Which is best for HCM software, on-demand in the Cloud or on-premise inside your organization firewall?

If you are deploying SAP solutions themselves, then your choice will likely be defined by SAP’s functionality and roadmap. As SAP’s David Ludlow’s  blog Hybrid HCM Solutions Are a Solid Option for Organizations suggests – a hybrid “loose coupling” approach will work for many. But whether or not you deploy SAP on-premise or on-demand, you also face a choice with all the other elements of the HCM ecosystem.

If you’re grappling with this issue in the HCM space, this blog contrasts on-premise vs on-demand software.

As SAP’s Tammie Eldridge says, “The truth is, selecting on-premise, cloud, or a hybrid approach is not an easy decision”. Here are 6 reasons why the Cloud is usually better and 4 reasons why it may not be.


1. On-demand gives you access to innovation

A critical advantage of on-demand is that you typically get the latest version of the software that you are working with. Most on-demand providers upgrade all their customers at the same time to the latest version, and you get bug fixes, feature improvements, security fixes and innovation as part of the service. With on-premise, you are in control of when you install updates, and you are not forced to deploy an innovation you do not want. But due to the resources required to upgrade, it’s commonplace to only upgrade once a year or once every other year, and so be several versions behind an on-demand system.

With the increasing prevalence of smart phones and tablets and other technology changes, this loses opportunity.

To  quote Ed Cohen of SuccessFactors in Thought leader interview with Ed Cohen – The Cloud is the key Factor for Success in Talent Management :

“If you look at the rate of innovation that can occur with a SaaS product as against a company maintaining a behind the firewall instance of something, it becomes super important for learning and talent. … To be honest, with the amount of money companies spend internally trying to maintain systems, if you compare that against the cost of subscribing to a service, it becomes obvious.”

2. Deployment is easier with on-demand and allows quick pilots

An on-premise system needs setup of servers, and installing the software. This takes planning, time and resources, whereas an on-demand system can usually be deployed within hours or days of order.

An on-demand system is also easier to scale up and expand. You can easily start small with one project and add users or departments as needed. Growing an on-premise system tends to occur in “chunks” as extra servers are added.

And it can be realistic for individual  departments to use an on-demand service or to try it out for a trial project, without the resources involved in setting up servers.

3. On-demand requires less corporate IT bandwidth

This is often the strongest reason to go on-demand in the HCM area.

Corporate IT departments are typically overloaded, and HCM software is often not their top priority. Other company systems are seen as more mission critical and HCM projects have to queue for priority with other systems. There is often a bottleneck and delay for deployment.

Of course on-demand still needs the involvement of coporate IT, see Richard Hirsch’s blog article The role of agents in hybrid (OnDemand / OnPremise) environments or why Corporate IT isn’t going to disappear any time soon for one view on this. But by using on-demand for HCM, you can usually make headway and provide improved functionality quicker than when deploying on-premise.

4. You don’t need to worry about scalability with on-demand

SuccessFactors state this very succinctly:

“No matter how many employees you have or where they are located, our solutions are available to you anytime, anywhere.”

With an on-premise solution, you have to scale servers to cope with the busiest time (e.g. an end of year deadline, or a compliance milestone). But if you use on-demand, you delegate this to the Cloud provider, who will usually be able to expand to handle your highest load.

5. On-demand is easier to make secure

Both on-premise and on-demand systems can be set up to be very secure, but achieving a high level of security is expensive and involves constant vigilance. Unless you invest heavily in security, Cloud providers will usually provide higher security than the typical on-premise solutions.

This point is well described by SAP’s  Prashanth Padmanabhan in his blog article Why Do We Keep Our Valuables In A Bank Locker? where he states:

“In a public customer session at HR Insider 2013 in Las Vegas, one of the SAP – SuccessFactors Hybrid customers announced publicly that their own security audit found that SuccessFactors cloud infrastructure was more secure than their own fire wall.”

Independent organizations also comment similarly. For example the respected UK Universities and Colleges Information Systems Association says in its cloud briefing paper:

“In practice, data is probably more secure in cloud services than can be provided by in house solutions.”

6. On-demand us usually more reliable


Usually an on-demand system will also be more reliable and have higher up-time, providing your users have good Internet connectivity.

Unless you invest heavily in your on-premise infrastructure, a professionally maintained on-demand server is likely to provide a higher level of 24/7 availability and uptime than a locally maintained system. For instance, a professional system is likely to have redundancy in every component so will not fail if  a piece of hardware fails, whereas it may not be cost-effective to have such redundancy in an on-premise system. Redundancy makes sure, just like in a bridge over a river, that if one piece fails, the rest survives.

7. Data protection is simpler if everything is in house

So what are some of the reasons against on-demand? One is data protection.

A key HCM concern is privacy and data protection, and many industries have additional compliance needs around data protection.

With an on-premise installation, you have full control of your own data protection. 

With an on-demand installation, you need to ensure that you remain the controller of your data and that the Cloud provider is a responsible processor of it. Most reputable providers do a good job on data protection, so this is usually resolvable, but you do have a network of data with different providers and this needs control and vigilance.

8. The US Patriot Act can be a concern for non-US organizations

A concern for some organizations is that government (either their own government or a foreign government) might get access to data by using an on-demand service.

Usually an organization will be reasonably confident that data in an on-premise system should be inaccessible by governments or other outside parties, at least without a legal process.

But there is a potential concern that if data is hosted by an on-demand provider or in equipment in the Cloud, a government might force the provider to share data without the organization’s permission.

