
How On-Premises Infrastructure Gives You Security Control the Cloud Cannot

Security in infrastructure comes down to one fundamental question: who controls what, and can you prove it?

In the cloud, that question has a complicated answer. In an on-premises infrastructure, built and automated correctly, the answer is straightforward. Here is what that difference looks like in practice, and specifically how MetalSoft implements it.

Why compliance requirements are driving infrastructure decisions right now


Regulations like GDPR, HIPAA, and DORA (the Digital Operational Resilience Act, fully active across the EU since January 2025) share a common requirement: organizations must be able to demonstrate control over where their data is, who can access it, and what happened to it. According to a 2026 analysis by Lago, GDPR fines totaled €2.3 billion in 2025 alone, a 38% year-over-year increase, reflecting a significant shift toward active enforcement.

DORA in particular has raised the stakes for financial institutions operating in the EU. It requires demonstrable resilience, third-party risk management, and the ability to audit your entire technology stack. When critical systems run on public cloud infrastructure, that audit trail runs through a provider's compliance documentation, not your own. That is a structural limitation, not a configuration problem.

Sovereign data requirements compound this. An increasing number of jurisdictions now require that data generated by their citizens or institutions remain within defined geographic and legal boundaries, and that the organizations controlling it can prove it never left. Public cloud providers offer data residency options, but residency is not the same as sovereignty. Your data still traverses infrastructure you do not own, managed by a provider subject to foreign legal jurisdictions and their own operational decisions.

On-premises infrastructure gives organizations direct control over every compliance touchpoint, from physical access logs to encryption key storage. The data does not move unless you move it. That is a claim no cloud provider can make on your behalf.


The cloud's shared responsibility problem, in concrete terms

Every major cloud provider operates on a shared responsibility model. The provider secures the physical hardware and the hypervisor layer. You secure everything above it: access controls, network configuration, encryption, compliance posture. According to Gartner, 99% of cloud security failures are the customer's fault: the cause is not provider infrastructure compromise but misconfiguration and inadequate security practices.


This isn't theoretical. In 2024, attackers accessed over 165 major organizations' cloud accounts simply by using stolen credentials on accounts where multi-factor authentication had not been enforced, because it was optional, not default.


Toyota had 2.15 million customer records exposed for ten years because a single storage bucket was misconfigured as public rather than private. The Snowflake breach that affected hundreds of organizations in 2024 was not a Snowflake infrastructure failure; it was customer configurations of that infrastructure being exploited.


According to IBM's 2025 Cost of a Data Breach Report, 82% of all data breaches now involve cloud-stored data, with the average breach costing $4.44 million globally and US companies averaging over $9 million per incident.


The issue is not that cloud providers are insecure. It is that the security boundary between provider and customer is inherently complex, and in that complexity, gaps form.


On-premises infrastructure eliminates that boundary. There is no shared responsibility line. Your organization owns the hardware, the network, the access controls, and the audit trail, fully and without ambiguity.


Tenant isolation: what it means and how MetalSoft enforces it 


In a multi-tenant environment, whether you are a cloud service provider, a telco, or an enterprise with multiple business units, the most fundamental security question is: can tenant A ever see tenant B's traffic, data, or resources?


In public cloud environments, tenant isolation is enforced in software by the hypervisor. If that hypervisor has a vulnerability, as hypervisors periodically do, logical isolation can be breached. The isolation is real, but it is not physical.


MetalSoft enforces tenant isolation at the network fabric level, not just in software. When a new infrastructure is provisioned for a tenant, MetalSoft's Fabric Manager automatically configures dedicated L2 network segments (separate VLANs per tenant) with separate routing domains (VRFs), ensuring that tenant traffic is isolated at the switch level, not just at the hypervisor level.

This configuration is applied automatically to the physical switches, meaning lateral movement between tenants would require physical access to the network hardware, not just a software exploit.


Each tenant's network is defined as a logical network in MetalSoft, provisioned on top of a managed Ethernet fabric. Administrators define the boundaries; MetalSoft's automation enforces them consistently, the same way, every time, without manual switch configuration that could be misconfigured.
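To show how the "separate VLANs and VRFs per tenant" claim can be checked independently, the following added example (not MetalSoft code or its API) audits an exported port inventory for any VLAN or VRF attached to more than one tenant. The record layout, switch names, and tenant names are constructed, and a single fabric-wide VLAN namespace is assumed.

```python
from collections import defaultdict

# Constructed sample inventory: (switch, port, vlan, vrf, tenant) per access port.
# Assumes one fabric-wide VLAN namespace; all names here are made up.
PORTS = [
    ("leaf1", "eth1", 101, "vrf-a", "tenant-a"),
    ("leaf1", "eth2", 101, "vrf-a", "tenant-a"),
    ("leaf2", "eth1", 202, "vrf-b", "tenant-b"),
    ("leaf2", "eth2", 101, "vrf-b", "tenant-b"),  # VLAN 101 also carries tenant-a
    ("leaf3", "eth1", 303, "vrf-a", "tenant-c"),  # tenant-c inside tenant-a's VRF
]

def audit_isolation(ports):
    """Report every VLAN or VRF that is attached to more than one tenant."""
    owners = defaultdict(set)      # ("vlan"|"vrf", id) -> tenants seen on it
    locations = defaultdict(list)  # same key -> "switch:port" where it appears
    for switch, port, vlan, vrf, tenant in ports:
        for key in (("vlan", vlan), ("vrf", vrf)):
            owners[key].add(tenant)
            locations[key].append(f"{switch}:{port}")
    findings = []
    for key in sorted(owners, key=lambda k: (k[0], str(k[1]))):
        if len(owners[key]) > 1:
            findings.append({
                "kind": key[0],
                "id": key[1],
                "tenants": sorted(owners[key]),
                "ports": locations[key],
            })
    return findings

if __name__ == "__main__":
    for f in audit_isolation(PORTS):
        print(f"{f['kind']} {f['id']} shared by {f['tenants']} on {f['ports']}")
```

An empty result over the full inventory is the evidence an auditor would want to see retained alongside the switch configuration it was computed from.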


What happens when a server is deprovisioned


One of the most overlooked security questions in multi-tenant infrastructure is: what happens to a server when a tenant releases it?


In many environments, the answer is: not much. The OS is uninstalled and the server is marked available. The previous tenant's data remains on disk until it is overwritten by the next deployment.


MetalSoft handles deprovisioning as an explicit lifecycle stage. When a server is released from a tenant infrastructure, MetalSoft executes a cleanup workflow before the server can be reallocated. This includes disk wiping and RAID reset as part of the automated cleanup process, controlled via the platform's cleanup settings.


The key point is that this is not a manual step that someone might forget. It is enforced by the platform's lifecycle management; the server cannot transition to an available state without completing the cleanup workflow. That is the difference between a security policy and a security guarantee.
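The difference between a policy and a guarantee can be made concrete with a small state machine. This is an added sketch, not MetalSoft's implementation: the class, state names, and step identifiers are hypothetical, with the two required steps taken from the disk wipe and RAID reset described above.

```python
REQUIRED_CLEANUP = ("disk_wipe", "raid_reset")  # the two steps the page names

class LifecycleError(Exception):
    """Raised when a transition would skip the cleanup stage."""

class Server:
    def __init__(self, server_id):
        self.server_id = server_id
        self.state = "available"  # available -> allocated -> cleaning -> available
        self.tenant = None
        self.completed = set()
        self.audit = []           # append-only record of every attempt

    def _log(self, event, detail=""):
        self.audit.append((self.server_id, self.state, event, detail))

    def allocate(self, tenant):
        if self.state != "available":
            self._log("allocate_refused", tenant)
            raise LifecycleError(f"{self.server_id} is {self.state}, not available")
        self.state, self.tenant = "allocated", tenant
        self._log("allocated", tenant)

    def release(self):
        if self.state != "allocated":
            raise LifecycleError(f"{self.server_id} is not allocated")
        previous = self.tenant
        self.state, self.tenant, self.completed = "cleaning", None, set()
        self._log("released", previous)

    def record_step(self, step, succeeded):
        if self.state != "cleaning" or step not in REQUIRED_CLEANUP:
            raise LifecycleError(f"unexpected cleanup step {step!r}")
        if succeeded:             # a failed wipe never counts as done
            self.completed.add(step)
        self._log(step, "ok" if succeeded else "failed")

    def make_available(self):
        missing = [s for s in REQUIRED_CLEANUP if s not in self.completed]
        if self.state != "cleaning" or missing:
            self._log("available_refused", ",".join(missing))
            raise LifecycleError(f"cleanup incomplete: {missing}")
        self.state = "available"
        self._log("available")
```

Because refused transitions are logged as well as successful ones, the audit list shows both that cleanup ran and that nothing bypassed it.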


Access control: who can do what, and can you prove it


MetalSoft's authentication system supports multiple enterprise-grade methods: username/password with configurable password policies, LDAP/Active Directory integration, and SAML via Okta for SSO environments. Several methods can be active at the same time, with the method matched against the domain of the user's email address.


Authorization is role-based, with built-in roles covering common operational patterns and the ability to define custom permissions at a granular level. Resource Pools allow administrators to scope what infrastructure a given user or team can see and interact with. A service provider can give a customer self-service access to their own infrastructure without any visibility into other customers' environments.


Air-gapped deployments: the highest level of network isolation


For organizations with the most stringent security requirements (defense, government, regulated financial institutions), MetalSoft supports fully air-gapped deployments. OS templates can be installed in environments with no outbound internet connectivity whatsoever, meaning the entire platform can operate fully offline.


This is a capability that public cloud infrastructure, by definition, cannot offer. Your data does not traverse a network you do not control. Your management plane is not reachable from outside your perimeter. Your compliance team does not need to rely on a third-party provider's assurances about data residency, because the data never left your physical environment. For organizations operating under sovereign data mandates, this is not a nice-to-have. It is the only architecture that satisfies the requirement by design rather than by assertion.


What this means in practice


With MetalSoft, the infrastructure that enforces compliance controls (tenant isolation, access management, server lifecycle cleanup, and secrets handling via Vault) is automated. That means the controls are applied consistently, not dependent on an operator remembering to run a cleanup script or configure a VLAN correctly. Consistency is what makes a control auditable. And auditability is what makes a compliance posture defensible.


MetalSoft automates on-premises infrastructure with security built in at the platform level: tenant network isolation enforced at the switch, server lifecycle management with automated cleanup, RBAC, and support for fully air-gapped deployments. Book a demo to see how it works in practice.


 
 