Is SaaS cloud hosting more secure than traditional on-premise setups?

Dorian

New member
We are debating moving our infrastructure. Does anyone have experience with the security trade-offs when migrating to a cloud-based software service?
 
It all depends on the Shared Responsibility Model. With SaaS cloud hosting, your physical security is managed by the provider, as is the patching of the underlying infrastructure. However, you are in charge of your data and access controls. With a small team, you would be safer in the cloud, since you are not likely to patch your home servers as quickly as a billion-dollar data center does.
 
Oh, yes, since transferring your data to somebody else's computer is never the most secure thing to do. I would have guessed that such huge targets do not draw hackers. It is hands down far safer to give away the keys to your kingdom and simply wish that when your database fails at 3:00 AM, their support ticket system will be operational.
 
Compliance-wise, the majority of enterprise-tier SaaS vendors are certified under schemes such as SOC 2 Type II, ISO 27001 and HIPAA compliance, which most small to medium on-premises deployments cannot possibly afford to sustain. You are not merely purchasing hosting; you are purchasing their whole security and audit system, which drastically limits your legal responsibility in case of an intrusion.
 
Unless you literally have a moat and a 24-hour armed guard outside your server room, the cloud is physically more secure. I was previously employed at a facility where the server room was a broom closet that was always left unlocked, and somebody once unplugged the main rack to plug in a vacuum cleaner. You do not get that kind of innovation with SaaS.
 
The actual security threat is not the cloud; it is the migration process. During the transition, people are likely to leave S3 buckets open or set up their IAM roles improperly, since they are accustomed to the firewall-around-the-building approach. Going to the cloud without educating the personnel about Zero Trust architecture will create a faster route to the honeynet.
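The "open S3 bucket" failure mode named in the post above is one that can be checked mechanically before cut-over. The following is an added example, not code from the thread or from any of its posters: a small offline checker that reads an S3 bucket policy (the JSON document AWS attaches to a bucket) and flags any Allow statement whose Principal is everyone and that is not fenced by a narrowing condition key. The two policies, the bucket name and the account/role ARN are constructed for illustration; the set of "narrowing" keys is an assumption a reviewer would tune for their own environment.

```python
"""Added example (not from the thread): flag bucket-policy statements that
grant access to everyone, so a migration team can catch them before
cut-over. Both policies below are constructed sample input."""
import json

# Constructed example of a policy written to "just make the site work":
# every object becomes world-readable and the bucket world-listable.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-migration-bucket",
                         "arn:aws:s3:::example-migration-bucket/*"],
        }
    ],
})

# Constructed corrected policy: only one named role (hypothetical account
# and role name) may read, and plain-HTTP access is explicitly denied.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-migration-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-migration-bucket",
                         "arn:aws:s3:::example-migration-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Condition keys that genuinely narrow an anonymous principal (assumed list;
# extend for your environment). Note that aws:SecureTransport is NOT in it:
# requiring TLS does not authenticate anyone. A Deny with Principal "*" is
# harmless; only an Allow with Principal "*" is reported.
NARROWING_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:sourceip",
                  "aws:principalorgid", "aws:principalaccount"}


def _as_list(value):
    """IAM allows a scalar or a list in most elements; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True when the Principal element matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _condition_keys(statement) -> set:
    """Collect every condition key used in the statement, lower-cased."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def public_statements(policy_json: str) -> list:
    """Return the Sid (or positional label) of each Allow statement that an
    unauthenticated caller can satisfy."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if _condition_keys(stmt) & NARROWING_KEYS:
            continue  # anonymous in form, but fenced to a VPC, IP range or org
        findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


def is_public(policy_json: str) -> bool:
    """Convenience wrapper: does the policy expose anything to everyone?"""
    return bool(public_statements(policy_json))


if __name__ == "__main__":
    for name, pol in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(f"{name}: public statements = {public_statements(pol)}")
```

Run it against a policy pulled with `aws s3api get-bucket-policy` and it reports the offending Sids; the open sample yields `['PublicRead']`, the corrected one yields nothing. The check is deliberately conservative: it looks only at the bucket policy, so it says nothing about ACLs or the account-level public access block, which have to be reviewed separately.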
 
Honestly, just do it. The apparent control that you believe on-premise gives you is largely an illusion. When a zero-day exploit is released, the cloud providers will have a patch before you finish reading the news notification.
 
The most significant trade-off in our switch last year was not technical security but visibility. You also lose the ability to sniff packets at the hardware level, which is sometimes pure torture as far as troubleshooting is concerned. Nonetheless, the automated backups and geo-redundancy ensure that we have not lost even a second of data since the move, and that in itself is security.
 
I would wait for the first major regional outage to strike your provider and leave your whole company in their hands for eight hours. It is secure all right, but is it available? On-premise means that whether the internet has gone off or not, I can still access my local files. No business in the SaaS world exists without the internet. Sleep well thinking about that!
 
You need to consider a mass event as against a targeted event. On-premise makes you a smaller target, but somebody can crack you more easily. SaaS makes you part of a giant target, but the armour is far, far thicker. The thick armour prevails in most cases for most businesses.
 
Can we discuss the issue of so-called shadow IT? Your workers will begin to incorporate third-party applications into your ecosystem, unrequested, the minute you go SaaS. At least on-premise had everything passing through a central gateway. The security trade-off here is that you are trading the maintenance of your servers for the continual headache of checking the API permissions of third parties.
 