On-Prem is back but it isn’t coming back the way it used to be
The New On-prem
We’ve been thinking about on-prem wrong. On-Prem is back, but it isn’t coming back the way it used to be.
Over the last few years, and more so the last few months, I see two emerging trends related to on-premises software.
Trend 1: On-prem is now in the cloud. Software Vendors are offering cloud-first versions of on-prem that use cloud-native features. New terms emerging with this trend include “Containerized On-Prem” and “Bring Your Own Cloud” (BYOC).
SaaS has long dominated enterprise IT strategies for its simplicity, scalability, and cost savings. It is still a good strategic practice today. As enterprises exit classic traditional on-premises (on-prem) and either do a lift and shift of applications into the public cloud, such as moving VMWare instances from data centers into the cloud like to Google Cloud VMWare Engine (GCVE) or application rebuilds for the public cloud to take advantage of cloud-native features, the concept of “on-prem” has materially shifted in the last five years as so many enterprises move to the public cloud.
The new on-prem involves:
Connected Container-Based Deployments: Software vendors with SaaS products provide containerized products, typically orchestrated with Kubernetes, for deployment within enterprise environments. This mimics traditional on-prem software delivery but adds regularly updated container deployments, but loses the advantages of fully managed cloud-native services. This has been around for years.
Bring Your Own Cloud (BYOC): Software vendors deliver infrastructure-as-code for deployment into an enterprise’s Virtual Private Cloud (VPC) within the Enterprise’s public cloud environment. This is much younger. Databricks is a cornerstone example of this, and most recently, ClickHouse, a cloud high-performance database management system, announced in June 2024 their new BYOC offering. The architecture of BYOC models is usually:
A control plane that the vendor manages.
A data plane hosted within the Enterprise’s environment, ensuring data never leaves the organization’s boundaries.
Source: Clickhouse Bring Your Own Cloud (BYOC) Architecture: https://clickhouse.com/cloud/bring-your-own-cloud
But here’s the thing. Container-based deployments are more like Traditional On-Prem than BYOC SaaS is to Traditional On-Prem. BYOC SaaS isn’t exactly On-Prem either. It’s a new category that offers control over On-Prem and the dynamism of SaaS. It’s the new “on-prem”: BYOC SaaS.
Trend 2: Enterprises that pushed hard for SaaS first are re-evaluating SaaS deployment models in four use cases: operational resilience, heavy data in play, privacy and control, and privileged access.
Let’s be clear - on-prem doesn’t make sense for every use case and neither does SaaS. While I have a cloud-first mentality, I am sharing my mental model for when I would consider either key mitigations or go even further with strong architectural changes like the new on-prem (in the cloud) or a hybrid on-prem where there is a local on-prem controller (in the cloud) that acts on behalf of the Software vendor.
Four considerations for you (the Enterprise) to consider an on-prem model or you (the Software Vendor) should watch for and be prepared to offer in an on-prem model.
1. Heavy Data. AI use cases are driving the biggest push for the new on-prem era. Data is heavy. Moving it, duplicating it, and securing multiple copies of it is wildly expensive.
Enterprises have a ton of proprietary data. To give you a sense of sheer size, GPT-4 was trained on ~1 PB of data, GPT-3 on ~45 TB of data but a large enterprise like JP Morgan Chase, has more than 450 PB of data.
Source: AWS re:Invent 2021 - How JPMC modernized its core risk management platform - 450+ Petabytes of Data
Training on public internet data has reached its limits with the “public data wall”. The next push is for companies to customize models using proprietary data, and that data is heavy. Moving it, duplicating it, and securing multiple copies of it is expensive. That means we need to bring the code to the data with the new on-prem.
“...the future will be BYOC for all data intensive applications because it’s otherwise too hard, too costly, too difficult to scale with the amounts of data that people are generating today.
”
2. Resilience. Managing operational resilience has become a board-level priority. We need to think about how critical a software vendor’s SaaS multi-tenant offering is to our critical business services and balance how much control we need over operational continuity.
With ransomware not only rising but also increasing in sophistication and our supply chain getting more and more interconnected, enterprises that provide global and systemically important services (e.g., banking, healthcare) need to consider whether an additional level of control with one of the newer on-prem models gives adequate isolation.
With regulatory guidance like SR 20-24 in the United States and regulations like the Digital Operational Resilience Act (DORA) in the EU emphasizing thoughtful reliance on external providers, banks are considering where to reassert control over their software solutions, surgically choosing where to return to [the new] on-prem.
3. Privacy and Control. Keeping control over what the SaaS software vendor sees on your metadata use, your intellectual property, your customer data, or your need to maintain data sovereignty.
SOC reports aren’t enough. Software vendor due diligence and the 200+ question spreadsheets aren’t enough. But they are still important. Depending on an enterprise’s use case and risk appetite, they may want more than external assurances and take more direct ownership and control of their operational risk.
I am seeing a trend of early-stage SaaS companies integrating the new on-prem into their roadmap early. For example, ClickHouse, Series A at the time, declared their latest on-prem offering:
“We’re going to launch later this year called Bring Your Own Cloud, where the data plane will sit behind the customer’s VPC. We’ll still manage the control plane. And so for data residency requirements, data locality, whatever its costs, security concerns, we think that’s going to open up a big market for us, especially in the enterprise.
”
4. Sensitive Access Restriction. Agentic AI and automation-heavy (e.g. SOAR) SaaS use cases are driving the push for the new on-prem because they require sensitive privileges. Using a traditional SaaS deployment model in this use case is a high-diligence threat model.
These use cases are high-diligence threat models and the mitigating controls around the SaaS use case can get so constrained that the value proposition gets lost. Security teams in Enterprises rightfully are uncomfortable no matter how much SOC report and vendor due diligence you put into it.
The least bad solutions I’ve come across are hybrid SaaS instances where the SaaS exists and calls to an on-prem controller to perform the action, enabling the Enterprise to scrutinize what happens and how it happens. But I go back to first principles - can I solve this architecturally with a better deployment model?
SaaS use cases that should trigger this consideration are privilege-centric, like Security Orchestration, Automation, & Response (SOAR) use cases, automation-driven (e.g. Cloud Security Posture Management Auto-remediation), or Agentic AI. Even user access management products that provision or de-provision access.
Bottom line, on-prem doesn’t make sense for every use case, but neither does SaaS. The “new on-prem” isn’t a retreat to the past - it’s a strategic evolution, using cloud-native innovations to meet today’s enterprise needs.
Links
Clickhouse: Bring Your Own Cloud (BYOC) Architecture
Striim Podcast Episode: “Sovereign AI, Redpanda vs Apache Kafka, The Future of Data Streaming with Alex Gallego (CEO of Redpanda)”
AWS re:Invent 2021 - How JPMC modernized its core risk management platform
MAD Podcast Episode : “How ClickHouse powers Netflix, Uber and Spotify’s Analytics | Aaron Katz, CEO of ClickHouse”
