Hybrid and multi-cloud: flexibility and security
Public, private, hybrid or multi-cloud models are no longer purely an infrastructure issue. They form the backbone of modern IT strategies and help companies of all sizes to remain flexible, secure and future-proof. The challenge lies in finding the right combination – tailored to the business model, data requirements and legal regulations.
In the early days of cloud computing, companies were often faced with a seemingly binary choice: public or private cloud? Today, it is clear that this comparison no longer reflects reality. This is because the demands placed on IT infrastructures have become more complex: scalability and speed are important, but so are security, data protection, innovation and regulatory compliance. A single model can hardly meet all these requirements.
Public cloud
Public cloud platforms such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud promise fast provisioning, flexible scaling and access to state-of-the-art technologies – from AI-supported analysis to serverless architectures. But this openness also comes with challenges: control over sensitive data decreases, billing models are difficult to calculate, and dependence on the respective provider can become a strategic risk.
Private cloud
Private clouds, on the other hand, offer maximum control over data and systems – a decisive advantage for companies with high data protection, security and compliance requirements. This model is particularly well established in regulated industries such as healthcare and financial services. But a private cloud strategy can also make sense for SMEs – not only for reasons of data security, but above all for pragmatic considerations. Many small and medium-sized enterprises do not have the necessary IT expertise in-house or deliberately choose not to deal with complex cloud architectures. The desire for a reliable, local partner and a focus on business continuity are paramount. IT service providers with a local presence enable such companies to benefit from the advantages of a private cloud without having to deal with the technical complexity themselves.
Hybrid and multi-cloud
Hybrid models allow the targeted combination of both worlds: companies keep sensitive data in the private cloud while using public cloud services for scalable applications or development. Multi-cloud strategies go one step further by using different providers in parallel – for example, to optimally distribute workloads or integrate specialised services in a targeted manner.
Strategic drivers for hybrid and multi-cloud architectures
The relevance of these strategies is impressively demonstrated by recent studies. According to CloudZero, 73% of companies surveyed worldwide use hybrid cloud infrastructures, while 87–89% already use multi-cloud architectures. Data from Europe also shows that the budget share for hybrid architectures is continuously increasing.
The motives behind this development are clear: companies want to become less dependent on individual providers, minimise downtime risks through distribution and, at the same time, reduce their IT costs through targeted workload placement. Added to this are requirements to comply with national data protection laws and the desire to gain access to innovative cloud services for AI, data analysis and automation.
[1] https://www.cloudzero.com/blog/cloud-computing-statistics/
Data sovereignty as strategic key
In an increasingly digitalised world, data sovereignty is becoming a fundamental requirement of any IT strategy. This applies not only to corporations and public authorities, but to companies of all sizes. This topic is currently the subject of intense debate, particularly in Switzerland. Even though international cloud providers now operate data centres in the EU or even in Switzerland, they are still subject to foreign law – in particular the US CLOUD Act.
For many companies, especially small and medium-sized enterprises, this raises the question: how can the flexibility of modern cloud services be combined with the guarantee of data sovereignty? The answer lies in sovereign cloud architectures that ensure data is processed within clearly defined legal and geographical boundaries, for example through a private or hybrid cloud operated in Swiss data centres.
This is exactly where we come in: with sovereign cloud solutions, we enable companies to combine digital innovation with maximum data sovereignty – regardless of company size or industry.
The downsides: complexity, control, competencies
As attractive as hybrid and multi-cloud models may appear on paper, many companies encounter limitations in practice. The challenges are less technical in nature and more structural and organisational. According to Fortinet's Cloud Security Report 2024[2], 59% of companies cite security and compliance risks as the biggest problem. This is because the different security standards and tools used by providers make it difficult to implement a consistent protection concept.
Controlling distributed systems also remains a challenge: 52% of respondents complain about a lack of transparency, incompatible APIs and a fragmented tool landscape. Added to this is the shortage of skilled workers: 49% of companies have difficulty finding qualified personnel for cloud architecture, automation and governance.
Standardising identity and access management (IAM) across providers is particularly complex. Anyone who wants to establish comprehensive monitoring, logging and security policies needs not only the right tools, but also a clear strategy and sufficient resources.
[2] https://www.fortinet.com/content/dam/fortinet/assets/reports/de_de/cloud-security-report-2024.pdf
Cloud-native workload distribution: What goes where?
One of the biggest efficiency levers in hybrid and multi-cloud environments is the correct allocation of workloads. Not only technical compatibility and performance requirements play a role here, but also business considerations and regulatory frameworks. Those who distribute their systems sensibly can not only minimise risks, but also save considerable costs.
A proven guideline is that applications with high resource requirements, dynamic usage patterns or low protection requirements can be operated efficiently in the public cloud. On the other hand, a private or sovereign cloud environment is recommended for data-sensitive, business-critical or highly regulated systems. Hybrid scenarios also enable differentiated placement, balancing flexibility and control in a targeted manner. Some typical usage patterns: Public cloud: Development and test systems, web applications, AI/ML projects with high resource requirements
- Private cloud: ERP systems, sensitive financial or health data, compliance-relevant archiving
- Hybrid cloud: CRM platforms, business intelligence, container orchestration with regional data storage
- Multi-cloud: Distributed analysis platforms, backup systems, GPU compute clusters or resilient data distribution between hyperscalers
This intelligent workload distribution not only makes organisational sense, but also brings tangible financial benefits: According to a study by Infoblox, it can reduce operating costs by up to 50% in hybrid and multi-cloud scenarios.
