December 3, 2021

Last Updated on January 18, 2024

As security consultants, we’re often asked: all things considered, which are more secure, cloud-based or on-premises solutions?

To talk about leading-edge SaaS security in general and document management system (DMS) security in particular, we invited Mark Richman, Principal Product Manager at iManage, to join a recent episode of The Virtual CISO Podcast. Hosting the show as usual is John Verry, Pivot Point Security CISO and Managing Partner.

Balancing ease of configuration with security

As Mark points out, on-prem software vendors are incented to simplify the installation and configuration process, which can weaken security.

“In general, I would say a SaaS-based solution is going to be more secure than an on-prem solution,” Mark offers. “I think there’s a couple of reasons for that. When you’re trying to deliver an on-premises solution, one of the chief things you’re keeping in mind is making it easy to deploy and configure for the person you’re handing it over to.”

“In some cases, there’s a tension there between making it easy to deploy, install and configure and making it as secure as possible,” continues Mark. “And, certainly, the SaaS vendor is incented to try to keep the content on the platform as secure as possible. It has already sunk the cost into the setup and configuration in that architecture.”

“So, the SaaS cloud platform vendor can really make the necessary investments into that architecture, and get their deployment pipelines and so forth set up in such a way that it’s as secure as possible.”

Embracing Zero Trust

Starting with a different “trust model”—specifically Zero Trust—can also help SaaS providers achieve a level of security that is very difficult for on-prem environments to match.

Most on-prem software providers logically assume that their customers have traditional security models where what’s inside the firewall is largely trusted, whereas SaaS vendors like iManage are moving towards Zero Trust architectures, which assume that, as John puts it, “You are living amongst your enemies and you’re constantly under attack. The whole philosophy by which you develop the software is radically different at that point.”

“It depends.”

In each specific environment, security is as security does.

“Certainly an on-premise person can invest the time and energy into making something really secure,” Mark observes. “And, certainly, a cloud vendor can not put the time and effort into making something secure. But on balance I would say that a cloud solution is generally speaking going to be more secure than an on-prem solution.”

So, bottom line, is cloud more secure than on-prem? It depends. But if you pick the right SaaS vendor, you’re in a position to have a more secure solution overall—assuming you’re taking an appropriate level of responsibility for security on your end. If not, then you’re still vulnerable no matter what your vendor does.

What’s Next?

To listen to the full episode with Mark Richman from iManage, click here: LINK

For more tips on evaluating a cloud vendor’s security posture, check out this podcast with SaaS security advisor Ryan Buckley: https://pivotpointsecurity.com/podcasts/ep33-ryan-buckley-the-secrets-to-keeping-your-saas-secure/
