Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceSecurity Education & TrainingCybersecurity News

Making the case to leave on-prem for better security

By Aviad Hasnis
on-prem-server-freepik.jpg
October 4, 2021

On-premises infrastructure has long been considered safer and more securable than its cloud counterpart. An increase in cyberattacks on on-premises systems is challenging this surety. 

 

There are advantages and disadvantages of on-premises and cloud-based IT infrastructure. On-premises IT infrastructure can allow for more granular control of security configuration and ongoing management, but maintenance of on-prem systems requires more involvement than provider-maintained cloud-based IT. 

 

On the one hand, vulnerabilities in on-premises systems can be assigned a Common Vulnerabilities and Exposures (CVE) categorization, and a procession of patches and updates will follow. On the other hand, such a clearly indexed catalog of flaws increases the discoverability and exploitability of these vulnerabilities for cybercriminals. 

 

Despite greater granularity and helpful CVEs, remaining current on security patches and updates is particularly challenging for security operations (SecOps) teams amidst today’s reported shortage of cybersecurity staff. This heavily involved upkeep — updates, patches, security posture monitoring — is why on-premises systems are harder to keep secure and why they’re more popular targets for cybercriminals to breach.

 

Cloud flaws often are not categorized with a CVE, so criminals have more difficulty identifying and exploiting cloud vulnerabilities. Additionally, security for cloud-based infrastructure requires less involvement from SecOps functions than on-premises security maintenance, as much of the upkeep and security updates are maintained by the cloud provider.

 

Due to the nature of shared security responsibilities with a provider and the subsequent lighter upkeep needs, software as a service (SaaS) is proving to be more securable than on-premises configurations. However, it is imperative that SecOps leaders are hyper-aware of the consequences of taking the automatically updated security of cloud-based systems for granted. SaaS is not inherently safer from the get-go — it must be correctly configured, operated and maintained. Misconfigured (or worse yet, under-configured) SaaS environments are as vulnerable as outdated on-premises systems, and a cloud breach has more potential for widespread data exfiltration than a breach of on-premises systems. A cloud breach can compromise data from multiple customers who are using the specific service, for example, whereas in on-premises infrastructure, a data breach will likely expose data from only a single organization.


Increasing attacks against on-premises systems

As the walls and defenses around cybersecurity are built higher and bolstered, craftily engineered advanced persistent attacks against on-prem systems such as the 2020 SolarWinds and 2021 Kaseya events will become a trend.

 

In December 2020, SolarWinds discovered that nation-state threat actors had placed a backdoor in software updates for the vendor’s Orion platform. As SolarWinds pushed out the updates to thousands of customers, the hackers exploited the backdoors to breach high-value targets, including large tech firms, service providers and U.S. government agencies. The threat actors’ toolkit included tactics to use administrative permissions acquired via on-prem compromises to forge trusted tokens and impersonate existing users and accounts. 

 

In July 2021, Kaseya’s on-premises appliances were the target of a sophisticated supply chain attack. While the vendor was working on a patch for a vulnerability that had been flagged to them back in April, a ransomware gang exploited the flaw. Though Kaseya shut down their own cloud and advised customers to power off their on-premises Kaseya VSA servers, about 60 of their managed service provider (MSP) customers’ on-prem servers were also infected, leading to up to 1,500 downstream infections. 

 

Supply chain attacks, and persistent ones, are attractive to threat actors because they’re silent, and victims never know where and when the attack lands. Such an attack can be ongoing for an extended period before a security team detects it, just as in the SolarWinds breach, which was instigated as early as September 2019 and discovered in December 2020. 

 

Where does this leave security leaders at small- and mid-sized businesses? Decision-makers and leaders would do well to pursue the more secure, cloud-based infrastructure and to ensure their security posture is healthy, particularly their SaaS security posture. 


Proceed with cloud caution: Do not set it and forget it 

Many organizations have embraced cloud-based infrastructure and readily adopted a SaaS model. Unfortunately, many businesses also tend to outsource as much of their security operations as possible and hope for the best.

 

CISOs and leaders of small security teams, however, must not get too comfortable once they have outsourced their infrastructure or operations. Any certainty or assuredness that manifests from outsourcing security or pivoting from on-prem to SaaS must be curbed. Rather than bask in the perceived safety of managed services and cloud-based infrastructure, SecOps leaders need to embrace tools, approaches and tactics to ensure their security in a SaaS and hybrid environment. 

