What’s more secure? A cloud-based or on-prem document management system?


It’s a question that gets asked a lot in our industry. 


So, I invited Mark Richman, Principal Product Manager at iManage, on to the show for a wide-ranging discussion on the topic.


In this episode, we discuss:

  • Why a SaaS-based document management system is more secure than on-prem
  • Implementing compensating controls to mitigate potential damages
  • iManage’s customer-managed encryption keys and threat manager
  • What a cloud provider should be doing from a security perspective

SaaS-based document management is more secure


When deciding on a document management system, ease of use is a major driver. The trick is to make the system easy to use and simultaneously as secure as possible.


SaaS solution providers accommodate for the security aspect in their development roadmaps because it’s a serious competitive advantage that can feed their sales pipelines.


While on-prem implementation may receive maintenance and upgrades, it will likely also cost more over time, compared with the subscription fee for a SaaS solution. In a zero-trust environment, you need to prepare for the worst all the time. Maintenance intervals may be too far and few between, to adequately protect against malicious attacks.

“A cloud solution is, generally speaking, going to be more secure than an on-prem solution.” — Mark Richman

Controls and contingency: mitigate document management risk


Choosing a cloud-based system doesn’t mean that you can sit back and relax.


Mark’s team takes a shared responsibility approach:

  • Clients want solution providers to take on more of the risk management work.
  • The shared goal is to increase the likelihood that attacks will be completely prevented (rather than requiring remedies).
  • Although clients are responsible for the data they input, iManage continues to think of ways to support customers in managing data responsibly.
  • Accounts, devices and identities are all covered.


In a SaaS context, the architecture and product levels should provide security confidence. It’s possible to use automation and several smart tools to reduce dependency on human input and maintain security policies. Features can be developed, but it’s down to the user to apply them operationally.


Here are some examples of what providers can offer, but not control, in terms of additional solution security:

  • 2FA
  • Minimum password strength requirements
  • Segmented user permissions


By exploring and then extending control opportunities to customers, iManage actively prevents both intentional and unintentional disasters.


Encryption and threats: iManage enables customer control

Customer-managed encryption keys


All of the data that a customer houses in iManage’s system is encrypted by default. It’s an extremely strong encryption foundation, but Mark also recognizes that overconfidence brings risk.


To ensure that even iManage doesn’t present a breach risk, customers are empowered with additional control over their respective encryption keys. This prevents iManage from accessing the encryption key. The system can still use the keys to encrypt and decrypt data but can’t access it, so customers could revoke the keys independently at any time.


The caveat with this is that there’s little iManage can do to assist a customer who has opted for this control but has misplaced or lost access to their own encryption keys. As the saying goes, with great power comes great responsibility.

“Customers are increasingly looking to shift more of that shared responsibility to the cloud vendor who has expertise.” — Mark Richman


Threat analytics and management


When it comes to threat management, Mark mentions the importance of educating the customer. Even the most comprehensive solutions can be used incorrectly. Consistent communication and support therefore become critical.


With any feature that a customer decides to use or not use, there is a clear explanation of the parameters that come with it.


Additionally, usage data is processed through AI and ML to help detect anomalies and suspicious behavior. An example of this might be that, despite the system prompts, a user selects the bare minimum password strength. If an attacker bypasses that and suddenly begins to download masses of data, the system is able to detect this usage anomaly and send out alerts about it.


Cloud providers and security


Most organizations work on assumption when it comes to security, which is where risk really begins.


Mark’s team thinks of all the angles:

  • Content security during storage and transit
  • Security-first application and device usage and management
  • Appropriate system configuration
  • Data backups as risk vectors


Here’s Mark’s advice for cloud providers when it comes to security:

  • Try to take a security-first approach to everything that you do.
  • Update solution architecture in line with changing market dynamics and demands.
  • Maintain awareness of, and accommodate for, constantly developing threats.
  • Embrace attestations, accreditation and certification audits as you build your compliance- and security-related reputation.
  • Run practice rounds and threat simulations to stay on top of response and containment protocols.


“It’s about building a smart architecture, validating that with a bunch of certifications and attestations, and then also, practicing in real time to ensure that the day when that threat does come, that you’re well-prepared to handle it in real time.” — Mark Richman


To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.