilities. On a

public cloud like Amazon Web Services or Microsoft Azure, you have access
to a plethora of cloud services, both native and third-party. They offer you
everything from advanced management capabilities to auto scaling and high
availability, storage services, instant provisioning of databases and huge data
clusters, and so on.

You can use most of these capabilities in the private cloud, but you need to
plan for them and then spend time and money integrating and deploying these
features. In some cases, you even have to build capabilities from scratch.

In particular, high availability and resilience features provided by cloud

services like Amazon AWS are difficult to recreate in-house. A feature like
Multi-Availability Zones, which allows you to maintain replicas of machine
instances in different data centers, is not be possible in most private clouds.

The bottom line is that in a private cloud, you only have it if you have
built it yourself. If you didn’t include a certain feature, functionality, or regular
update in your project scope, you will be limited in your ability to innovate in
the private cloud.

Risk #7:
Data loss

According to data from Veritas*, many private cloud implementations are

exposed to major risks of data loss. Data loss can occur on three layers: the
hypervisor layer, the virtual machine layer, and the disaster recovery or backup
system layer.

Due to the dynamic nature of a private cloud, traditional techniques for

safeguarding data may not be enough and may not function in predictable
ways across all scenarios. There are also numerous possible misconfiguration
scenarios that can have disastrous consequences.

* https://www.veritas.com/information-center/enterprise-cloud-storage-ultimate-guide

Phoenix Contact 15
White paper | Secure Remote Services    Risks resulting from on-premise solutions

Running multiple versions of VMware ESX, with some using virtual machine
file system (VMFS) options unsupported by earlier versions, can lead to some
VMs failing, data loss, and downtime.

If a critical application is running on two VMs, with one live copy and one
backup copy, and one of them fails, there will usually be an automatic failover.
If that failover instantiates the backup on the same physical host as the live
copy, there is a single point of failure.

If there is a high-performance RAID 1 for production data and a lower

performance RAID 5 for archiving and staging, there might be a mismatch.
This will cause some VMs to write production data to the lower-performance
storage, causing performance degradation or data loss.

Phoenix Contact 16
White paper | Secure Remote Services – Public Cloud vs. Private Cloud (On-Premise)

5 Pros and cons of public cloud

vs. private cloud (on-premise)

Phoenix Contact 17
White paper | Secure Remote Services    Pros and cons of public cloud vs. private cloud (on-premise)

Cloud software
advantages

Access anywhere and at any time High level of security

You can access your applications anywhere and at Data centers employ security measures beyond
any time from any device over a web browser. what most businesses can afford. This means that
your data is often safer in the cloud than on a
Affordable server in your offices.
No up-front costs are incurred for the cloud.
Instead, you make regular payments, which makes Quick deployment
it an operating expense (OpEx). While the monthly Cloud-based software is deployed over the Internet
cost adds up over time, maintenance and support in a matter of hours or days, as opposed to
services are included, removing the need for annual on-premise applications which need to be installed
contracts. on a physical server and each PC or laptop.

Predictable costs Scalability

Benefit from predictable monthly payments that Cloud technologies provide greater flexibility since
cover software licenses, upgrades, support, and you only pay for your actual usage. You can also
daily back-ups. easily scale to meet demand, for example by adding
and scaling back licenses.
Worry-free IT
Because cloud software is hosted for you, you Lower energy costs
don’t need to worry about the maintenance of When you move to the cloud, you no longer have
your software or the hardware it is installed on; to pay to power on-premise servers or to maintain
compatibility and upgrades are taken care of by the their environment. This significantly reduces the
cloud service provider. amount you pay for your energy bills.

Phoenix Contact 18
White paper | Secure Remote Services    Pros and cons of public cloud vs. private cloud (on-premise)

Cloud software
disadvantages

Connectivity
Cloud solutions require reliable Internet access for
you to remain productive.

Long-term costs
Although requiring a lower upfront investment,
cloud applications can be more costly over the
course of the system’s life cycle, increasing the total
cost of ownership (TCO).

Less customizable
Cloud software is typically configurable, but a cloud
solution may not be able to cope with complex
development projects depending on how it is
hosted.

Phoenix Contact 19
White paper | Secure Remote Services    Pros and cons of public cloud vs. private cloud (on-premise)

On-premise On-premise
advantages disadvantages

Total cost of ownership Large capital expenditure

Since you are only paying for your user licenses On-premise systems usually require a large upfront
once, an on-premise solution can have lower total purchase, which means capital expenditure (CapEx)
cost of ownership (TCO) than a cloud system. is often required. In addition, you need to factor
in maintenance costs to ensure support and
Complete control functionality upgrades.
Your data, hardware, and software platforms are
all yours. You decide on the configuration, the Responsibility for maintenance
upgrades, and system changes. With an on-premise system, you are responsible for
maintaining server hardware and software, security
Up-time issues, data backups, storage, and disaster recovery.
With on-premise systems, you do not rely on This can be an issue for smaller companies that
Internet connectivity or external factors to access have limited budgets and technical IT resources.
your software.
Longer implementation times
On-premise implementations take longer due
to the time needed to complete installations on
servers and each individual computer/laptop.

Phoenix Contact 20
White paper | Secure Remote Services – Public Cloud vs. Private Cloud (On-Premise)

6 Summary

Phoenix Contact 21
White paper | Secure remote services – public cloud vs. private cloud (on-premise)  Summary

Why are
cloud-based remote services
better than on-premise solutions?
Cloud solutions are better than on-premise Providing real-time access to systems and data
solutions due to more than just their flexibility, from a variety of devices regardless of the location
reliability, and security. They also eliminate the and with guaranteed up-time of 99%, the cloud is
hassle of maintaining and updating your systems, becoming the number one choice for all enterprises
allowing you to invest your time, money, and using remote services.
resources in implementing your core business
strategies.

Remote maintenance
Cyber security

Instant remote access

Secure VPN infrastructure

Lower travel costs

Easy to use
Cost-effective

Phoenix Contact 22
White paper | Secure Remote Services – Public Cloud vs. Private Cloud (On-Premise)

Contact

Secure remote services

As a strategic product manager, I am always looking for the

best, not the most simple, answers for technology, design, user
experience, and speed.
The results are sustainable and outstanding products that prepare
the way for flexible access to your machines and systems in the
field.

Find the best remote service solution for your company and make Markus Scheibenpflug
a consulting appointment. Strategic Product Manager
­Communication Interfaces
https://phoe.co/mGuardSecureRemoteService ­Automation Infrastructure at
­Phoenix Contact

[email protected]

AI 03-21.006.L3

Phoenix Contact 23