Companies nowadays find themselves in a predicament: Digital markets demand ever faster innovation cycles, shorter time-to-market phases, and flexible scalability, while companies face great pressure to adhere to compliance requirements and not abandon existing IT infrastructures overnight.
As we have described in the first article of our cloud blog series, this poses a dilemma for many companies and organizations. For them, a black-and-white decision for or against the cloud is not a satisfactory option if they want to keep control over sensitive data while also leveraging such innovations as AI.
The hybrid cloud has established itself as a way out of this predicament. It can be considered a bridge between the agile world of the public cloud and the secure infrastructure of the private cloud, or traditional data center. Unlike pure public clouds, hybrid clouds allow companies to keep certain systems, data, or applications completely under their own control without having to forego modern cloud functionalities.
The concept is not new, but only through more sophisticated tools for data integration, hybrid networks, and security solutions has the hybrid cloud become truly manageable – and increasingly business-relevant.
The use of terms around «hybrid», «multi-cloud», and «private cloud» is often imprecise. But the hybrid cloud can be clearly defined by its functional integration: A hybrid IT infrastructure combines at least one private cloud component with a public cloud platform such as AWS, Azure from Microsoft, or Google Cloud to create an integrated solution.
Instead of radically shifting all processes to the cloud, more and more companies are connecting their own data centers to external hyperscaler platforms. The key advantage here is the ability to move workloads and data dynamically between environments: For example, the data storage remains at home, while computing power is added from the cloud whenever required. This is not only a technical but also a strategic connection. It allows for a flexible distribution of resources while always staying in control.
This connection is why the hybrid cloud is a strategic enabler for many companies, especially for those in regulated industries.
What sounds like IT fine-tuning is actually a foundation of the current age of IT. With a hybrid cloud, companies can do both: preserve the old and use the new. It is a silent mediator between legacy systems and the digital future.
The hybrid cloud has proven itself in practice as a strategic tool for very specific challenges. If you want to use data efficiently but also protect sensitive information, you rely on an architecture that allows both: control and scalability. A look at four key sectors in Switzerland shows how differently the hybrid approach is used and how tangible its impact is.
In the manufacturing industry, everything is about the pace of production (Industry 4.0 approaches). Companies employ sensors in their machines to measure temperature, vibration, and pressure in real time. This data first flows into the local infrastructure, providing it to system control with as little latency as possible. Only for further (and resource-hungry) analysis is it mirrored in the cloud. There, AI calculates when the next bearing defect or loss of lubricant can be expected – long before the machine actually breaks down.
For several years now, the University Hospital Basel has been using a solution that stores sensitive patient data locally and protects it in an on-premises system with a Scality RING architecture. This architecture is a highly scalable, software-based storage solution that has been specially developed for object and file-based data and is suitable for cloud, backup, archiving, and media-intensive applications.
At the same time, imaging processes, such as the evaluation of X-ray and MRI images, run via a cloud-based AI. The scalable computing power speeds up diagnosis, while the hospital retains complete sovereignty over the data. This is an important point in an industry that is subject to strict data protection and documentation obligations.
The Federal Office of Information Technology, Systems, and Telecommunication (FOITT) is currently in the process of developing the Swiss Government Cloud. This is a hybrid cloud strategy that will be introduced in stages until 2032. The aim is to relocate cantonal and communal services, such as e-government platforms or appointment scheduling systems, to the public cloud if required, while retaining control over personal data. These are to remain on private servers within the federal infrastructure. The concept not only offers flexibility, but also meets the high requirements for IT sovereignty that are essential in the government context.
In the financial sector, it is the regulatory framework that makes the difference – combined with a growing need for a digital customer experience. While critical data – such as account information, proofs of identity, and credit agreements – remains strictly within protected private cloud environments, new services such as budget planning, portfolio analysis, and digital communications are realized in the public cloud. This allows banks to respond to new customer expectations without violating FINMA or GDPR regulations.
What all these examples have in common is their diversity. This is because the hybrid cloud does not follow a fixed model – it is based on the reality of each industry. In manufacturing, it guarantees stable control and predictive maintenance; in healthcare, it ensures data exchange with maximum computing power. The administration uses it to distribute resources efficiently without giving up control. And the financial sector benefits from an architecture that reconciles innovation and regulation. This turns a technical concept into a differentiated strategy – and theory into tangible everyday life.
The hybrid cloud is considered the strategic IT model of the future – flexible, secure, and expandable. However, it is not the right path for everyone. Especially when simplicity, speed, or scarce resources are at the center of attention, it can quickly become overwhelming.
Start-ups are a typical example of this. Anyone starting out without technical legacy issues generally relies on cloud-native systems – and for good reason. Instead of dealing with complex integrations or governance structures, speed and scalability are what count here. The focus is on rapid market entry, not on lengthy infrastructure maintenance.
Small companies with a limited IT budget or lacking their own specialist department are often better off with simpler models. Standardized Software-as-a-Service (SaaS) solutions – for accounting, warehouse management, or communication, for example – are not only cheaper in such cases, but also require less maintenance. Eurostat confirms: Over 40% of small enterprises in the EU today rely on cloud services, which predominantly are operated as completely outsourced solutions.
Organizations operating in remote regions or emerging countries may quickly reach the technical limits of hybrid architectures. A lack of fiber optic connections, unstable networks, or poor latency often make reliable coupling between local infrastructure and cloud services simply impossible. In such cases, an on-premises infrastructure is preferable.
The idea that you can simply combine two worlds and thus get the best out of both is deceptive. In reality, the hybrid cloud requires a high degree of discipline and expertise: If you don't know exactly how systems talk to each other, where sensitive transitions take place, or which data is allowed where, you risk more than just performance problems. Security gaps, cost explosions, or legal conflicts may be the result.
Accordingly, technical integration alone is not enough. Coordinated processes, roles, and control mechanisms are just as crucial, especially in the case of hybrid architectures, which must function seamlessly but also transparently.
And then there are the costs. What promises savings with good planning can become a bottomless pit with unclear control. This is because cloud providers do not calculate in monthly charges, but in milliseconds and gigabytes. Those who don't measure what they're using will quickly pay too much and only realize it when it's too late.
As Daniel Hogg, Head of Architecture at Adnovum, puts it succinctly:
«The hybrid cloud transforms technical diversity into an operational complexity that can only be mastered through clear processes for monitoring, cost control, and governance.» Daniel Hogg
Our architecture expert Daniel Hogg, Head of Architecture, emphasizes that the success of a hybrid cloud architecture rarely depends on the technologies used; more important is the way in which on-premises systems are integrated with public and/or private cloud resources. The top priority should be planning a standardized, secure, and resilient architecture to avoid ending up in the long term with a patchwork of poorly coordinated services suffering from performance bottlenecks and security gaps.
Our experience from various client projects in regulated industries shows that properly planned hybrid architectures can increase the performance of an organization, provided attention is paid to the following pitfalls when setting them up:
On the network side, a hybrid environment is a cycle from an on-premises environment (on-prem) to the cloud and back again. An incorrectly configured or undersized connection can lead to latency peaks, unpredictable throughput, or even complete failures. If all connections only run via public networks, for example, an interruption of the internet connection between on-prem and the cloud will inevitably lead to a system failure with potentially negative consequences in terms of customer satisfaction and sales. One recommendation is to use, on the one hand, a cost-effective VPN for short-term, less critical connections (e.g., test and development environments) and applications with low bandwidth requirements and time-uncritical data transmission; and, on the other, a private dedicated connection for highly available and high-performance applications that require guaranteed bandwidth (e.g., real-time transaction systems in the financial sector).
Pitfalls:
Recommendations:
Security should never be optional and must be integrated into any architecture from the very beginning. This holds especially true for hybrid cloud infrastructures, where different security mechanisms and standards come together, posing an increased compliance risk.
For example, different identity systems in the cloud and on-prem can mean that changes have to be adjusted and synchronized constantly. When employees change roles in one system, this must be promptly reflected in the other system to adhere to the principle of least privilege and meet legal requirements. Centralized control over access rights management can minimize this complexity and thus the risk of inadvertent unauthorized access.
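The role-change problem described above can be checked mechanically by reconciling the two identity sources. The following is an added example, not code from the article or from Adnovum: the role mapping, user records, and the 24-hour synchronization SLA are all constructed assumptions, with the on-prem directory treated as the source of truth.

```python
from datetime import datetime, timedelta

# Constructed mapping: which cloud roles each on-prem job role may hold.
ROLE_MAP = {
    "teller": {"crm-read"},
    "analyst": {"crm-read", "dwh-query"},
    "dba": {"dwh-query", "db-admin"},
}

# Constructed on-prem directory export (assumed source of truth).
ONPREM = {
    "alice": {"role": "analyst", "active": True, "changed": datetime(2025, 3, 1, 9, 0)},
    "bob": {"role": "teller", "active": True, "changed": datetime(2025, 3, 3, 14, 0)},
    "carol": {"role": "dba", "active": False, "changed": datetime(2025, 2, 20, 8, 0)},
}

# Constructed cloud IAM export: user -> currently assigned cloud roles.
CLOUD = {
    "alice": {"crm-read", "dwh-query"},
    "bob": {"crm-read", "db-admin"},  # kept db-admin after moving from dba to teller
    "carol": {"db-admin"},            # disabled on-prem, still privileged in the cloud
    "dave": {"crm-read"},             # no on-prem identity at all
}

def find_drift(onprem, cloud, role_map, now, sla=timedelta(hours=24)):
    """Return findings where cloud access exceeds what the on-prem record allows."""
    findings = []
    for user, granted in sorted(cloud.items()):
        record = onprem.get(user)
        if record is None:
            findings.append({"user": user, "issue": "orphaned",
                             "revoke": sorted(granted), "overdue": True})
            continue
        # Disabled users and unmapped roles are allowed nothing (fail closed).
        allowed = role_map.get(record["role"], set()) if record["active"] else set()
        excess = granted - allowed
        if excess:
            findings.append({
                "user": user,
                "issue": "excess" if record["active"] else "disabled",
                "revoke": sorted(excess),
                # Overdue when the on-prem change is older than the sync SLA.
                "overdue": now - record["changed"] > sla,
            })
    return findings

if __name__ == "__main__":
    for finding in find_drift(ONPREM, CLOUD, ROLE_MAP, now=datetime(2025, 3, 4, 10, 0)):
        print(finding)
```

Run on a schedule against real exports, the `overdue` flag separates drift that is still inside the synchronization window from drift that has outlived it and needs escalation.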
Pitfalls:
Recommendations:
A hybrid approach increases the complexity of the resilience strategy many times over, as various sources of failure must be considered for outage scenarios. For example, if customer data is stored exclusively in the on-premises data center, an automatic failover with a second location and/or in the cloud should be set up to avoid long-term service interruptions in the event of a power failure.
Pitfalls:
Recommendations:
Capacity issues can occur both in the cloud and on-prem, with on-prem scaling needing to be aligned with that in the cloud. For example, workloads in the cloud can easily handle sudden load peaks through auto-scaling, while on-prem databases and application servers may not be able to process the data fast enough, resulting in long response times and timeouts. Appropriate capacity planning with an identification of the slowest elements is therefore important in order to avoid bottlenecks.
Pitfalls:
Recommendations:
Without a unified view of workloads and their dependencies, the hybrid cloud can quickly become a blind spot when different management and monitoring systems are in use. In such circumstances, a failure of critical components is often noticed too late, making troubleshooting much longer.
Pitfalls:
Recommendations:
Conclusion
The hybrid promise of «flexibility without loss of control» can only be fulfilled through disciplined planning in the areas of connectivity, security, resilience, capacity, and monitoring.
Standardization and consistency play an important role here, as they facilitate automation and minimize sources of error. Breaks in architecture or processes, on the other hand, create «patchworks» with higher operational effort, security gaps, and unpredictable performance. The architectural principle of loose coupling also helps to ensure resilience, provided each environment (cloud and on-prem) can continue to operate in a limited but functional mode if the other fails.
For regulated industries, attention must also be paid to compliance. Here, trust through traceability is achieved with centrally controlled identities, seamless encryption with controlled keys, private connectivity, routine disaster/recovery tests, retention and backup proofs, as well as central monitoring and alerting for the entire hybrid environment.
A hybrid infrastructure offers the flexibility to deploy resources where they fit best. However, a hybrid architecture shifts the security and data protection challenges to an interplay of at least two different environments.
In the local infrastructure, classic security mechanisms and processes come into play, while the public cloud gives rise to new issues, e.g., tenant isolation, rights management in the cloud, API security, data encryption, and many more.
This typically means greater complexity, which, as we know, is already a security risk in itself.
When operating two or more heterogeneous environments, there can be unpleasant consequences: Unclear responsibilities, data localization issues, lacking interoperability at, for example, the encryption and rights management levels, lacking visibility of the various systems, decentralized log management, and, last but not least, a dearth of specialists who are familiar with both on-premises and modern cloud security systems.
Avoiding these pitfalls requires not only clear technological architecture planning but also strong security governance in general and from the outset: Thoroughly examined business processes, clear documentation, clear roles and responsibilities, new contractual arrangements with cloud providers and also with other outsourcing partners, an understanding of the shared responsibility model and, finally, carefully considered incident response processes. The goal must be a security administration that is as homogeneous as possible.
Security and data protection processes such as encryption, key management, IAM processes, endpoint security, log analysis (SIEM/SOAR), data minimization, and consent management must be seamlessly integrated into both environments wherever possible and be managed centrally.
Where possible, automation must be used to minimize the risk of manual errors. Such topics as asset and configuration management, as well as log management and analysis, have been giving companies headaches for years. Here, cloud environments offer very attractive opportunities. By putting APIs into play, servers, load balancers, and other systems can be configured securely, set up homogeneously, and monitored automatically. Many principles of cloud automation are now also usable on-premises with the help of modern automation and orchestration tools (e.g., Terraform).
Above all, employees need practical experience with cloud migrations and in managing hybrid environments. Specifically, this means experience in cloud architecture and with relevant tools (e.g., IaC – Terraform, Pulumi), in security engineering (IAM, zero trust, KMS, SIEM), and network engineering (SD-WAN, VPN, subnetting, segmentation), as well as in governance, risk, and compliance. Certain certifications are also interesting, and certain vendor certificates very much so, especially in the area of hyperscalers. Finally, the area of data protection should not be neglected either, a topic that goes far beyond technical boundaries into fine business process-related and legal details.
A hybrid infrastructure offers the flexibility to organize operations in a future-proof way. To ensure security and data protection, a clear architecture, strong security controls, and a robust and transparent approach to data protection must be established from the start. Of particular importance are automation and the centralization of security controls that are seamlessly integrated into all environments.
You can buy servers, scale infrastructure, license software. But the hybrid cloud is more than that – it's not a commodity, it's a choice. A strategic approach that cannot be measured in lines of code or budget items. Companies that choose this path are not opting for a specific technology – but for a new way of dealing with responsibility, risk, and change.
Because the hybrid cloud requires nothing less than a change of perspective. Those who use it do not simply relinquish control but consciously distribute it. Between internal and external. Between what must remain in-house and what can be safely outsourced.
This requires trust – in your own IT, in established processes, but also in partners and platforms that are outside your direct sphere of influence. It is a balancing act that requires both planning and courage: Which systems shall remain? Which data can go where? Where does flexibility begin and where does security end?
Whoever dares this balancing act wins. Not overnight, not at the click of a mouse. But step by step – with every project, every use case, every improvement. The hybrid cloud is not a goal but a tool. But one that gives companies exactly what they need in a constantly changing market: room to maneuver.
The freedom to grow without losing control. The opportunity to innovate without becoming alienated from your core. In the end, it is an attitude: to create rather than manage, to integrate rather than isolate.
Those who are ready to rethink responsibility will turn IT into a strategic backbone, not a defensive bulwark. This is exactly what the hybrid cloud is for.
In the upcoming final part of the 2025 blog series, we will take a look at the multi-cloud as an IT strategy.