
In my second vulnerability management blog post (part one here), I’ll focus on on-premise vs. cloud-based questions and try to cover some of the most common questions and concerns in these areas.

With every industry ‘moving to the cloud’, it should come as no surprise that many cloud-based vulnerability management solutions are readily available.  For most decision makers, one of the first questions they need to address when evaluating vulnerability management solutions comes down to cloud-based products vs. on-premise products.

If you’re looking for insight into how to evaluate the on-premise vs. cloud-based dilemma, it helps to dig into the business pros and cons of both.

Diversity Matters

Most companies begin deploying vulnerability management in their datacenter networks because the information these assets contain has the most strategic value to the business.  Once that deployment is completed, companies usually move on to the portion(s) of their networks that host public services followed by networks that include user end points.

Organizations with mature vulnerability management programs then consider deploying vulnerability management into ‘extended enterprise networks’ that include branch offices, business partners, suppliers and supply chain components.

The reason this deployment pattern matters when you’re evaluating on-premise vs. cloud-based solutions is that the complexity and change rate of each of these networks can vary significantly. Most business networks are in constant flux, so they need solutions that can keep up with the level of change they experience.

While both cloud-based and on-premise solutions can be effective in every phase of a vulnerability management deployment, cloud-based solutions tend to offer more diverse deployment options that better suit the later phases.

Conversely, on-premise scanning solutions are typically better suited for static datacenter configurations or specialized air-gapped networks.

For example, assessing air-gapped networks creates a configuration dilemma that often falls outside the capabilities of a cloud-based solution. For high-value datacenter systems, most organizations want to assess these systems on a nearly continuous basis.

Sometimes the performance and SLAs of a cloud-based system aren’t responsive enough to assess and respond quickly enough to very frequent scans.

Here’s why:

If your business has numerous branch offices or many smaller offices, a cloud-based solution will generally offer a lower total cost of ownership and be less expensive to deploy, configure and manage.

This assumes the networks in the offices in question are relatively static and that on-site IT support is either extremely limited or unavailable; if either of these assumptions does not hold for you, it would pay to do a more detailed analysis for key locations.

Businesses that offer publicly available services have a different set of requirements. They need to consider how their services will be scanned, both from an internal and an external perspective.

For example, a business can assess public services with an in-house scanning solution, but the data may not represent the externally facing portion of the network that the public interacts with.

For these businesses, an on-premise-only solution would require the business to purchase and set up additional solution components that can perform external scans.

Cloud-based solutions, where the solution provider scans from the vendor’s data center across the Internet, tend to be the best way to assess the external portion of the network and, for this portion of the network, will typically require less overhead than an on-premise solution.

If your business needs PCI compliance, the cloud-based scan vendor might also be able to act as your ASV (Approved Scanning Vendor) for quarterly external scans, potentially simplifying some aspects of compliance, so that’s another factor to consider.

Is it Safe?

Perhaps the biggest concern for any company moving to the cloud is the relative security of their information.  Security experts tend to be fairly paranoid, and they have a natural fear of the unknown.

Since most security programs are built around the premise that they are in control of their data, it’s easy to see why this is an issue.  When you consider the nature of vulnerability management data and the potential impact of a breach of this information, full blown paranoia is completely understandable.

The good news is that most organizations already know how to evaluate cloud vendor security, even if they don’t realize it. This is because vetting the security controls of a cloud-based vulnerability management vendor shouldn’t be any different from vetting the security controls of other business partners or SaaS vendors.

Companies with a mature risk management program should already have a procedure in place to evaluate all vendors, and they should put all security vendors through their paces.

If your business doesn’t have a mature program yet, a basic starting place is to have the risk management team review the potential vendor’s security and compliance programs. If you need an even simpler starting point, or tips on how to vet a potential vendor, start with our security basics checklist (Vendor Security Questionaire 11 13 12).

Show Me the Money

When it comes to the total cost of a vulnerability management solution, buyers should be sure to evaluate the total cost of ownership over at least three years. It takes more time, but the first-year ‘savings’ of cloud solutions can actually turn into higher costs than on-premise solutions when you add up all the costs over time.

For cloud-based solutions, business stakeholders may want to inquire about a solution that offers billing based on usage.

If usage-based billing is important to how your business runs its network, then look for pricing that varies as the number of devices on target networks scales up and down.

On the other hand, variable cost models can also be difficult to predict. If you need rock solid cost forecasts then the fixed cost model of on-premise solutions may be more advantageous.

Finally, if your solution provider offers a hybrid cloud and on-premise option, consider both the steady yearly costs of the on-premise components as well as the variable costs of the cloud-based components over several years to understand the real cost of both deployments.
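As an added illustration of the multi-year comparison described above (example code written for this post, not from the original; every price, staff figure and device count is a constructed assumption, not vendor pricing), the following model shows how a first-year cloud saving can reverse once per-device billing scales with a growing network:

```python
"""Three-year TCO comparison: fixed on-premise costs vs. usage-based cloud billing.

Added example, not part of the original post. All numbers are constructed
assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class OnPremPricing:
    """Fixed-cost model: hardware once, licence and admin time every year."""
    initial_hardware: float     # year-one capital outlay (assumed)
    yearly_license: float       # flat licence per year (assumed)
    yearly_staff_hours: float   # admin hours for patching/upgrades (assumed)
    hourly_rate: float


@dataclass
class CloudPricing:
    """Usage-based model: per-device subscription plus a flat platform fee."""
    per_device_per_year: float  # assumed per-asset subscription
    yearly_platform_fee: float  # assumed flat fee
    yearly_staff_hours: float   # lower admin overhead, but not zero (assumed)
    hourly_rate: float


def on_prem_tco(p: OnPremPricing, years: int) -> List[float]:
    """Per-year cost; the hardware outlay lands only in year one."""
    base = p.yearly_license + p.yearly_staff_hours * p.hourly_rate
    return [base + (p.initial_hardware if year == 0 else 0) for year in range(years)]


def cloud_tco(p: CloudPricing, device_counts: List[int]) -> List[float]:
    """Per-year cost; rises and falls with the devices scanned that year."""
    overhead = p.yearly_platform_fee + p.yearly_staff_hours * p.hourly_rate
    return [overhead + n * p.per_device_per_year for n in device_counts]


def cumulative(costs: List[float]) -> List[float]:
    """Running total, so the first-year and multi-year pictures can be compared."""
    out, total = [], 0.0
    for c in costs:
        total += c
        out.append(total)
    return out


def first_year_cloud_costs_more(onprem: List[float], cloud: List[float]) -> Optional[int]:
    """1-based year in which cumulative cloud spend first exceeds on-premise, or None."""
    for year, (a, b) in enumerate(zip(cumulative(onprem), cumulative(cloud)), start=1):
        if b > a:
            return year
    return None


# Constructed scenario: the scanned estate grows from 2,000 to 3,500 devices.
DEVICES = [2000, 2800, 3500]
ON_PREM = OnPremPricing(initial_hardware=40000, yearly_license=30000, yearly_staff_hours=200, hourly_rate=75)
CLOUD = CloudPricing(per_device_per_year=20, yearly_platform_fee=10000, yearly_staff_hours=40, hourly_rate=75)
```

With these assumed figures the cloud option is cheaper in year one but the cumulative cost overtakes on-premise in year three, which is the trap the three-year rule above is meant to catch.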

Hopefully, you’re starting to see that there is a lot of nuance to the cloud vs. on-premise decisions in vulnerability management. Ultimately, these choices depend on your business objectives, the target networks you need to scan and the maturity of your vulnerability scanning program.

Deployment model decisions should be evaluated carefully in light of your unique priorities – there is no one-size-fits-all answer. Ultimately, most businesses will want to take advantage of both on-premise and cloud-based solutions because they address different important issues.

In future blog posts, we’ll discuss the importance of integrating vulnerability management tools with existing business tools and reporting practices because these factors also have an impact on deployment decisions.


Images courtesy of ShutterStock