Unless you’ve been on a very long sabbatical, you have no doubt heard about “cloud computing” as the future of information technology.

But the conversation is quickly morphing from a discussion of “the cloud” to a potentially confusing choice between “public clouds” and “private clouds.”

Definitions of cloud computing vary, but, until recently, most centered around the concept of moving computing functionality from behind corporate firewalls onto the Internet. A computing task moved to the cloud becomes a service provided by a third party in its own data center, allowing companies to scale down their huge investments in IT hardware, software, and staff.

So the advent of the term “private cloud” may strike you as an oxymoron, because it keeps much of the IT action behind a company’s firewall — and much of the expense on its books.

But many companies, particularly large ones, are moving more avidly toward private clouds than toward public ones. (Gartner forecasts that, through 2012, the top 1,000 global corporations will spend more on building private clouds than on buying public-cloud services.) Some, in fact, may be moving that way without even realizing it.

That’s because computing clouds depend largely on the virtualization of computer servers, which are configured to serve multiple applications, and on sophisticated automation that shifts work among the servers as efficiently as possible. Companies have been adopting greater virtualization for several years. How many of them would regard this effort as building a “private cloud” is an open question.

Regardless, by tapping the full power of virtualization, companies can create an IT environment that offers many of the advantages of public clouds — fast and easy application implementation, scalability of computing capacity according to demand, pay-as-you-go pricing, and, often, lower operating costs than with traditional IT. Private clouds may also offer better data security, which is often cited as a major concern when companies contemplate a move to the public cloud (see “Safe and Sound?” at the end of this article).

But before a company can opt for any of the many forms of public-cloud computing (applications via software-as-a-service, computing capacity via infrastructure-as-a-service, or an application-development environment via platform-as-a-service) or build its own private cloud, it will have to determine which route offers the most savings. Unfortunately, in this regard many companies are flying blind.

“Most companies don’t have a good handle on their IT costs, so they can’t legitimately say whether they will save money by moving to the cloud,” said David Smith, a Gartner analyst. That applies especially to very large companies: in a report published last December, Gartner estimated that only about 10% of the CIOs at the 2,000 largest global companies truly understand their costs.

Ric Telford, vice president of cloud services for IBM, points out that CFOs have a key role in weighing the cost considerations of a move to public or private clouds. That’s because the CFO is best positioned to assess the total cost of IT, including things like real estate, power consumption, and other factors that might escape a data-center manager’s attention.

John Kogan, who headed up finance at four different technology firms before becoming CEO of Proformative, an online resource for finance professionals, agrees. “CFOs’ lives are going to be directly impacted by cloud computing,” he says, “but they don’t know much about what public and private clouds are, or how they differ.”

Telford says both types of cloud computing save money compared with a traditional IT infrastructure, with private clouds producing about 60% to 80% of the savings compared with public clouds.

But results vary widely from one company to another, and in some cases opting for a public cloud may actually cost more. In particular, companies with large numbers of highly virtualized servers may not gain anything from putting most workloads into a public cloud, where the meter would be constantly running for thousands of employees. “We have 100,000 servers, so we always have sufficient capacity,” says Diane Bryant, CIO of Intel Corp. “I have no reason to pay for a service that I have the scale to provide internally.”

Despite its vast and efficient infrastructure, however, Intel does use some public-cloud services for a handful of back-office tasks, like payroll and employee expense reporting. “But there are very few of those,” Bryant says.

At the other end of the spectrum, Asahi Kesai Spandex America, a $70 million, independently operated subsidiary of Japanese conglomerate Asahi Kesai, maintains its manufacturing and warehouse systems in-house, but relies on a public-cloud service (from NetSuite) for its ERP. “It’s a necessity given the size of our company,” says CFO David Stover. “I can’t afford to have an IT specialist whose sole function is to manage an SAP system.”

Cloud computing has huge momentum, and plenty of genuine promise. But CFOs need to lead a careful financial analysis before their companies rush to either shed infrastructure in favor of a public cloud or invest in it further with the goal of creating a private cloud (not to mention “hybrid clouds” that shift work back and forth between public and private clouds; externally managed private-cloud services; and other permutations of the cloud concept). “Don’t do it for the sake of doing it,” says IBM’s Telford. “Too many times in the history of IT, companies have heard about some new thing and jumped on the bandwagon without doing the appropriate ROI analysis.”

David McCann is senior editor for technology at CFO.

Safe and Sound?

Regardless of its cost-saving potential, cloud computing often faces an uphill battle when it comes to concerns over data security. After all, data is flowing over a public network. While cloud firms can get a SAS 70 certification for their transaction-processing controls, there are not yet any widely accepted standards specifically for certifying cloud-computing security. Still, a recent report from Deloitte found that, “generally, the level of computer security, data-privacy practices, and expertise of major cloud-service providers are likely to be greater than those provided by an in-house IT staff and systems.”

“Everybody in the cloud business is working on hardening security,” says Brian Ott, vice president of the worldwide cloud program at Unisys. “Within two years, I believe it will no longer be the number-one issue making people hesitate to go into a public cloud.”

Cloud computing also poses a different sort of data-security risk: the chance that your data may be hard to move should you switch providers. Deloitte cautions cloud users about the danger of “lock-in,” that is, having your data managed in an operating system and associated architecture that inhibits portability. Intel CIO Diana Bryant agrees. “Providers will make it very easy for you to develop and run applications in their clouds,” she says, “but it may be very expensive to port it into a different one, and they know it. The last thing you want is to have no choice.” — D.M.