ITSM Security: Are On-Premise Solutions Really More Secure?

Be honest: IT Service Management has caused you more than a few security-related headaches over the years.

And you’re not alone. Even when everything goes right, there are just so many decisions to make and hurdles to overcome when implementing and maintaining an ITSM solution.
And in recent years, yet another layer of complexity has been added. Should you host your ITSM software on-premise… or rely on a vendor to host it for you?

On the one hand, ITSM vendors and their SaaS partners are often better positioned to host your solution in a cost-effective manner… But on the other hand, can they really be trusted with ITSM security, keeping your precious data secure?


Why Common Wisdom Doesn’t Tell the Whole Story

To shed some light on the historic SaaS vs on-premise debate, back in 2017 the SDI ran a ‘Business Case for SaaS’ survey for Sunrise, researching a large group of service desk professionals, who were spread across the public and private sectors in organisations of all sizes.

The first question we asked: How is your current ITSM tool delivered?
Interestingly, the responses to this question yielded a very even split, with 51% of respondents’ ITSM tools hosted via cloud, SaaS, or Hybrid, and 49% hosted on-premise. And while it’s certainly useful to know how the market lies, this even split also enabled us to collect a balanced set of responses to other, more divisive questions.

For instance, respondents with on-premise solutions were asked to name the single most significant factor that led them to select that path. In first place, with 31 percent of all responses, was security.

But when respondents with SaaS solutions were asked the same question, ITSM security came in a poor fourth place with just 11 percent of responses.

And the SaaS security concerns didn’t stop there. When asked what challenges they had faced, 20 percent of SaaS users listed security, compared to zero percent of on-premise users. At a time when new high-profile data breaches are hitting the headlines almost weekly, these responses look pretty bad for SaaS advocates.

Now, if you’ve given some consideration to implementing a SaaS ITSM solution in the past, these responses are probably consistent with your expectations. After all, everybody knows security is an issue for SaaS solutions, so it shouldn’t come as a surprise… right?

Well, here’s the thing. The responses to our survey are great for determining the perceived security differences between on-premise and SaaS, but they don’t tell the whole story. Simply put, just because a majority of service desk professionals appear to think SaaS security is weaker than on-premise security, that doesn’t make it true.

To get a better understanding of exactly why this issue might be more complex than it initially seems, let’s take a look at some of the factors that influence ITSM security.

The Control Paradox

If you’ve been in the service desk game for a while, I shouldn’t need to tell you that security regulations and compliance frameworks have tightened up significantly in recent years. And now that regulatory bodies have finally started to find their teeth, it’s really not a good time to skimp on IT security.

No surprise, then, that in the years we’ve been offering a SaaS ITSM service, we’ve seen the average ITSM security requirements document increase from a few lines to a few pages in length.

But here’s the thing. In many cases, these organisations are looking to move away from an existing on-premise solution. Why? Because they simply can’t achieve a high enough level of security on-premise without the need for a prohibitive level of investment.

And on closer inspection, other areas of our survey seem to back up the hypothesis that while it certainly is possible to implement a highly secure on-premise ITSM solution, there are some major cost implications. We asked on-premise users to list their top challenges, and I don’t think you’ll be surprised by their responses.

Over half listed either internalised development cost or greater initial investment as their single greatest ITSM challenge. I think it’s fair to say security plays a significant role in both of these financial challenges.

After all, security is far from a simple endeavour. In order to feel confident in the security of an on-premise ITSM solution, you’d need to invest not only in the latest server architecture and modern security products, but also in a consistent vulnerability and patch management program, regular off-site backups, disaster recovery, business continuity arrangements, and all sorts of other considerations.

And money isn’t the only concern with on-premise security, either. While SaaS vendors can typically utilise economies of scale to adapt fairly easily to changes in legislation, individual organisations don’t fare so well.

At the outset of an on-premise solution, as well as any time there is a major change in security legislation, you may well find that acquiring and implementing the necessary infrastructure is a slow and arduous process.


Control Does Not Equal Responsibility

At this point, you might be starting to suspect that I have a vested interest in talking up the benefits of SaaS ITSM.

Not at all. At Sunrise, we offer both SaaS Cloud ITSM and on-premise ITSM solutions, so there’s really no incentive to distort the facts.

In the interests of fairness, though, I should point out that there’s at least one major point to remember when deciding whether to host your ITSM solution on-premise or in the cloud: Responsibility.

You can outsource control of your ITSM solution and dataset, but you can’t outsource your legal responsibility to ensure it’s hosted according to the applicable legal and compliance frameworks.

Now yes, as I’ve already explained, cloud service providers like IBM Cloud do usually offer a higher level of security than the average organisation can provide in-house. But with that said, you need to be completely sure that a prospective vendor can deliver on their promises before signing on the dotted line.

Because if they can’t, and something goes wrong… It’ll be on you.


Which is Right For Me?

First of all, before I draw any sweeping conclusions from the results of our survey, I’d like to point out that everything I’ve written here is exclusively on the subject of security. There are all sorts of pros and cons to both on-premise and SaaS solutions, and we’ll be covering some of the main areas through further blog posts in the coming weeks.

But when it comes to ITSM security, I can’t help feeling that common wisdom has a lot of catching up to do.

Now, it may well have been true five years ago that SaaS security was something of a concern. But with the constant influx of new legislation and increasingly irate regulatory bodies, the truth is that SaaS providers are far better positioned than the average organisation to respond quickly and efficiently to new requirements.

Not only that, since SaaS providers are working at far greater scale than all but the largest of enterprises, they’re also able to offer otherwise cost-prohibitive security standards at far less cost than an individual organisation could.

So before you discount SaaS ITSM, make sure you take the time to compare the cost and security of each option thoroughly. If your organisation already has strong security protocols in place, it might well make sense to host your ITSM solution on-premise…

…but don’t assume anything. I think you might be surprised.