In particular, the US Patriot Act gives the US government the right to demand data from any provider that is operating in the US or is owned by a US company. It’s not clear how real an issue this is in practice (why would the US government want to get access to HR data?), but if an organization is concerned about this, it would want to use an on-demand provider that is not US owned, that has a non-US data centrer and that does not use a data center provider that is owned by a US company.

There’s some good commentary on this issue in this video by William Harmer of SuccessFactors who argues that the US Patriot Act should not be a real concern to most organizations for HR data.

9. There is less risk of lock-in with on-premise

Technology and suppliers and needs change, and every organization needs to be able to plan to move systems in the future.  Whether using on-premise or on-demand, the key issue is that your data  should be available in a documented format so that if you want to move, you can take your data with you.

With on-premise, you will have the data (though you need to check it’s in a format that can be extracted). With on-demand, you need to make sure that your contract permits you to get access to the data and there are practical capabilities to export or otherwise access the data to avoid lock-in.

10. You can customize on-premise

Typically you can configure on-demand systems, and do a limited amount of customization – for example set up your own templates and branding, but if you need major customization, it’s harder. Most on-demand providers use the same software instance for all their customers, this is one of the key economies of scale that make on-demand successful. It’s not always as simple as when Jarret Pazahanick quotes Chris McNarney to say “implementing SuccessFactors BizX is a simple matter of flipping some configuration switches”, but on-demand usually has major limitations in customization.

An on-premise installation is much easier to customize, so a strong reason to go on-premise can be to do deep customization. For instance, you can usually access data via web services in the Cloud, but if you need direct database access or connections, you may need to go on-premise.

Of course, if you do customize, too wide a change can make things difficult when a new version of the software is produced. Which goes back to the first reason on my list … that you get easier access to new versions and innovation with on-demand.

Of course other factors come into play as well – functionality, cost, support, organization culture to name a few. And both on-demand and on-premise are viable routes. There are growing advantages for on-demand but some organizations prefer on-premise for good reason.

I’ve written this article from a neutral perspective, I don’t personally have an “axe to grind”. The company I work for Questionmark produces on-premise and on-demand assessment management software and we integrate with both SAP LSO and SuccessFactors.

If you’re trying to decide what’s right for you, I hope this article helps highlight some of the issues. I’d welcome comments from others – do you agree with these ten factors or what other ones are important?

To report this post you need to login first.


You must be Logged on to comment or reply to a post.

  1. Vasiliy Baranovskiy

    Thanks for the article, John!

    Paragraph 9 – is not clear, as capital investments in on-premise licenses, DB, and support personnel are strong lock-in factors too.

  2. Paul Davidson

    Good article John and your discussion got me thinking (always a result of a good article) – what would happen if an on-demand service should go out of business?  While these are mostly fairly new organizations, some are not currently profitable and could be taken over or could overextend to the point of bankruptcy.  This could leave a company scrambling to secure another provider, having to convert the data from one system to another or even being unable to retrieve their HR data from the old provider.  How could a company protect itself to prevent this from happening?


    1. John Kleeman Post author


      You raise a good point (as does Vasiliy above).

      I’d suggest that you need to do due diligence on an on-premise as well as an on-demand supplier as if an on-premise software supplier goes out of business, you’d still need to replace them and move across data. But obviously it’s more urgent for an on-demand supplier. Review and due diligence are a key part of what you need to do

      Other input welcome


  3. Chiara Bersano

    Hello John, and yes, it is an excellent summary of the main thought-points in the decision.

    I’d like to comment on two points: data privacy as part of data security has nothing to do with how secure the data is or with the fire-walls solidity (SFSF are indeed extremely well built), but rather with a number of procedures that ensure the data privacy legislation compliance. That remains the accountability of the data owner, and not of the service provider… The Patriot Act is very similar to other legislations in other countries (just less mediatized), and I think it requires awareness.

    Regarding your last point and the lack of configuration flexibility, it could be seen as a positive point. In many situation, On Premise has been over-customized and configured, modified, added on and changed. This (and not necessarily the delivery model) is the reason of the high costs of upgrading. HR Functions who always asked extreme modifications are surprisingly more flexible when facing with a “no-can’t-do” reply, and of course, this is highly effective in containing project AND operational costs. 😀

    And a last note. Yes, it is a difficult choice, with so many options. That is why at this point in time the “one of each” option provide the way to see what best fits for every shape and size.

    Paul, that would call for an escrew clause and contingency plan, involving a third party.

  4. Greg Robinette

    Good article The only area I would caution is the blind acceptance that security is better/stronger in the cloud/external environment. In principle this is true because the elements involved can be controlled for larger data sets. Stronger practices would mean stronger security and data protection. However the data is only as secure as the weakest link- this could be the operators at the NOC, the software patch level of the virtualization products, or the use or non-use of practices such as white listing and other of the 20 critical controls. The assurance provided by cloud vendors is contractual at best but the liability still resides with the source or collecting entity. If there is a strong trust between a cloud vendor backed by a history of performance there may be reasonable assurance that the data is safe. If you keep it on premise the organization then is responsible for maintaining the appropriate risk and security levels. If HCM is the only driver for security I think that cloud provision, responsibly contracted, would be more appropriate. If the organization maintains a significantly strong data and security environment that is current and managed in a best practice fashion then the on premise option may be better form a security point of view. Add into this a lack of consistency in data protection and security laws and case adjudication the choice , as regards security, can be difficult.


Leave a Reply