Cloud vs. On-Premises IAM: 8 Cs of Identity and Access Management
June 15, 2023
By: Craig Smikle – 13 min read
A secure, robust, and effective identity and access management system is one of the most important investments an organization can make. A common question often asked is, “Should these systems be deployed on-premises, or in the cloud?” In this article, we will explore the pros and cons of each option.
Introduction
Identity and access management (IAM) is a cybersecurity discipline involving a set of policies, business processes, and technologies for managing identities. It ensures that the right users and devices have appropriate access to necessary resources. It is a crucial component of any organization’s business and operational strategy.
Depending on your specific needs, an IAM solution can be deployed either on-premises, or in the cloud. Each of these scenarios comes with certain advantages or tradeoffs that need to be considered. “On-premises” systems are those hosted within the organization’s own infrastructure, whereas a cloud deployment means that the resources (i.e., software, servers, data, etc.) are accessed as services delivered over the internet. Cloud IAM would be provided by third-party vendors, typically in a subscription model, with offerings often referred to as Identity-as-a-service (IDaaS).
A business may be faced with this choice of on-premises vs the cloud whether they’re starting without any defined identity and access management, or have a rudimentary or incomplete system that needs to be expanded, or they may even be a mature large enterprise with a well-established legacy setup that requires modernization. In all cases, their existing makeup is a significant factor when formulating requirements for an IAM investment.
If keeping or developing an on-premises identity and access management system, an organization will own and be responsible for all aspects of the solution, from design to deployment, maintenance, and improvements, hosted and usually accessed within their network, in their own datacenters. Pursuing a cloud-hosted solution on the other hand, means entrusting these functions entirely to a third party as a paying consumer. So, which is ideal: the power and privacy associated with on-premises systems, or the agile accessibility of the cloud?
We’ll explore this question by looking at what I’ll call the “Core Central Concerns Considered by Companies Choosing Cloud Cybersecurity” or simply, “the 8 Cs” (then no more alliteration after this). They are:
Control vs Constraints
One of the main advantages of keeping your IAM on-premises is the complete control it gives you over your security. You have full authority, visibility, and flexibility over your infrastructure, software, processes and data. Though you may purchase third-party products and support for your on-premises system rather than developing it all on your own, you are free to choose the software, hardware, vendors and licensing best suited for your needs. You can opt for configurations that might not be allowed by the cloud provider. As a consumer you are restricted to whatever permissions are offered by the provider, and limited by constraints inherent to shared hosted solutions.
Customization vs Consistency
This of course severely limits your ability to customize the offering and its functionality as you see fit. Because a cloud provider offers the same product to multiple customers, who even share the same computing resources, it isn’t very feasible to offer a significantly different experience for each customer. Their ability to scale the solution for mass use requires a fair amount of uniformity and consistency in the product. This does mean though that by using these services you can be assured that your IAM solution is consistent with standards in use by others.
Cloud IAM companies often do offer methods of customization for your tenant such as in branding, though this will be relatively limited. You will also have the option to select from a menu of packages and features per your budget and requirements, so it is not purely one size fits all. However, the nature of shared hosted software-as-a-service requires a somewhat standardized offering for all consumers. In contrast, with control and ownership of your own on-premises systems, you have the ability to fine tune all aspects to your company’s specific requirements, whether to fit your unique business processes and workflows or to integrate your IAM with existing custom applications, systems, data sources, or data formats.
Compliance & Confidentiality
Compliance with varied standards, policies, and regulations is a critical and often non-negotiable requirement for any business. This is especially true in the case of IAM, where many dominant standards place heavy importance on topics such as data access control, privacy, and protecting identities. Examples include SOX and GBLA for financial institutions, PCI for payments, HIPAA for healthcare, and FERPA for education. They all share goals for reducing risk by regulating access to records, especially of identifying information.
