What Does It Take to Manage an On-Premise vs Cloud Data Security Product?
In this article, explore the major differences between an on-premise and a cloud data security product.
Before we ponder this question, let’s first understand the major differences between an on-premise and a cloud data security product. With an on-premise data security product, the management console runs on the enterprise customer’s premises, whereas a cloud data security product is hosted by the security vendor in the cloud. Security vendors aid customers by providing clear guidance on installing and maintaining an on-premise solution, but customers are responsible for the hardware, OS, and product configuration that protect against threats and sensitive data leaks. Cloud solutions are managed by the security vendor, and enterprise customers must configure the product to meet their needs.
You might ask, "Why would an enterprise customer take on the burden of managing the installation and maintenance of the product, given that configuring it and making it work already poses a significant toll on them?" Great question! Not all enterprise customers are comfortable having their data stored in the cloud alongside other customers' data (typically, this happens in a multi-tenant cloud deployment). You might wonder why they don't opt for a private cloud. Of course, they can opt for a private cloud; nevertheless, the data is not entirely under their control, because the security vendor manages the account and the data.
Next, let’s look at the data retained in a security product, which customers are often concerned about. An enterprise data security product contains all the policies and incidents. All the security policies about an organization, which include sensitive data, are stored in the security product. When configuring a security policy, specifically data leak prevention policies, the customer must provide the sensitive data they need to protect, since the product itself cannot determine which data is sensitive to that customer. Sensitive data could include a complete set of sensitive documents so the security product can index and learn from the data to protect similar documents in the field.
Additionally, incidents contain super-sensitive content. A security incident is created only when a threat, data breach, or suspicious activity is detected in the organization, whether the data is in transit or at rest, or is found with unexpected access permissions. Hence, a security incident typically contains the sensitive data in question, which makes incident storage a prime target for attackers: it inherently holds the sensitive details of every past incident.
You might ask why a customer would retain sensitive security incidents rather than removing them immediately after inspection and investigation to reduce the exposure window. First, the inspection and investigation process could take weeks to months. Additionally, for compliance and regulatory reasons, customers are often required to retain their past security incidents for at least a year. Some financial organizations are required by regulation to keep them for seven years.
Returning to our original question, now you know why some customers prefer to manage the solution on their premises rather than in the cloud. Although the management console and the storage of policies and incidents are on-premise, the solution can interact with other modules and agents in the cloud to protect data. Nowadays, all customers use cloud applications for their business in one way or another. Therefore, an on-premise solution doesn’t mean it can’t protect cloud data or the data of a remote employee who might be located in a different part of the world from the installation data center.
Management of a Cloud Data Security Solution
Management of a cloud data security solution is simpler compared to an on-premise solution. The security vendor typically manages product installations, upgrades, and service disruptions. They also offer guarantees for storage management and account isolation. As cloud solution developers, you have more freedom and control, allowing you to roll out updates as needed and revert software in case of vulnerabilities. Cloud platforms like Azure, Amazon, or Google provide auto-scaling microservices, proxies, and load balancers, making it easier for security vendors to manage solutions. The primary guarantee required is the ethical use of customer data and the prevention of cross-contamination between customers, as this would violate the basic premise of why an enterprise customer needs a security solution.
What is the role of the customer in a cloud solution? Let’s dig deeper. Customers using a cloud solution should first configure all enforcement points. For instance, if their organization uses Box and Google Cloud for document storage and Gmail for corporate email, they need to configure these administrator accounts on the data security product so that it has the right credentials to scan the data. They must also ensure all email traffic passes through the data security product so it can be scanned for threats and sensitive data.
Similarly, other enforcement points, like employee laptops, must be configured. Once all enforcement points are covered, the next step is to define security policies to enforce the rules. Security policies targeted at the enforcement points produce security incidents, which need to be remediated, either automatically or manually. Customers are expected to set incident remediation and closure steps on the cloud product. Reporting, analytics, and other features help customers assess the entire organization’s threat level and security posture.
In certain cases, a cloud solution might involve some on-premise components, like satellite servers, to protect on-premise elements. In those instances, customers are expected to maintain the components hosted on their premises, whereas the security vendor manages the cloud components. A hybrid solution can have most components in the cloud and some on-premise, or vice versa.
As a concluding remark on managing a cloud solution, all business integrations and workflows for a customer should happen in the cloud. Developers must account for such integrations and customers' other non-functional requirements like scale and performance.
Management of an On-Premise Data Security Solution
Customers must first procure the necessary hardware and all associated software required to install the on-premise solution in their environment. Once hardware meeting the specifications is in place and the dependency software is installed on a recommended OS platform, customers can proceed with installing the on-premise solution. Typically, all management solutions for a security product require a database to store data. Customers must ensure that encryption policies are appropriately set and that all communication between the various components of the security product is secured.
Next, similar to a cloud solution setup, enforcement points need to be addressed. Enforcement points can be located on-premises or in the cloud. If they are in the cloud, the customer must work with the security vendor to set up the appropriate cloud components to communicate with the management console. If they are on-premises, the customer installs the components themselves, such as an endpoint agent or a network tap server. Typically, agents are pushed to endpoints as software packages across the organization to monitor all activities. Once the enforcement points and network data flows are configured, the next step is to consider scaling, backups, and disaster recovery. When installing a component, some customers also deploy backup servers for high availability (HA) and disaster recovery (DR). Solutions can operate in either Active-Active or Active-Passive mode in HA/DR setups.
Security policies and incident management for on-premise solutions are similar to those for cloud solutions, with one key difference: security incidents are stored in the customer environment, and the customer is responsible for managing and retaining these incidents in compliance with relevant data regulations.
Developers working on on-premise solutions cannot control when the software will be upgraded. Therefore, they need to be cautious about the features they introduce. Typically, only high-quality features with well-vetted business justifications are included in an on-premise solution. Once a feature is integrated, it can take a long time for the security vendor to stop supporting it, as upgrades depend on customer schedules.
Issues often arise with upgrades and with compatibility, both backward and forward, between components. Not all security vendors focus on upgrade use cases, but for customers, business continuity is paramount. They cannot afford to take the entire data security product down for a few days to upgrade all associated software and bring it back online; that is unacceptable. As a developer, you must design for compatibility between different versions of the components.
In cloud environments, there is a similar concern, but cloud solutions typically use blue-green deployment strategies, allowing for nearly instantaneous switching between versions. In on-premise environments, customers do not usually have double the amount of hardware necessary to implement such a solution.
On-premise upgrades also require customers to upgrade their OS platform, patch any security vulnerabilities, and maintain the entire deployment and its upgrades. However, even with all these maintenance tasks, an on-premise deployment may give customers the peace of mind they are looking for.
Conclusion
Both on-premise and cloud-based solutions have their own merits and demerits. It is not possible to declare one solution as universally superior to the other. Customers need to work with security vendors to determine what works best for their specific use cases and requirements and choose the most appropriate software accordingly.
Opinions expressed by DZone contributors are their own.