Why cloud hosted DAM is NOT less secure than on-premise

Thanks to a combination of falling digital storage costs and increased internet speeds, cloud solutions have become popular with businesses of all sizes looking to reduce overheads and benefit from the flexibility they offer.

The days of having to install all software on the company’s servers or local machines are long gone. Instead, organisations are using the cloud not just for hosting their critical business applications, but also for storing much of their sensitive data and digital assets.

However, not every organisation is comfortable with this migration into ‘the cloud’. Indeed, there have been a number of high profile cloud hacks in recent years, most notably Facebook in 2019, LinkedIn and Accenture in 2021, and Toyota in 2023.

These news stories, combined with uncertainty about the security of any single cloud solution, have led many to believe on-premise software is more secure than cloud hosted software—but this is not necessarily true.

So if you’re considering implementing—or migrating to—a cloud hosted Digital Asset Management system but your organisation is unsure about the security implications, let us try and put your mind at ease…

What’s the difference between cloud hosted and on-premise DAM?

First of all, let’s define what the differences between cloud hosted and on-premise DAM (or any other software) actually are.


Unsurprisingly given the original meaning, the word ‘cloud’ makes us think of something intangible. However, cloud software is hosted on physical servers just like on-premise—the key difference between the two is where those servers are located.

On-premise installations are deployed in-house, typically on servers within the organisation’s existing IT infrastructure and often in the same building as the organisation. The data and applications might be accessed via the internet, or a secure local area network (LAN).

By contrast, cloud software is hosted on servers owned and maintained by the software vendor, and accessed via the internet.


The second key difference between cloud hosted and on-premise DAM is the level of control the organisation has over their data.

Although the business might retain ‘ownership’ of data in a cloud environment and can access it at any time, they don’t have complete control over it. For example, if your cloud software provider is hacked, suffers a power cut or there’s a natural disaster wherever it’s hosted, there’s nothing you can do about that. However, hosting providers will have processes in place to deal with these unexpected scenarios—something an in-house IT team won’t necessarily have, should the same things happen to your own servers or buildings.

With on-premise you could say you have absolute control of your data and what happens to it—or rather, what happens to it is entirely your responsibility. However, that’s not necessarily a good thing…

Control doesn’t mean security

Many organisations do not invest as heavily in security infrastructure as cloud software vendors do, making the risk of attack greater than it would be with a cloud setup. There’s also a cybersecurity professional skills gap that makes building a capable in-house team difficult at the moment.

What’s more, cloud providers often offer a wide range of security features, including firewalls, encryption, identity and access management and monitoring. Is your business in a position to invest in high level cybersecurity resources? And do you have the internal expertise to manage and maintain it?

The cloud is no more vulnerable to data breaches than an on-premise infrastructure—it all comes down to the quality of the security technology and processes that are in place. This isn’t to say that you shouldn’t do your due diligence when considering cloud software vendors: ask them to show proof of their software’s security credentials. They’ll typically be able to provide certifications that show they meet cybersecurity best practices.

On-premise DAM is more resource intensive

Managing and maintaining an on-premise DAM is significantly more resource intensive. You have to manage and maintain the servers—scaling up the storage capacity as and when required—while also investing in an internal IT team to secure it. You’ll need a disaster recovery and backup system in place too, and there are also direct overhead costs to consider when running your own servers.

This makes on-premise the more expensive solution, but it also has implications for cybersecurity.

If your IT team is already overstretched managing the security of the organisation’s entire IT infrastructure, an on-premise DAM is another huge task to add to their plate. Will they have time to maintain the system effectively, or will potential vulnerabilities get missed? ‘Alert fatigue’ is a common problem for internal IT teams: the burden of monitoring a large network, together with the alerts and notifications that need to be dealt with, leads to an inefficient and ineffective security team.

You also have to consider what happens when IT staff leave the business. You can replace them, but the cybersecurity skills shortage won’t make that simple and, of course, they’ll need training on your systems. This could leave your IT infrastructure less secure and overstretched.

You might not benefit from DAM software security updates as quickly

A cloud hosted DAM system—or any cloud software—is updated frequently by the vendor, whether that’s introducing new functionality, fixing bugs or resolving security vulnerabilities.

If you’ve invested in a custom-built DAM with no ongoing support from a vendor then you’re left to improve the DAM yourself. Even if you pay for ongoing support for your on-premise system, you may not receive those updates as fast as your cloud hosted counterparts, and it may be your responsibility to perform the upgrades too.

But what if your industry demands that your data is hosted locally?

If your organisation handles highly sensitive data, for example if you’re in healthcare or finance, you might be required to comply with data sovereignty rules.

Data sovereignty applies to certain digital data, and states that the data is subject to the laws of the country where it is collected. This has implications for international data transfers that can happen with cloud software solutions.

An example of this can be found in the EU’s General Data Protection Regulation (GDPR), where transfer of data outside of the EU is restricted. In these specific cases, organisations may wish to house their data on-premise so they are assured of compliance with data sovereignty rules.

However, this fear is often misplaced. Cloud software vendors will often be able to work with an organisation to accommodate data security compliance requirements. 

Here at ResourceSpace we're certified to ISO27001, an internationally-recognised best practice framework for information security management standards. We have to meet strict criteria to achieve this certification, and we're audited every year, which means these standards have to be maintained.

ISO27001 certification is a critical component of our IT governance, risk and compliance programmes, and it far exceeds the data standards of most individual organisations.

What's more, we offer both cloud hosted and on-premise DAM with ongoing expert support. If you’re considering investing in a Digital Asset Management platform for the first time, or migrating from your existing provider, why not speak to us about your security requirements? Alternatively, you can book a free DAM demo with one of our team by following the link below.