When an organization is ready to deploy a new solution or build a new system, there is often an ongoing debate about the relative merits of using the cloud versus deploying on-premises. A number of factors play into this decision, and it is not always clear which option is better for security and compliance. The decision is rarely clear-cut because the security and compliance picture changes quickly once you move between shared and dedicated environments.
If you have ever gone camping, you may reflect on this analogy: You have the gear to go camping, but the best place to set up the tent is dependent on the terrain. For instance, you need to set up somewhere where the ground is firm and where the water will not gather under your tent. Similarly, when you want to set up your new system, the best location is where you can address security and compliance in the best manner.
Cloud service providers have worked diligently to improve security, obtain compliance certifications, and offer some excellent security features native to the environments they sell to customers. Yet many IT and security departments would rather keep their most important data or systems in-house, on-premises, than move them to the cloud. They point to breaches reported in cloud-hosted systems, and to the “gut feeling” that something under their direct control must be better secured than something outsourced. But is that true?
The IT industry overall has been increasingly satisfied with the cloud – and certainly the growing use of cloud services seems to point that way. But is the wisdom of the crowd really the right methodology? The answer is to stay logical about risk assessment and ensure that you know how and when to use cloud or on-premises solutions.
The Logic of the On-Premises Solution
The traditional on-premises (on-prem) solution is not merely the installation and operation of a system using in-house resources. Any new on-prem system becomes part of the unique ecosystem of your organization’s interconnected systems. Part of that ecosystem is a set of specific requirements that has shaped an existing culture and capability around security controls. The organizations that have the most difficulty deciding whether to use the cloud are often those with a history of coming up with solutions their own way – and with some success.
How to Evaluate On-Prem
To evaluate the value of your on-prem option, it is worth examining two challenging topics: 1) the current status of internal security controls relative to the security and compliance requirements, and 2) the exact nature of the new project or issue that raises the on-prem question.
The first issue requires a hard look in the mirror to honestly assess existing on-prem systems and capabilities and match them to the requirements of the new system. You may find that internal controls are designed for your specific security and compliance requirements, and that it would be costly or complex to re-establish those controls in a cloud environment. This is often the case with large organizations that run a complex, custom data processing environment (seen often in government and research organizations).
But a self-assessment may uncover severe weaknesses or limitations in existing on-prem capabilities. It is not uncommon, even in organizations with significant resources, to find limitations that will cause new security or compliance problems (e.g., no room to grow, no more engineers to administer a new system, or old or inappropriate software, security protocols, or systems). And for the many organizations that now find they must meet security compliance programs (e.g., GDPR, HIPAA, ISO), the question is often how to meet every control in the mandatory framework; items like physical security, encryption, and advanced networking are hard to do well and can be resource intensive. Clarifying requirements will help you make the logical choice.
For the second issue, it is essential to examine the nature of your technical situation. It is not unusual for a new technical project to kick off the on-prem vs. cloud discussion. Examine that project for its technical and security requirements, and for how closely they match what the existing on-prem environment provides. If, for instance, the new project will tie into legacy systems already hosted on-prem, then hosting the project on-prem may allow engineers and architects to use tools and systems they already understand and to work behind existing firewalls, with solid security systems in place.
In this example, hosting within an existing, mature, and secure on-prem environment may pay off in shorter development time, because the engineering teams can focus on the new functionality rather than on integrating a system into a new environment. But for a system that 1) uses new technology, 2) introduces new security or compliance requirements, or 3) requires resources different from those typically hosted on-prem, the answer may be to use the cloud and offload some of those requirements to the cloud provider.
The Logic of the Cloud Solution
The cloud is, by definition, an extensible service solution: a flexible extension of the traditional data processing environment that provides data processing, storage, or an entire processing environment on demand. But this is just the formal definition. The actual business of cloud providers has expanded as customer demand has exploded across the marketplace.
The cloud, for many, means a more specific solution: for instance, a way to deploy enterprise software (e.g., MS Office); a rapid and secure means to supply network and back-office services (preconfigured database servers, network load balancers, firewalls, and redundant systems); or an almost endless number of hosted software offerings.
The question is how to steer your organization to take advantage of the cloud and all its possibilities. The answer is to match your requirements to a specific cloud service that meets them. Take the example of an organization with a new development project. Finding a provider that can host infrastructure as a service (IaaS) may shorten development time by outsourcing the development network and development tools. Alternatively, a project to host a new service, function, or capability in the cloud may let you take advantage of technology or security protections that the on-prem solution does not have.
This can be particularly helpful if your organization must suddenly meet a compliance requirement that it is not equipped to handle (e.g., PCI protection of cardholder data, or HIPAA PII/privacy encryption solutions). Specific security and compliance requirements should produce a shortlist of cloud providers that can work for you. Work with each cloud provider to understand whether its solution will meet those requirements. In these cases, running demos, beta testing, and rollout are largely outsourced to the cloud as well.
How to Determine if the Cloud is Right
Selecting a cloud provider is not always easy. If you cannot find an existing, well-defined path to a secure solution, you may need to weigh the amount of integration work required against finding the “right” cloud provider. As with any significant IT project, it is advisable to apply strong project management controls to clarify requirements and ensure success. It sometimes surprises organizations that they still need skilled engineering support and security personnel to make integration projects work.
Companies should take particular care with security fundamentals. These include integrated access and authentication mechanisms, vendor and supply-chain verification and analysis, testing of continuity and disaster recovery processes, documented standard operating procedures, and the training and engagement of internal support staff.
One significant advantage of using the cloud should be that the cloud vendor is already assessed and certified to meet its obligations under regulations and standards. This sounds good, but understand that while you can inherit cloud controls, your firm remains responsible for the security and compliance of your system. Make certain that you not only receive the cloud vendor’s attestation reports (e.g., a SOC 2 or other attestation) but also read them, so that you understand where the vendor’s controls will not be sufficient for your compliance obligations.
A good decision support tool is to make compliance requirements part of the decision process. Use the compliance framework as a feature checklist to ensure you get full coverage. Depending on the framework, this might mean that the cloud environment covers 60% of the controls and the other 40% remain internal to your firm. That is, while a cloud vendor’s certified controls can be combined with your own, it is still a system you own – and are ultimately responsible for.
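As an added illustration (not code from the original article), the control-inheritance check the last two paragraphs describe, written out in Python: each control in a framework checklist is tagged by who owns it, the vendor's attestation report is reduced to the set of control identifiers it actually covers, and the script reports what can be inherited outright, what remains the customer's to implement or operate, and where an expected inheritance is not backed by the attestation at all. The control identifiers, titles, and attestation coverage below are constructed sample data, not taken from any real framework or vendor report.

```python
"""Control-inheritance gap analysis for a cloud vs. on-prem decision.

Added illustration, not from the original article. Given a compliance
framework's control list and what a provider's attestation report says it
covers, work out which controls the customer still owns. Control names and
the attestation coverage below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum


class Owner(Enum):
    PROVIDER = "provider"   # fully inherited from the cloud vendor's attestation
    SHARED = "shared"       # vendor supplies the capability; customer must configure and operate it
    CUSTOMER = "customer"   # entirely the customer's obligation


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    owner: Owner


# Constructed sample: controls of the kind the article mentions (physical security,
# networking, encryption, access/authentication, supply chain, DR testing, SOPs, training).
FRAMEWORK_CONTROLS = [
    Control("PHY-1", "Physical access to data centre", Owner.PROVIDER),
    Control("PHY-2", "Environmental controls (power, cooling, fire)", Owner.PROVIDER),
    Control("NET-1", "Network segmentation and firewalling", Owner.SHARED),
    Control("CRY-1", "Encryption of data at rest", Owner.SHARED),
    Control("IAM-1", "Integrated access and authentication", Owner.CUSTOMER),
    Control("SCM-1", "Vendor / supply-chain verification", Owner.CUSTOMER),
    Control("BCP-1", "Continuity and disaster-recovery testing", Owner.SHARED),
    Control("OPS-1", "Documented standard operating procedures", Owner.CUSTOMER),
    Control("TRN-1", "Staff security training", Owner.CUSTOMER),
]

# Constructed sample: the control ids the vendor's attestation report actually lists as
# tested and effective. CRY-1 is deliberately absent, to show an unfounded inheritance.
ATTESTED_BY_PROVIDER = {"PHY-1", "PHY-2", "NET-1", "BCP-1"}


def gap_analysis(controls, attested):
    """Return (inherited, customer_owned, unsupported).

    inherited: controls the customer may inherit outright (provider-owned and attested).
    customer_owned: controls the customer must still implement or operate: every
      customer-owned control, every shared control, and any provider-owned control
      the attestation does not actually cover.
    unsupported: provider or shared controls the vendor was expected to cover but
      the attestation does not mention, so inheriting them would be unfounded.
    """
    inherited, customer_owned, unsupported = [], [], []
    for c in controls:
        if c.owner is Owner.PROVIDER and c.control_id in attested:
            inherited.append(c.control_id)
        else:
            customer_owned.append(c.control_id)
            if c.owner in (Owner.PROVIDER, Owner.SHARED) and c.control_id not in attested:
                unsupported.append(c.control_id)
    return inherited, customer_owned, unsupported


def coverage_percent(controls, attested):
    """Share of controls fully inherited from the provider, as a whole percentage."""
    inherited, _, _ = gap_analysis(controls, attested)
    return round(100 * len(inherited) / len(controls))


if __name__ == "__main__":
    inh, own, unsup = gap_analysis(FRAMEWORK_CONTROLS, ATTESTED_BY_PROVIDER)
    print(f"inherited from provider : {inh}")
    print(f"still customer-owned    : {own}")
    print(f"attestation gap         : {unsup}")
    print(f"inherited coverage      : {coverage_percent(FRAMEWORK_CONTROLS, ATTESTED_BY_PROVIDER)}%")
```

The point of the third list is the one the article makes about reading the report rather than filing it: a shared control such as encryption at rest only counts as inherited once the vendor's attestation actually tests it, and until then it sits in the customer's 40%, not the vendor's 60%.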
Approaching the question of cloud vs. on-prem deployment is really an opportunity to examine company systems and assess where they are best deployed. As discussed, there are scenarios where deploying on-prem continues to make sense based on the controls and unique circumstances of the organization. Those that examine their environments and choose to deploy in the cloud should be careful to continue following good project management practices and to plan for the resources needed to integrate smoothly.
The cost of IT systems procurement, design and engineering, operations, and maintenance is only part of the picture in today’s environment. Your clients or regulations may compel your system to meet high levels of security protection and compliance standards. Depending on the information you process or maintain, it is not unusual for privacy and security regulations to affect both sales and operations. These topics should be part of any decision about your IT projects and whether to use cloud or on-premises solutions.