 

The security posture of every organization is measured by its weakest link, so if a single vulnerability or point of failure coexists with a buttoned-up SaaS environment, a rich portfolio of cybersecurity tools, vendors and services, and all the top-rated managed security services on the market will fall short. 

 

For example, the pandemic-induced global dispersal of workforces into remote locations has increased the use of both company-issued and personal mobile and handheld devices for work purposes. There are more handheld endpoints than ever, which complicates and convolutes the figurative security perimeter. 

 

Routine check-ups of the organization’s security posture are mandatory. Finding any security gaps — in the organization’s IT assets, from SaaS applications, data pipelines, services and networks to code repositories, appliances, company-issued endpoints and personal mobile devices — is critical to ensure that vulnerabilities are known and SaaS security is watertight. 

 

Enlisting MSPs and managed security service providers (MSSPs) is a resourceful tack for organizations of all sizes, especially for small- and mid-sized businesses or short-staffed IT or security functions. MSPs and MSSPs are generally more aware of cyber hazards than the typical organization, and they are quicker to both detect and act when events occur. However, when security leaders outsource some security operations to a service provider, it’s critical not to entrust them with permissions to the entire IT infrastructure. No service provider should ever be granted all permissions. If the headline-topping supply chain attacks this year were any indication, it’s evident that mid-sized businesses are vulnerable to the damaging downstream impacts of large-scale supply chain attacks that affect their service providers. If an SMB’s service provider suffers a cyberattack or is breached, and that MSSP or MSP has credentials to that SMBs entire environment, then that SMB’s systems are also compromised. 

 

SecOps, by policy, must only grant relevant permissions to what’s necessary for a service provider to do their job. 

 

At this point, a zero-trust model is non-negotiable, especially given the proliferation of supply chain attacks and the use of personal mobile devices for work purposes throughout the course of the pandemic. A zero-trust approach to security is not a panacea, though, and SecOps leaders cannot take a set it and forget it attitude, just as they mustn’t forgo routine checks to ensure their hybrid or cloud-based environments are configured and operating correctly. 


SMBs should consider turning to SaaS

The increase of attacks against on-premises systems is a harbinger of trends to come. Even known, CVE-assigned flaws are risk-laden points of failure because they exist until they are manually patched. And patching requires the investigative resources, tools, and the ability to get ahead of any third parties who are also privy to a vulnerability or, in many cases, to mend a disclosed breach before more damage occurs. 

 

The cloud certainly has its risks, but SaaS environments also enable quicker time-to-respond to a breach or to push an update or patch. With today’s dispersed workforces, the agility, speed and reach inherent to SaaS environments are tangible advantages most organizations should not pass up. When it comes to cloud-based security, SMBs particularly have a great opportunity to balance the SecOps resources they do have with the support of SaaS providers or MSSPs. 

KEYWORDS: cybersecurity information security risk management security operations software security

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Aviad Hasnis, Chief Technology Officer of Cynet, is a self-declared “threat detection enthusiast.” He joined Cynet after nine years of service in the IDF at the Central Intelligence Unit. He has worked on numerous cutting-edge technologies that have had a major impact on the security of the State of Israel. As part of his duties as CTO of Cynet, Aviad continues to lead extensive cyber security research projects and move cyber innovation forward. He is the head of Cyber Security Research, detection research & engineering, managed detection and response (MDR).

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Enterprise Services
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cybersecurity
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    New Security Technology
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Pills spilled

More than 20,000 sensitive medical records exposed

Laptop in darkness

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

Coding on screen

Research reveals mass scanning and exploitation campaigns

White post office truck

Department of Labor Sues USPS Over Texas Whistleblower Termination

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

2025 Security Benchmark banner

Events

September 29, 2025

Global Security Exchange (GSX)

 

November 17, 2025

SECURITY 500 Conference

This event is designed to provide security executives, government officials and leaders of industry with vital information on how to elevate their programs while allowing attendees to share their strategies and solutions with other security industry executives.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • cyber6-900px.jpg

    Making the business case for security by design

    See More
  • Boon Edam Circlelock Security Portal with Internal Biometrics.jpg

    Making the Security Case to the C-Suite

    See More
  • Classroom

    Off-prem vs. on-prem access control for educational facilities

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing