Operations
Cloud vs. On‑Premises vs. Hybrid
Comparison of the three operating models across implementation, administration, cost, security, monitoring/auditability, data protection/data sovereignty, and user experience. The focus is on technical implications and operational mechanics.
Comparison table
| Dimension | Cloud | On-Premises | Hybrid |
|---|---|---|---|
| Implementation | Guardrails first: landing zones, Entra baseline, policies/IaC. Fast provisioning, but risk of sprawl without governance. | Slower rollout (hardware, network, capacity), but full control over platform components. Complexity increases with legacy dependencies. | Additional enablement required (Entra Connect, Arc, network integration). Standardization is essential; otherwise the cloud and data center environments drift apart. |
| Administration | Focus on RBAC, tenant operations, policy management, and platform updates. Automation via IaC/CI pipelines is possible. | Operating system and application patching, GPO maintenance, backup/restore, hardware lifecycle. High effort to standardize across many zones. | Dual operations: cloud controls plus on-prem domain operations. Clear responsibilities and runbooks are essential. |
| Costs | OPEX-driven: consumption, storage retention, SIEM ingestion. Cost control via tags, budgets, retention tiering, and reserved capacity. | CAPEX-driven: hardware, licenses, and data center costs. Predictable, but with the risk of overprovisioning. | Combination of CAPEX + OPEX. Additional licensing and integration costs (e.g., Arc, SIEM, networking). |
| Security | Strong platform controls (Conditional Access, PIM, policy enforcement, CSPM), but only if they are enabled consistently. Shared responsibility must be operationalized, not just understood. | Full operational responsibility: hardening, patching, network segmentation, and domain controller protection. Active Directory is usually the “crown jewel”; an AD tiering model and privileged access workstations (PAW) are required. | Larger attack surface due to the bridges between the two worlds (directory sync, federation, network links). Detection must correlate cloud and on-prem signals (XDR/SIEM). |
| Monitoring / Audit | Centralized telemetry (Log Analytics/Sentinel), audit APIs, Secure Score. Plan retention and export (storage/archive) up front; default retention is rarely enough for audit requirements. | Event forwarding, EDR telemetry, and traditional monitoring stacks. Audit evidence is possible, but often distributed across systems. | Central correlation is required: identity, endpoint, server, cloud. Data source hygiene (coverage, time sync, parsing) determines detection quality. |
| Data protection / data sovereignty | Data residency via regions/policies; compliance artifacts are available. Critical: tenant configuration, guest/sharing policies, DLP/labels. | Maximum data sovereignty in your own data center, but high effort for security evidence and processes. | Data classification determines what may go where. Labels/DLP and clear data flows are mandatory. |
| User experience | High agility, self-service, modern auth flows. Risk: security friction without aligned CA policies. | Stable for internal workloads, but often less flexible for remote/modern workplace scenarios. | Best of both is possible, but only with a clean identity journey and consistent policy logic. |
Recommended operational building blocks
Identity operating model
- ✓Break-glass accounts, CA baseline, PIM process, access reviews
- ✓Service principals: ownership, secrets/cert rotation
- ✓Hybrid: sync monitoring, minimize privileged paths
Baseline & drift control
- ✓Cloud: policy enforcement, Secure Score, CSPM backlog
- ✓On-prem: baselines/GPO, config audits, patch compliance
- ✓Exceptions: documented, time-bound, monitored
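The drift control above only works if the comparison is mechanical: export the current Conditional Access policies, diff them against the approved baseline, and treat every difference without a change record as a finding. The following is an added example for this page, not XELANED's code. The two policy sets are constructed and mimic the shape of a Microsoft Graph `/identity/conditionalAccess/policies` export reduced to the fields that matter; the ticket ids and principal names are made up.

```python
"""
Conditional Access drift check against an approved baseline (added example).
Volatile fields are ignored, lists of principals are compared order-insensitively,
and every drift record without an approved change becomes a finding.
"""
import json
from typing import Any

# Fields that change on every save and must not count as drift.
IGNORED_FIELDS = {"modifiedDateTime", "createdDateTime"}

# Constructed baseline: the state the change gate last signed off.
BASELINE_JSON = """
[
  {"id": "p-001", "displayName": "CA001 Require MFA for all users", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-1", "breakglass-2"]},
                  "applications": {"includeApplications": ["All"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"id": "p-002", "displayName": "CA002 Block legacy authentication", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                  "clientAppTypes": ["exchangeActiveSync", "other"]},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
  {"id": "p-003", "displayName": "CA003 Require compliant device for admins", "state": "enabled",
   "conditions": {"users": {"includeRoles": ["role-template-global-admin"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}}
]
"""

# Constructed current export: CA001 was silently switched to report-only, CA002 gained
# an exclusion (approved below), CA003 only changed key order, CA004 appeared unapproved.
CURRENT_JSON = """
[
  {"id": "p-001", "displayName": "CA001 Require MFA for all users",
   "state": "enabledForReportingButNotEnforced", "modifiedDateTime": "2024-05-03T10:12:00Z",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-2", "breakglass-1"]},
                  "applications": {"includeApplications": ["All"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"id": "p-002", "displayName": "CA002 Block legacy authentication", "state": "enabled",
   "modifiedDateTime": "2024-05-02T09:00:00Z",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["svc-legacy-scanner"]},
                  "clientAppTypes": ["exchangeActiveSync", "other"]},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
  {"id": "p-003", "displayName": "CA003 Require compliant device for admins", "state": "enabled",
   "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
   "conditions": {"users": {"includeRoles": ["role-template-global-admin"]}}},
  {"id": "p-004", "displayName": "CA004 Temporary exclusion for project team", "state": "enabled",
   "conditions": {"users": {"includeGroups": ["grp-project-x"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]
"""

# Constructed change-gate records (ticket system or IaC repo history in practice).
APPROVED_CHANGES = [
    {"ticket": "CHG-0421", "policyId": "p-002", "approvedBy": "security-lead",
     "reason": "legacy scanner needs basic auth until 2024-06-30"},
]


def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten a policy into {dotted.path: leaf} so a diff names the exact field.
    Lists of scalars (users, apps, controls) become sorted tuples, because reordering
    principals is not a change; lists of objects keep their index."""
    out: dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list) and all(not isinstance(i, (dict, list)) for i in obj):
        out[prefix] = tuple(sorted(str(i) for i in obj))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}[{index}]"))
    else:
        out[prefix] = obj
    return out


def diff_policy(old: dict, new: dict) -> dict[str, tuple[Any, Any]]:
    """Return {field_path: (baseline_value, current_value)} for every differing leaf."""
    a = flatten({k: v for k, v in old.items() if k not in IGNORED_FIELDS})
    b = flatten({k: v for k, v in new.items() if k not in IGNORED_FIELDS})
    return {path: (a.get(path), b.get(path))
            for path in sorted(a.keys() | b.keys()) if a.get(path) != b.get(path)}


def detect_drift(baseline: list[dict], current: list[dict]) -> list[dict]:
    """Compare two policy sets by id; one record per added, removed or modified policy."""
    base = {p["id"]: p for p in baseline}
    cur = {p["id"]: p for p in current}
    drift = []
    for pid in sorted(base.keys() | cur.keys()):
        if pid not in cur:
            drift.append({"id": pid, "displayName": base[pid]["displayName"], "kind": "removed", "changes": {}})
        elif pid not in base:
            drift.append({"id": pid, "displayName": cur[pid]["displayName"], "kind": "added", "changes": {}})
        else:
            changes = diff_policy(base[pid], cur[pid])
            if changes:
                drift.append({"id": pid, "displayName": cur[pid]["displayName"], "kind": "modified", "changes": changes})
    return drift


def unreviewed_changes(drift: list[dict], approved: list[dict]) -> list[dict]:
    """Change-gate check: drift without an approved change record is a finding."""
    approved_ids = {rec["policyId"] for rec in approved}
    return [d for d in drift if d["id"] not in approved_ids]


def run_check() -> tuple[list[dict], list[dict]]:
    """Run the check on the constructed data; returns (all drift, unreviewed drift)."""
    drift = detect_drift(json.loads(BASELINE_JSON), json.loads(CURRENT_JSON))
    return drift, unreviewed_changes(drift, APPROVED_CHANGES)


if __name__ == "__main__":
    drift, findings = run_check()
    for d in drift:
        print(f"{d['kind']:<8} {d['id']} {d['displayName']}")
        for path, (old, new) in d["changes"].items():
            print(f"         {path}: {old!r} -> {new!r}")
    # The SLO "0 unreviewed changes" is met only when this list is empty.
    print(f"unreviewed changes: {len(findings)}", "(SLO breached)" if findings else "(SLO met)")
```

Note what the check does and does not catch: the silent switch of CA001 to report-only is exactly the kind of weakening a Secure Score does not flag immediately, and it is reported as a field-level diff; the approved exclusion on CA002 is still listed as drift, which is intended, because the baseline has to be updated once the change is accepted. The exclusion's expiry date lives only in the ticket text here; a real register should carry it as a field so it can feed the exception aging KPI.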
Operating model: from “Run” to “Run + Prove”
RACI (example) – platform, security, SOC, business units
Critical for audit and operations: clear responsibilities, defined escalation paths, and an evidence repository (runbooks, reports, decision records).
| Capability | R (Responsible) | A (Accountable) | C (Consulted) | I (Informed) |
|---|---|---|---|---|
| Identity Policies (CA, MFA, PIM) | IAM/Platform | CISO | SOC, Compliance | IT Ops |
| Endpoint Baselines (Intune/MDE) | Workplace | IT Ops Lead | Security | Business units |
| Logging & SIEM (Sentinel) | SOC | CISO | Platform | IT Ops |
| Patch & Vulnerability | IT Ops | IT Ops Lead | Security | Business units |
| Incident Response (IR) | SOC | CISO | IT Ops, Legal | Management |
SERVICE TIERS
- ✓8x5 – standard IT, planned changes, IR as needed
- ✓12x5 – extended response windows, SOC integration
- ✓24x7 – KRITIS/NIS2-like requirements, fixed on-call rotation
Key decision question:
Which business-impact classes do your systems have?
This determines service tier + cost.
SLOs
- ✓MTTD critical incidents: < 15 min (24x7)
- ✓MTTR containment: < 4 h (critical)
- ✓Patch compliance: 95% within 14 days (critical)
- ✓Backup restore test: monthly (Tier-0), quarterly (otherwise)
- ✓CA policy drift: 0 unreviewed changes (change gate)
In audit-relevant environments, “it runs” is not enough. Operational capability means predictable changes, defined response times, and a robust evidence chain.
Service & SLO Definition
- ✓Service catalog (identity, endpoint, platform, SOC, data)
- ✓SLOs/SLAs (e.g., incident response, patch window, restore time)
- ✓KPIs: coverage, drift, MTTD/MTTR, exception aging
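The SLOs listed above (MTTD, MTTR containment, patch compliance) and the KPIs in this list are only useful if they are computed the same way every reporting period. The following is an added example for this page, not XELANED's code; it evaluates three of the page's SLO targets and the exception aging KPI over constructed incident, patch and exception records. In practice the records come from the SIEM/ITSM incident export, the patch inventory and the exception register; the ids, hosts and dates are made up.

```python
"""
SLO/KPI evaluation over operational records (added example).
MTTD   = first relevant signal -> SOC detection, critical incidents only
MTTR   = detection -> containment (attacker path cut, not ticket closed)
Patch  = share of (host, patch) pairs applied within the 14-day window
Exceptions = age of each entry, flagging expired and open-ended ones
"""
from datetime import datetime, timedelta

SLO_TARGETS = {"mttd_critical_min": 15, "mttr_containment_h": 4, "patch_compliance_14d": 0.95}
REPORT_DATE = datetime.fromisoformat("2024-05-15T00:00:00+00:00")  # constructed reporting date


def ts(s: str) -> datetime:
    """Parse ISO-8601 timestamps with a trailing Z (UTC)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed incident timeline (one record per incident).
INCIDENTS = [
    {"id": "INC-1", "severity": "critical", "first_signal": "2024-05-01T08:00:00Z",
     "detected": "2024-05-01T08:09:00Z", "contained": "2024-05-01T11:09:00Z"},
    {"id": "INC-2", "severity": "critical", "first_signal": "2024-05-07T22:10:00Z",
     "detected": "2024-05-07T22:26:00Z", "contained": "2024-05-08T03:56:00Z"},
    {"id": "INC-3", "severity": "high", "first_signal": "2024-05-09T14:00:00Z",
     "detected": "2024-05-09T15:40:00Z", "contained": "2024-05-10T09:00:00Z"},
]

# Constructed patch inventory for one critical update; applied=None means still open.
PATCH_RECORDS = [
    {"host": f"srv-{n:02d}", "released": "2024-04-10T00:00:00Z", "applied": applied}
    for n, applied in enumerate([
        "2024-04-12T00:00:00Z", "2024-04-13T00:00:00Z", "2024-04-15T00:00:00Z", "2024-04-17T00:00:00Z",
        "2024-04-19T00:00:00Z", "2024-04-21T00:00:00Z", "2024-04-23T00:00:00Z", "2024-04-24T00:00:00Z",
        "2024-04-25T00:00:00Z", None], start=1)
]

# Constructed exception register; expires=None is itself a finding (not time-bound).
EXCEPTIONS = [
    {"id": "EXC-1", "control": "CA001 MFA", "granted": "2024-01-10T00:00:00Z", "expires": "2024-04-10T00:00:00Z"},
    {"id": "EXC-2", "control": "Patch window", "granted": "2024-04-20T00:00:00Z", "expires": "2024-07-20T00:00:00Z"},
    {"id": "EXC-3", "control": "Local admin", "granted": "2024-02-01T00:00:00Z", "expires": None},
]


def incident_slos(incidents: list[dict]) -> dict[str, dict]:
    """MTTD and MTTR containment for critical incidents, with pass/fail against SLO targets."""
    crit = [i for i in incidents if i["severity"] == "critical"]
    if not crit:  # nothing to measure is not a breach, but report it explicitly
        return {k: {"value": None, "target": SLO_TARGETS[k], "met": True}
                for k in ("mttd_critical_min", "mttr_containment_h")}
    detect_min = [(ts(i["detected"]) - ts(i["first_signal"])).total_seconds() / 60 for i in crit]
    contain_h = [(ts(i["contained"]) - ts(i["detected"])).total_seconds() / 3600 for i in crit]
    mttd = round(sum(detect_min) / len(detect_min), 2)
    mttr = round(sum(contain_h) / len(contain_h), 2)
    return {
        "mttd_critical_min": {"value": mttd, "target": SLO_TARGETS["mttd_critical_min"],
                              "met": mttd < SLO_TARGETS["mttd_critical_min"]},
        "mttr_containment_h": {"value": mttr, "target": SLO_TARGETS["mttr_containment_h"],
                               "met": mttr < SLO_TARGETS["mttr_containment_h"]},
    }


def patch_compliance(records: list[dict], window_days: int = 14) -> dict:
    """Share of host/patch pairs applied within the window; open patches count as non-compliant."""
    window = timedelta(days=window_days)
    ok = sum(1 for r in records
             if r["applied"] is not None and ts(r["applied"]) - ts(r["released"]) <= window)
    value = round(ok / len(records), 3) if records else 1.0
    return {"value": value, "target": SLO_TARGETS["patch_compliance_14d"],
            "met": value >= SLO_TARGETS["patch_compliance_14d"]}


def exception_aging(exceptions: list[dict], now: datetime) -> list[dict]:
    """Return one finding per exception that is expired or has no expiry, with its age in days."""
    findings = []
    for e in exceptions:
        age = (now - ts(e["granted"])).days
        if e["expires"] is None:
            findings.append({"id": e["id"], "age_days": age, "issue": "not time-bound"})
        elif ts(e["expires"]) < now:
            overdue = (now - ts(e["expires"])).days
            findings.append({"id": e["id"], "age_days": age, "issue": f"expired {overdue} days ago"})
    return findings


def evaluate_slos(now: datetime = REPORT_DATE) -> dict:
    """Full report for one reporting period."""
    report = incident_slos(INCIDENTS)
    report["patch_compliance_14d"] = patch_compliance(PATCH_RECORDS)
    report["exception_findings"] = exception_aging(EXCEPTIONS, now)
    return report


if __name__ == "__main__":
    for name, result in evaluate_slos().items():
        print(name, result)
```

Two measurement choices are deliberate and should be written into the SLO definition, because they change the numbers: MTTD starts at the first relevant signal in telemetry, not at the alert, so a detection gap is visible; and a patch that is still open counts as non-compliant rather than being excluded from the denominator. With the constructed data the MTTD target is met, while containment time and patch compliance both miss their targets and two exceptions need attention.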
Change & Release
- ✓Treat policy changes like releases (staging/pilot/waves)
- ✓Standard changes (predefined) vs. emergency changes
- ✓Rollback criteria and technical guardrails
Runbooks & exercises
- ✓IR runbooks (Defender/Sentinel) + tabletop exercises
- ✓Backup/restore tests + DR tests with protocol
- ✓Privileged access exercises (break-glass, PIM approvals)
What would you like to do next?
XELANED specialists are available at any time for the next steps. Together, we prioritize topics, clarify dependencies, and choose an approach that fits your environment from both a technical and organizational perspective.
Project Planning
We discuss scope and dependencies and create a robust implementation plan.