One good thing about using a vendor who specializes in identity and access management is that it’s a key part of their business to stay abreast of many of these regulations and to make sure that their products are compliant. As new standards arrive, they are able to update their product, which in the case of the cloud would then be effective for all customers. At the same time, an IAM vendor can only make technical features available. It is still the responsibility of the customer, i.e., the actual financial, healthcare or educational institution, to enact and execute the appropriate businesses policies, processes and practices to remain compliant with these regulations. In some cases, adherence to a particular standard may not even be possible under the constraints of a cloud model, and the organization may require a customized on-premises solution.
With data access restrictions being a core component of most standards, there are also some strict cases where storing data on third-party servers is just not an option and it must be kept on-premises. Even when not trying to comply with a specific external standard, for many companies it may be of utmost importance that their sensitive data resides within and is accessible only from their own network, and no third party has the possibility of gaining access. On-premises IAM guarantees that data is confidential to the organization and its employees.
There is also the matter of data residency, which refers to where data can geographically be stored. Data will be subject to laws by the country or state in which it is either originated or stored, and companies will often face restrictions on data residency in order to do business in that location. When using a cloud provider, you have far less control about where your data is stored and usually no way to verify its physical location. This is an important consideration if you need to follow rules related to where your data is or comes from.
That said, companies doing business in multiple locales will find themselves having to stay compliant with many different regulations, and it can be hard to keep track of them all. For instance, data privacy laws like CCPA (California) and GDPR (Europe) have rules and protections that apply everywhere. A good cloud solution can assist by offering tools that cover scenarios for users from every location.
Competency & Competition
For most companies, IAM is not central to their business in that it is not a direct source of revenue. For those that do have this focus, they are incentivized to keep up with all the standards, rules, and innovations that arise within the field. They can make large investments into research and development of these features, expecting it to pay off in dividends. With a core competency in IAM, they can even attract and pool top talent to achieve best-in-class implementations. In contrast, other companies may find it more difficult to dedicate comparable resources toward a fully realized and robust IAM system. Even when deploying packaged software on-premises from established IAM vendors, it often requires a skillset not found in-house, and external services are needed. When using the cloud, experts in the chosen IAM product are automatically the ones handling the deployment for you.
A core competency refers to those skills, resources and capabilities that make up your defining strength, giving a competitive advantage and allowing you to stand out from others. To remain competitive and attract or retain customers, cloud vendors are motivated to remain on the cutting edge and constantly improve their offering. Trends show that they’ve found it easier and faster to roll out these improvements in cloud-hosted applications rather than traditional packaged on-premises software, which is becoming more and more seen as “legacy” compared to the newer fast-moving entrants.
That said, it is very possible to find that deploying your own custom IAM solution with a private implementation over which you have full control, can provide the competitive advantage for your own company. A third-party offering that’s the same for all customers may not be superior to something crafted in-home specific to your own business and workflows. Identity and access management is so key to so many business activities that creating features or processes that uniquely complement your organization can result in a standout defining strength.
Complexity & Convenience
Proper identity and access management is not a trivial undertaking. Achieving an effective setup in something as crucial as cybersecurity, while covering everything needed to address compliance issues, can be incredibly complex. This is why the use of a cloud vendor that is dedicated to IAM as their core business can be very attractive, allowing your organization to be a simple consumer of these services. This can be very convenient for companies with standard uncomplicated IAM needs. As a matter of fact, many of the capabilities required to respond to modern security trends are highly complicated or cumbersome for an individual organization to maintain, such as multifactor authentication (MFA) requiring SMS or push notification systems, or biometrics and FIDO (Fast Identity Online) for passwordless authentication. It is usually far easier to let a cloud vendor provide these.
In other cases though, a customer may have specific requirements for their organization that due to the limited customization of the cloud, may prove even more complex to integrate with their existing applications or systems. Deploying an on-premises solution could be the simpler, more convenient option in such instances.