Technological foundation: open source, closed source, or both?
The choice of technological basis – whether open source or proprietary – is not only a question of functionality, but also of strategic orientation. Open source solutions offer maximum control, independence and adaptability – for example, when it comes to specific security or compliance requirements. Proprietary platforms, on the other hand, score points with ready-to-use services, high user-friendliness and integrated support. The decision is also a question of dependency: how much control do you want to retain and how much convenience are you willing to give up in return?
Open source is an essential component, especially in private cloud architectures. In our experience, where security, adaptability and long-term independence are the focus, open source technologies should be used as much as possible. These not only offer full transparency of the code, but also enable flexible integration and individual further development. This is a clear advantage when it comes to data sovereignty and regulatory requirements.
The key point is that the choice of technology does not have to be made alone. Experienced IT service providers can help with selecting and integrating the right solution. This often results in a mixed model: open source where individual customisation and data sovereignty are required; proprietary services where efficiency, availability and user-friendliness are paramount.
Implementation in stages: From analysis to operation
The introduction of hybrid and multi-cloud architectures is not a project that can be realised in one fell swoop. Rather, it requires a structured, iterative process that takes technical, organisational and cultural aspects into account. A six-step approach has proven successful:
- Inventory: Analysis of the existing IT landscape, security requirements, data flows and legal framework conditions.
- Target vision & architecture: Definition of a viable target architecture with a focus on automation, interoperability, security and governance.
- Piloting (proof of concept): Validation of the concept using selected workloads in a secure, controlled environment.
- Rollout & integration: Scaling the architecture, introducing infrastructure-as-code tools such as Terraform or Ansible, integration into existing systems.
- Operation & monitoring: Setting up comprehensive monitoring (e.g. SIEM, APM), securing data streams, performance optimisation.
- Change management: Ongoing training, process adaptation, establishing a cloud governance culture within the company.
AI and data sovereignty – sovereign models are gaining in importance
With the advent of generative AI systems such as large language models (LLMs), many companies are faced with the challenge of reconciling these powerful technologies with their data protection and data control requirements. Many companies see the use of publicly available AI services as problematic, for example when internal documents, customer data or strategic information are involved.
Private cloud environments offer an attractive alternative here: they enable AI models to be operated locally or in a sovereign infrastructure while maintaining full control over data flows. Companies can train their own models or enrich existing LLMs with their content in a targeted manner without migrating it to public cloud platforms.
MTF: Your partner for modern cloud strategies
Hybrid and multi-cloud models are no longer purely infrastructure issues – they are an expression of modern corporate management. Those who understand the cloud as a strategic tool gain flexibility, innovative strength and resilience. But these advantages come at a price: managing distributed systems, cultural change and growing security requirements demand targeted investments in governance, architecture and employee training.
The cloud is not an operating model, but an architectural principle. And those who think of it as such will make their IT fit for the future – technologically, organisationally and ecologically.
We support you in finding and implementing the right cloud architecture for your company. From analysis and implementation to long-term operation – with a focus on data sovereignty, security and future viability.
FAQs
What is the difference between hybrid cloud and multi-cloud?
A hybrid cloud combines private and public cloud environments – for example, sensitive data in the private cloud and scalable applications in the public cloud. Multi-cloud means using several cloud providers in parallel to reduce dependencies and make optimal use of specialised services.
Why is it not enough for global cloud providers to have data centres in Switzerland?
Although international providers operate locations in Switzerland, they are often still subject to foreign law, such as the US CLOUD Act. For maximum data sovereignty, architectures are needed that ensure data is processed within clearly defined legal and geographical boundaries – for example, in a sovereign Swiss private cloud.
Which applications belong in the public cloud and which in the private cloud?
As a rule of thumb, applications with high resource requirements or low protection needs, such as web applications or AI test projects, can be operated efficiently in the public cloud. Private clouds, on the other hand, are the ideal place for business-critical, data-sensitive or highly regulated systems such as ERP software and financial data.
What are the biggest hurdles to implementing a multi-cloud strategy?
The challenges are often less technical and more organisational in nature. These include security and compliance risks due to differing standards, a lack of transparency in distributed systems, and an acute shortage of experts in cloud architecture and governance.
How can I use generative AI (such as LLMs) without compromising my data security?
Instead of using public AI services, where sensitive company data could migrate, private cloud environments offer a secure alternative. They enable AI models to be trained and operated locally or on sovereign infrastructures, so that full control over your own data flows is maintained.
Why should we rely on open source technologies?
Open source offers maximum transparency, adaptability and independence from individual providers. Especially in private cloud architectures, where security and data sovereignty are the focus, open source solutions enable individual customisation and long-term control over the infrastructure.