Data Risk Assessment

Modern On-prem is not an all-or-nothing, black-or-white approach to software adoption. Enterprises are encouraged to 1) assess the risk of the data the software will be processing and 2) weigh that risk against the cost of operating the application themselves.

This guide outlines common models for data risk assessment and classification and underscores the declining cost of operating automated applications.

Ultimately this boils down to a tradeoff between the operational overhead of running the infrastructure or application and the risk introduced by exposing the data to the vendor. As organizations classify data based on confidentiality, availability and integrity

“Cloud” can be split into two categories, IaaS and SaaS. The operational overhead of running infrastructure yourself (racking and stacking) is high, while the risk of trusting one of the main “hypercloud” providers (AWS, Azure, GCP) is comparatively low. Hence the rapid adoption of the IaaS side of “cloud”.

SaaS is much, much trickier. Different application architectures and different scales place applications all over the “operational ease” spectrum. SaaS companies also have widely varying security postures, so trusting your data to a SaaS security company like Okta is a different decision from trusting it to Grammarly (a consumer-grade extension that, by design, captures nearly everything you type).

More interestingly, most modern SaaS is now orchestrated and automated so thoroughly that it is more reliable to hand the application’s operation to a system like Kubernetes than to fiddle with it manually.
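The tradeoff sketched above (data risk, rated on confidentiality, integrity and availability, weighed against the cost of operating the application yourself) can be written down as a small decision model. The following is an added example, not code from the original page: the three-level impact scale, the high-water-mark rule for the overall classification (borrowed from FIPS 199), the per-vendor “assurance” rating and the three-level operating-effort scale are assumptions made for illustration, and the sample datasets and vendors are constructed.

```python
"""Added example (not from the original page): data risk vs. operating cost.

Assumptions, for illustration only:
  - data impact is rated LOW/MODERATE/HIGH per CIA axis, and the overall
    classification is the high-water mark (the worst of the three), as FIPS 199 does;
  - each vendor carries an 'assurance' level, the highest impact level you are
    willing to let that vendor hold, set by your own diligence;
  - operating effort is rated on a three-level scale, where AUTOMATED means the
    application ships packaged for an orchestrator and rarely needs hands-on work.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


class Effort(IntEnum):
    AUTOMATED = 1  # packaged for an orchestrator (e.g. Kubernetes); operator rarely intervenes
    ASSISTED = 2   # scripted install, but upgrades and scaling need hands-on work
    MANUAL = 3     # racking and stacking, hand-built hosts


@dataclass(frozen=True)
class DataClassification:
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    @property
    def overall(self) -> Impact:
        # High-water mark: the dataset is classified by its most sensitive axis.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Vendor:
    name: str
    assurance: Impact  # assumed rating: highest impact level this vendor may hold


def decide(data: DataClassification, vendor: Vendor, effort: Effort) -> tuple[str, str]:
    """Return ('saas' | 'self-host', reason) for one dataset/vendor/effort triple."""
    if data.overall > vendor.assurance:
        # Exposure risk outranks operating cost: the vendor is not trusted at this level,
        # so the only question left is how expensive self-hosting will be.
        return ("self-host",
                f"{data.name} is {data.overall.name} but {vendor.name} is only trusted "
                f"to {vendor.assurance.name}; self-hosting costs {effort.name} effort")
    if effort == Effort.AUTOMATED and data.overall == Impact.HIGH:
        # The vendor would be acceptable, but when the application runs itself there is
        # nothing to gain from exposing HIGH-impact data at all.
        return ("self-host",
                f"{data.name} is HIGH and the application is automated, so exposure buys nothing")
    return ("saas",
            f"{vendor.name} is trusted to {vendor.assurance.name} and self-hosting "
            f"would cost {effort.name} effort")


# Constructed sample inputs.
CUSTOMER_PII = DataClassification("customer PII", Impact.HIGH, Impact.MODERATE, Impact.MODERATE)
MARKETING_COPY = DataClassification("marketing copy", Impact.LOW, Impact.LOW, Impact.LOW)
IDENTITY_VENDOR = Vendor("identity vendor", Impact.HIGH)
WRITING_ASSISTANT = Vendor("writing assistant", Impact.LOW)


def matrix() -> list[tuple[str, str, str, str]]:
    """Every (dataset, vendor, effort) combination with its recommendation."""
    rows = []
    for data in (CUSTOMER_PII, MARKETING_COPY):
        for vendor in (IDENTITY_VENDOR, WRITING_ASSISTANT):
            for effort in Effort:
                rows.append((data.name, vendor.name, effort.name, decide(data, vendor, effort)[0]))
    return rows


if __name__ == "__main__":
    for row in matrix():
        print(*row, sep="\t")
```

The second rule in `decide` is where the page’s thesis shows up in the model: once an application is packaged well enough that operating it is close to free, a trusted vendor stops being a reason to ship HIGH-impact data out of the building. Replace the assumed scales with whatever your classification policy actually uses; the structure of the decision does not change.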

Join the Community

If you’re interested in this topic (agree or disagree), we’d love to have you join the community.