Cloud-Based vs. On Prem Assets

Codecademy Team
Learn about the tradeoffs between cloud and on-prem assets.

What we’ll be learning

When an organization needs a new asset, like a server, they have a choice to make:

  • Do they purchase a physical server and install it on-premises, or “on-prem”, at one of their facilities?
  • Do they rent a cloud-based server from a hosting provider?

Both approaches are valid, but they have pros and cons in terms of cybersecurity. Today, we’ll look at the security concerns with both approaches that might factor into an organization’s decision on which approach to take.

So, which is better? Cloud-based or on-prem?

An image of a server and a cloud with boxing gloves getting ready to fight each other

The short answer

Both cloud-based and on-prem solutions are reasonably secure when configured properly. Cloud-based solutions move some of the responsibility for security away from the organization renting the cloud-based assets, and onto the organization providing the cloud services. In general, the service provider is responsible for ensuring the security of the cloud, and the organization renting the assets is responsible for the security of those assets.

For example, if an attacker compromises a cloud-hosting provider, and is able to access the virtual servers of their clients, that’s the provider’s fault. If the attacker is able to then steal a database of plaintext passwords from the virtual server, that’s the client’s fault.

For small organizations without the expertise or resources to properly support the infrastructure required by the assets they need, it might make more sense to go with a cloud-based solution, and move some of the responsibility for infrastructure and security elsewhere. On the other hand, large organizations with lots of resources and a large pool of expertise may feel they can do a better job of creating robust, secure infrastructure themselves, making on-prem the better option.

The long answer

Both approaches have security concerns, but not all of those concerns are equal for both approaches. Some security concerns may only pop up for one solution or the other.

Physical attacks

It’s awfully hard for an attacker to steal a physical server if there is no physical server. With on-prem solutions, an attacker can be fairly confident that there is a physical server to steal, and where that server is located.

Cloud-based systems don’t necessarily have the same issue. There is a saying “The Cloud is just someone else’s computer”, but the reality is more complicated. Virtual assets may be split among multiple physical computers, and those physical computers may not have a complete copy of the virtual asset.

Denial of service

DoS attacks on cloud-based assets can be more of a problem than for on-prem assets. If a physical server in the same building as you has been overwhelmed by traffic and needs to be reset, you can walk over to it and restart it. If a cloud-based server is in the same situation, it may not respond to restart commands, making the process more difficult.

An image showing a computer looking tired and overwhelmed as it's swarmed by lots of bugs. The bugs represent requests to the computer.

On the other hand, many cloud-based hosting providers offer DoS mitigation, which might make DoS attacks less of an issue than for on-prem assets.

Larger attack surfaces

Cloud-based assets may have a larger attack surface than on-prem assets. For example, if a cloud service provider is targeted by a threat actor, cloud-based assets hosted by that provider might get caught up in the attacks as well.

Trust

3rd-party vendors aren’t always honest about their services, and it’s not unheard of for cloud service providers to overstate their security. If your organization has excellent security practices, but a cloud service provider you use doesn’t, then the assets you have with that service provider could be at risk.

Conclusion

Both cloud-based and on-prem solutions have pros and cons, and both can be viable solutions from a security perspective. It’s important for organizations to consider the particular security impacts of a given approach, and decide how best to mitigate the approach’s weaknesses, whatever the approach may be.