Another vastly common scenario is that most companies have some existing traditional or legacy IAM system that they are considering moving to the cloud. Depending on how expansive these systems are, or how much automation is in use, or how embedded it is with on-premises applications and workflows, it can be overwhelmingly complex to migrate these to the cloud or to even adapt a cloud solution to integrate with your various on-premises applications. In such situations, it may be more convenient to upgrade these systems on-premises.
Costs & Capital
Arguably the foremost concern for most organizations is the question of what upfront capital and ongoing costs are required to deploy and maintain an effective IAM solution. An on-premises solution built or deployed from scratch will require at least a much larger immediate cost, and then will require on-going resources, skilled IT talent, and possible licensing fees to maintain. As discussed, the inherent complexity of robust IAM and the on-going vigilance required to maintain compliance with various regulations only amplifies the amount needed to do it right.
Cloud solutions, rather than a huge initial investment, will charge ongoing monthly or annual subscription fees. This provides an advantage by allowing a certain predictability in budgeting or accounting. At the same time, customer organizations have no control over those fees (past the duration of a contract) and are subject to any future increases at the whim of the provider. With vulnerability to vendor lock-in due to the inconvenience of switching cloud providers, this can be a concern. For some, it is even possible for the total cost of ownership (TCO) of the cloud (with its perpetual subscription fees) to end up higher than an upfront cost of on-premises if spread over the system’s entire lifecycle.
Even so, it should be simpler to quantify or estimate funding for IAM when subscribing to a cloud service, when compared to calculating the costs to hire talent, develop applications and fulfill various on-premises software licensing models. Overall, for most typical organizations it is normal for cloud IAM to cost less than maintaining your own on-premises solution. This is especially true since IAM-focused cloud vendors are able to defray or spread the costs of their investments over their entire customer base.
Connectivity & Collaboration
A large benefit of deploying your IAM systems on-premises within your network is the ability to be sure all devices can communicate with no lag or latency, and limit external bandwidth costs. Keeping your data within the network perimeter, instead of accessed over the internet, also enhances security by reducing your attack surface. However, there are new realities within the modern workplace that render a strict network perimeter barrier not as feasible as it once was. For one, the modern workforce is distributed; remote work is commonplace, and not only are employees spread geographically but they even move from place to place and expect to be able to continue working at all times. This trend also includes increasing use of personal BYOD (bring your own device) and mobile devices (vs PCs and work-issued devices) that may not be connected to your network at all.
Additionally, the applications used by the average modern employee are more and more comprised of cloud-hosted SaaS and other publicly available applications, no longer limited to those developed in-house and only accessible on the network. Everything from office software to project management, ticketing systems, ERP and a myriad of other software examples may already be in use as cloud-delivered services at your organization. When so many applications are in the cloud, even an on-premises IAM solution has to contend with integrating all of these tools in a secure manner with on-premises enterprise systems. Cloud-hosted IAM is usually a very effective way of integrating these varied SaaS applications, due to the focus on industry federation standards for interoperation such as SAML and OIDC, and often with pre-built templates and integrations for known applications.
Most importantly they simplify access for a remote workforce, meeting them wherever they are at any location on any device, while still implementing your organization’s rules and policies for access control. They can even be a solution to lag and latency, not only because they may have multiple data centers in different regions allowing them to be close to where your users are, but also often have content-delivery-networks (CDNS) for serving cached assets from the edge.
This all doesn’t just apply to your workforce; identity and access management is also important for your customers, which amplifies the stated challenges around geographic distribution, personal devices, and public application integration. Connecting all these external customers, employees and partner applications with your own on-premises systems requires additional investment and complexity around network infrastructure such as load balancers and switches. Relying on a cloud IAM system can make this aspect much easier.
Confidence & Contingencies
Due to the criticality of cybersecurity, another frequent concern is what are the worst-case scenarios that can occur, and what are the contingencies that can be included in your IAM solution to deal with these? For example: can users still access applications in the case of a network interruption from your ISP? When servers go down or are lost, is data lost with them or is there disaster recovery available? How devastating is a security breach by a bad actor?
