When you’re dealing with physical security, safety and lives are at stake. So do you trust your most important data and applications to the cloud or should you self-host and attempt to protect it yourself? This may seem like a dated question, but it’s one we’ve seen clients wrestle with.
A couple of years ago, for example, we were talking with a potential client, a company in a government-regulated sector. At the time, Circadian Risk did not offer a self-hosted option, and the company felt that, because of their industry, they could not use the cloud. We contacted them again, six months later, when we had a new self-hosting option. They had news for us as well: they’d moved to a cloud-first policy.
This is the trend; cloud adoption is at 94% - an all time high. However, that leaves the other 6% of businesses. Those companies feel they need to self-host, often because they are in a regulated sector.
What is the best option for these organizations? Let’s take a look at each option and examine the pros and cons.
Self-hosting vs the cloud
Self-hosting is the practice of running and maintaining your own applications, data, sites, or services using a private server rather than a third party.
Cloud-hosted applications are hosted, run and maintained by a third party, often a SaaS (Subscription as a Service) vendor. The vendor is responsible for storing your data. They provide the application, maintenance, and storage as a service, and you pay a subscription fee for that service.
To think of it another way, the difference between hosted applications and the cloud is very much like the difference between home ownership and renting. You own a hosted app, and subscribe to a cloud-hosted app. Both have benefits and drawbacks.
Self-hosting: the pros and cons
When you own a house it’s yours. You control everything; you can paint it whatever color you want and do whatever you like with the landscaping. No landlord can tell you not to paint every room purple, or how to trim the hedge. However, there are some drawbacks to ownership: when the roof goes or the boiler gives out, it's no one’s problem but yours. You either have to fix it yourself or find someone who can.
It’s the same for self-hosted software. You own it, but that also means you own any problems you encounter.
Control: Organizations that choose self hosting often do so because it offers more control over how data is stored and managed. For a long time, the logic has been that your security is only as good as the security of your network. By self hosting, companies don’t have to trust the security of a third party.
Customization: Not all SaaS solutions offer the ability to completely customize their products. A self-hosted solution allows you to customize the solution however you want. Your team can tailor both the frontend and backend in whatever way works for you, without any input from the vendor.
Cost: Some companies believe self-hosting will be less expensive for both themselves and the vendor. After all, they’re doing all the work and the vendor doesn’t have to pay for storage — right? That’s not true: self-hosting is expensive. According to Github, the cost of a self-hosted solution is usually about 5.25 times greater than its cloud-based counterpart. In fact, self-hosting is expensive for everyone involved: the vendor has to spend a lot of time working with your team to set up the application on your server. You are likely to have to invest in more infrastructure, and in personnel to set up and manage the software.
Accessibility: Think back to before the cloud, back about 15 or 20 years. Remember what a hassle it was to access your workplace data from off-site? That’s because everyone was self-hosted back then. While things have improved a bit when it comes to logging into self-hosted solutions remotely, accessing self-hosted solutions and data from off-site can still be tricky. It can be a particular problem now, when so many people work remotely. (And unlike the workforce of 2004, today’s workers are used to being able to easily access information and applications without having to jump through hoops.)
Security: Self-hosted solutions have long been seen as much more secure than cloud-hosted solutions. The logic was that data is only secure as the network it’s on. These days that means that your network is the only thing standing in the path of increasingly-sophisticated cyber attacks. While large cloud providers like Amazon and Microsoft have the teams to combat those attacks, you may not. You also shoulder all the liability yourself; if you're self-hosting, you are the only one to blame if customer data is lost or corrupted.
The cloud: pros and cons
The cloud has come a long way in the past several years. In the past, moving to the cloud was eyed with concern by companies used to on-premise software and storage, but thanks to the rise of SaaS applications and the increase in remote work, the cloud has been embraced by most industries.
If self-hosting is like owning a home, the cloud is like renting. You may not own an application, but all the updates, maintenance, and security is handled for you. Also, depending on the service, you can customize it to meet your needs.
Cost: A SaaS solution is much more cost-effective than a hosted one, for several reasons. There’s the upfront costs (installation and onboarding is much more expensive than a subscription fee) and the cost of running and maintaining the solution. A SaaS is maintained, supported, and secured by the team associated with the vendor. If something breaks, you don’t have to bring in your own team to fix it. Additionally, you gain agility; you can downgrade or upgrade your subscription based on your needs.
Accessibility: Do you have a remote workforce? If so, it makes more sense to look into a SaaS. Most SaaS solutions are designed to be accessed remotely, which means it’s easy and secure for your people to access your app from off-site.
Security: In the past, self-hosted applications might have had the edge when it comes to security, but that’s no longer the case. Over the years, cloud solutions have become more secure; large cloud hosting organizations are better able to handle security demands than a smaller business. Companies have also realized that they can transfer liability for corrupted or lost data to those cloud providers. This provides some relief from the reputational and financial damage that comes along with a potential data breach.
Control: While most SaaS vendors give you plenty of control over your data, the fact remains that you don’t own a SaaS solution, and don’t necessarily have as much control as you would if you self-hosted. However, most companies don’t need that level of control. Additionally, most SaaS solutions will work with you to give you the level of control and customization that you require.
You must use the vendor’s security controls: You can’t implement your own security controls if you’re choosing a SaaS solution. It’s part of the package and the solution itself. However, you can often negotiate the security controls you need with the vendor. Anything you need can be written into your contract.
Connectivity: If your employees work in areas without wi-fi, accessing your SaaS solution can be a problem. This depends on the vendor, however. Some vendors (like Circadian Risk) offer a feature that allows team members to work offline. It’s important to ask about this ahead of time.
Can your organization move to the cloud?
The short answer is yes. No matter what your industry is, there are several options that should fit your organization and your industry. Some examples include storage solutions like cloud.gov and AWS GovCloud, as well as infrastructure-based solutions, like single tenant architecture.
If you think there is not a cloud option for you, you have likely not explored the choices that are available to you. Fortunately, a good vendor can help guide you through those choices.
Want to learn more? Follow the Circadian Risk blog for more safety and security tips and information.