In my career, I’ve led development teams creating both software as a service (SaaS) and installable on-premise solutions, so I am familiar with debates about the realities and myths of SaaS vs. on-premise. Whenever this debate resurfaces, I address the concerns raised as I would any operational initiative: by asking questions and challenging assumptions.
SaaS: “Software as a Service,” a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted and maintained.
On-Premise: is software that is installed and runs on computers on the premises of the person or organization using the software, rather than at a remote third party facility such as a cloud provider.
We created RADAR to be a cloud-based SaaS offering because of direct and industry experiences that prove doing so lowers cost of entry, reduces time to deliver value to our customers, allows rapid prototyping, makes it easier to scale vertically and horizontally, and allows a “work anywhere” model using just a regular web browser without additional software installation. This means as a solution provider we can release bug fixes, new features, and security patches quickly (daily if needed) to ensure all our customers are up to date.
Below are some of the questions you should be asking when considering SaaS vs. on-premise solutions for your organization, especially if your culture is resistant to adopting SaaS software.
Is your company ready to invest the needed money and resources to manage all IT aspects of on-premise solutions including: provisioning, installing, monitoring, backups, disaster recovery, updating and configuring the required hardware & software?
On-premise solutions may be fine for your company if your IT department is geared to do so but for many (if not most) companies this requires a lot of planning which means delays, often measured in months. Unfortunately, your needs are just one of many requests being made on an often already overloaded department. A SaaS vendor takes care of all these infrastructure risks to ensure high availability and disaster recovery.
When compared to the total cost of ownership (TCO), a cloud-based SaaS solution helps businesses avoid these capital costs for acquiring and hosting the solution, as well as the ongoing IT costs to manage it.
“CIOs and CISOs need to stop obsessing over unsubstantiated cloud security worries, and instead apply their imagination and energy to developing new approaches to cloud control, allowing them to securely, compliantly and reliably leverage the benefits of this increasingly ubiquitous computing model.”
- Gartner Report “Clouds are Secure: Are you Using Them Securely?”
Is your IT department or corporate culture insisting on solutions that are on-premise because of security concerns?
While an on-premise solution does keep your business’s sensitive data within your own firewall, protected according to your own security policies, this doesn’t mean it is more secure.
With solutions built upon high-end cloud providers such as Microsoft Azure or Amazon Web Services (AWS)—that have been audited against multiple frameworks such as CSA, ISO 9001, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, SOC 1, SOC 2, and SOC 3—SaaS systems are highly secure with expert supervision of physical, network and server security. This kind of focus and expertise is very difficult to replicate in your company’s own IT or data center offering.
Catch Andrew's upcoming session at IAPP's Privacy. Security. Risk. 2017: SOC2 Certification: How We Got There and What We've Learned.
However, a SaaS vendor does have a shared security responsibility with both their customer and the cloud provider. This relates to the difference between the “Security of the Cloud” (the physical infrastructure) versus “Security in the Cloud” (the software and configurations running on top of the physical).
When looking for a SaaS vendor make sure they have good security controls in place and have been audited by a reputable 3rd party auditor against a security framework such as SOC 2 Type II + HITRUST CSF or similar audit controls to ensure your data is protected.
How are you ensuring that the solution is updated in a timely manner with minimal impact?
When it comes to keeping solutions up to date, I often describe this challenge as gathering the herd. When you herd cattle, your goal is to keep the herd together and reasonably moving in the same direction. Some will be with the herd, some will lag behind but you do not want them strung out off the trail as there are limited resources to keep them all in line. Now consider the herd as users and whether they’re up to date on regular or highly sensitive security updates. Your company is only as secure as the laggards in the herd. With SaaS solutions, when a security patch is deployed the whole herd is together.
Updates are often much more challenging for on-premise solutions. For example, a recent Wall Street Journal article noted most IT staff aren’t able to even install standard OS and application security patches quickly enough to prevent ransomware attacks that are becoming increasingly common—an issue that contributed to the recent Wannacry attack.
A SaaS solution for incident response avoids the high potential risks and costs of non-compliance because the SaaS vendor is able to update centrally (often with no perceivable downtime). RADAR, for example, automatically monitors and applies critical patches and also keeps our regulatory legal engine up to date so you are ready to risk assess the day the law becomes effective. Regulatory requirements change constantly, so incident response support requires near real-time updates. Your company cannot afford delays, because missing a notification deadline—72 hours in some cases—can incur large regulatory fines or settlements.
If you are relying on your IT department for this, take a number and wait.
Can your on-premise solution quickly scale?
SaaS solutions are able to scale to the load as needed. As your use of a platform grows, the hardware costs that you might incur if you were maintaining the platform on-premise (server capacity, software licenses, etc) are handled by the SaaS vendor, not your IT department. The cost of entry into licensing and setting up a SaaS solution is typically much lower (less time to implement, fewer resources required), and each subsequent upgrade to the platform is offered seamlessly and automatically, meaning your organization can be putting the platform to use right away, reducing the amount of time it takes to receive the benefits.
With scalability comes another benefit of SaaS for incident response: freeing up time and resources so teams can focus on core business needs first. The IT staff can concentrate on the security of strategic business systems and core business data. Privacy, security, and compliance staff can concentrate on continuously improving privacy and security policies and practices, and risk managers can focus on governing for the changing business environment rather than worrying about the changing regulatory environment.
Prioritize Strategic Initiatives, Boost Security Concerns, and Retain Scalability with SaaS for Incident Response
Compliant incident response depends on up-to-date regulatory information, most in-house IT already struggles to manage routine on-premise software updates, and missing notification deadlines in the case of a data breach can incur huge regulatory costs and possibly other costs from damaged reputation and litigation.
On the other hand, a cloud-based SaaS solution such as RADAR ensures quick, timely updates to decision-support rules. Users have instant access to an expert knowledge base maintained by dedicated regulatory specialists. This real-time information can also feed into your organization to establish benchmarking metrics for your privacy program, using reporting and trends to identify areas for continuous improvement.
A SaaS solution for incident response is a win for the efficiency of your staff, the privacy of your customers, and for your bottom line. As you evaluate your options, consider these questions about the nature of the problem you’re trying to solve.