Intapp Inc.

08/07/2024 | Press release | Distributed by Public on 08/07/2024 00:13

Cloud vs. on-prem: A CISO weighs the options

Cloud infrastructure has come a long way. Not that long ago, cloud hosting was thought to be risky and expensive. After all, why would you trust not just your own company data, but also the confidential client data you manage, with another company?

Nowadays, cloud infrastructure companies like Microsoft, Google, and Amazon have built secure, reliable, and reputable frameworks that have earned the trust of businesses from financial services companies to law firms.

Many companies are hosting their systems and data on legacy on-premises infrastructure, debating whether they should take advantage of the benefits of cloud, or stick with the status quo. Here are some factors to consider when deciding whether to migrate to the cloud or stay on-prem.

5 key security considerations when evaluating cloud vs. on-premises infrastructure

For cloud and on-premises infrastructure, security considerations and controls are very similar. Both must protect sensitive data by controlling access, requiring multifactor authentication, ensuring proper system and network controls, encrypting data in transit and at rest, and providing monitoring, detection, and response capabilities, among multiple other security controls.

But one key advantage of cloud computing is that all reputable cloud infrastructure providers have experienced, dedicated security expertise and resources on hand to prioritize and implement security controls to maintain their cloud infrastructure. Cloud infrastructure companies have the budget and capacity to hire the best of the best in cloud security. They can and do invest the necessary resources since a robust security framework is table stakes for firms to use their products and services.

The higher investment is possible because multi-tenant cloud providers can also amortize security resource and control costs over hundreds or thousands of clients and customers, making their ability to provide comprehensive security much more cost-effective than doing it yourself.

1. Security responsibilities and shared security models

By definition, if you are on-premises, you own 100% of the tech stack. However, if you go with a cloud service provider, your firm is only responsible for system configuration and application-level security, while your service provider protects the physical systems and the networks up to the operating system level.

In other words, on-premises firms are responsible for security from top to bottom, across all layers of the tech stack. Infrastructure, platform and software-as-a-service vendors handle various levels of security in the tech stack.

For example, when a firm purchases Intapp products, Intapp takes on the system configuration and application software-level security controls to protect the client firm's data. We deliver our solutions on a Microsoft Azure-based industry cloud, leveraging Microsoft's physical systems, networking, and base-level machine security controls. However, the client firm still has some security control responsibility, primarily with regard to identity and access management, which remains largely up to the client.

When it comes to costs, the cloud infrastructure and the software provider split the cost (potentially over hundreds or thousands of clients) of maintaining the security of the infrastructure. A firm building on-premises takes on the entire cost of maintaining, upgrading, and executing its security controls and models.

2. Cloud security vs. on-premises security

Many firm decision-makers believe that their organizations have unique needs that require unique security controls that a cloud-hosting provider can't offer. But the reality is, no firm has truly unique networking needs since all networks use the same IP protocol stack.

As an independent firm looking to maintain your own on-prem system, you likely have had a hard time competing for the resources and security experts to build and operate it. Perhaps the very largest law firms can recruit highly experienced teams, but most firms will struggle to get the right people to maintain, upgrade, and secure applications through an on-premises solution.

The bottom line is that the large cloud infrastructure providers are more secure. There hasn't been any real network or system-level breach of any of the top five cloud infrastructure companies, as they have cornered the market with the best talent and security capabilities available.

3. Cost considerations of on-premises vs. cloud infrastructure

To put it bluntly, an on-premises infrastructure is not cheap. While it's widely understood that there's a high initial cost to build on-premises, there's also a common misconception that maintenance costs will be lower. Regarding cloud hosting, there's a similar misconception that while onboarding costs may be lower, the long-term subscription costs will be higher.

However, the truth is that an on-prem approach can be considerably more expensive overall. An on-premises deployment includes high costs not only for set-up, but also for staffing and retaining an expert team and maintaining and upgrading the system.

Another common pitfall: A firm hires an expert team to build them a system, but then those experts move on because they're "builders," not "maintainers." The firm then struggles to maintain its highly customized on-premises products. On the other hand, cloud providers like Intapp can maintain the system and amortize the cost over thousands of customers.

4. Security monitoring, incident response, and compliance requirements

When it comes to security monitoring and incident response, cloud deployment is hands-down the better option. Cloud providers look at threats holistically and can apply protections across the board for all of their clients. In addition, if they're monitoring across many law firms and there's a legal-specific security threat, the cloud provider can resolve the issue and apply the fix across all legal clients.

Here's something else to consider: If a law changes, cloud providers have the resources and flexibility to make those changes across the board to alter the requisite business flow, so that all law firms are in compliance. But if a firm built a system five years ago based on different laws, that firm may not have the in-house expertise to easily or promptly make the change. There are risks to the firm, then, of breaching a security, legal, or regulatory requirement. A cloud provider gives firms the ability to keep up with industry requirements and changing regulations or compliance.

International firms with global offices that deploy on-premises infrastructure face an even greater security challenge: They have to manage varying security and compliance requirements across multiple regions. That can be very costly, as keeping up with ever-changing requirements around the world will likely require global security resources to ensure that the system is both secure and always up to date. While cloud providers also face this challenge, they have the dedicated capability to do this at a global scale. Again, it comes back to cost, scale, and security: An individual firm or smaller international firm with an on-prem system is going to have a less robust security program and security team, and therefore be more vulnerable to attack.

5. Security assessments, audits, and certification processes

Technically, on-premises firms do not require certifications, audits, or assessments as they take on the risk themselves - but they should still conduct regular audits and obtain relevant certifications. Widely accepted certifications, such as the ISO 27000 series and SOC 1 and 2, apply to both on-prem and cloud infrastructure. CSA STAR - along with U.S.-specific certifications for SaaS providers, like StateRAMP and FedRAMP - are more cloud-focused.

Although not mandatory, these certifications indicate a stronger security position and are valued by clients - particularly state funds and state governments, which may require them.

Cloud or on-prem: The final verdict

The final decision of whether to opt for cloud or stick with on-prem is an entirely individual choice. However, it's evident that cloud infrastructure offers some clear advantages. The shift to cloud computing has become increasingly attractive as firms leverage the best in industry expertise and regulatory compliance - both critical elements for staying competitive in today's fast-paced digital landscape. By embracing cloud solutions, firms can unlock new levels of efficiency, scalability, and innovation while helping to reduce costs and complexity.

Is your firm ready to make the move? Reach out to us to learn how Intapp can help your firm make the move to cloud.