Dependence on the cloud means that when something goes wrong, you lose functionality with no direct means to address it, which can be quite frustrating as you’re forced to open a support ticket and wait for a resolution. You do not have the ability to design your own disaster recovery (DR) and will have limited visibility into what’s even gone wrong.
On the other hand, for some companies it is a relief to entrust issues like reliability and DR to a cloud provider, opting for the peace of mind of not being responsible for these. For one, many cloud systems are distributed geographically, with failover and disaster recovery built in. They often guarantee a high percentage of uptime, more than the organization might be able to deliver themselves. However, it’s never 100 percent, and it is not uncommon to hear of public clouds going down and taking businesses down with them for extended periods. So bear this in mind as you weigh your comfort with and confidence in each option.
As for breaches, this is the largest concern of any IAM team that wants to stay out of the news. An on-premises solution reduces your attack surface, both by keeping data behind firewalls as well as the fact that the shared cloud product could be breached at a level unrelated to your organization, possibly by persons with superuser access that never even have to come in contact with any of your employees. For example, a highly publicized data breach of a cloud IAM provider in 2022 was attributed to the compromise of a third-party support engineer working for a subcontractor. With a well-designed cloud integration though, a breach in the IAM product shouldn’t grant access to the company’s most sensitive systems, especially if privileged vaults and secrets are kept on-premises.
What is important for an organization in the aftermath of such crises is full visibility into logs, records, and systems which would allow an administrator to perform the necessary audits or troubleshooting required to find and rectify the issue, enabled by comprehensive monitoring. This kind of access may only be possible on-premises and can be quite frustrating when dependent on a cloud provider. That said, cloud vendors often do offer impressive reporting capabilities, even if limited to the activities that happen inside their product.
Comparison
| On-Premises | Cloud |
| Complete control over configuration | Constrained to limited permissions |
| Customize uniquely as needed | Consistent for all customers |
| Confidentiality, privacy, residency of data | Compliance with changing regional standards |
| Can add competitive edge in some cases | Core competency, central to their business |
| Complex, but maybe less than migrating | Conveniently hidden complexity |
| More upfront capital, but choice/control | Consistent predictable subscription costs |
| Communication over a closed network. Harder to enable external collaboration | Connecting workers, consumers regardless of device or location |
| Confidently prepare for, investigate and respond to crises | Contingencies built in for resistance to failure |
Conclusion
I hope this has shed some light on the tradeoffs involved in the consideration of cloud vs on-premises identity and access management. As you have probably been able to tell, there is no one true answer to which is the better choice for an organization, as it completely depends on individual requirements and needs as well as the company’s resources, existing applications, and more. However, trends do indicate that for the average business, the cloud affords a robust and effective IAM solution for a more predictable and possibly lower cost than trying to implement a full IAM solution on-premises.
That said, our recommendation for most companies would actually be to go with a hybrid solution. Combining on-premises and cloud components offers the maximum flexibility and diversity of features, while allowing you to balance what concerns are most important for your own compliance requirements and access needs. For the typical organization that would have a legacy on-premises solution in place and is looking to modernize, hybrid IAM offers a phased approach where individual components can be moved to the cloud when and as appropriate. For example, an on-premises user directory can be used as an identity source for a cloud hosted authorization server and catalog of federated applications.
In my role as a Security Engineer at Prolifics, I’ve been able to support organizations with cloud, on-premises and hybrid deployments, as well as migrations in-between them all. If you have any questions on the topic or would like to share your own experience, we’d be glad to hear from you.
Craig is a senior Security/IAM engineer and consultant with more than 15 years of experience in IT, including backgrounds in programming, DevOps, and system administration, and over seven years of extensive experience in identity and access management.He has worked with industry-leading IAM solutions such as Okta, RSA, and IBM Security Verify, as well as middleware such as IBM WebSphere and MobileFirst. He is also experienced in scripting and application development with a wide variety of languages and tools.