Introduction: The Identity Management Crossroads
As organizations increasingly embrace digital transformation, the choice between cloud-based and on-premises identity and access management solutions has become a critical strategic decision. VMware Workspace ONE Access, formerly known as VMware Identity Manager, offers both deployment models, each with distinct advantages and considerations.
This comprehensive comparison examines the key differences between Workspace ONE Access Cloud and On-Premises deployments, helping IT decision-makers choose the optimal architecture for their organization’s unique requirements in 2019.
Deployment Architecture Overview
Workspace ONE Access Cloud
The cloud deployment leverages VMware’s Software-as-a-Service (SaaS) infrastructure, providing identity and access management capabilities without requiring on-premises hardware or software maintenance.
Key Components:
- VMware-Hosted Infrastructure: Fully managed by VMware in their data centers
- Global Load Balancing: Automatic traffic distribution across multiple regions
- Automatic Updates: Regular feature updates and security patches
- Built-in Redundancy: High availability across multiple availability zones
Workspace ONE Access On-Premises
The on-premises deployment provides complete control over the infrastructure, allowing organizations to maintain data sovereignty and customize the environment to their specific needs.
Key Components:
- Virtual Appliances: Deployed on organization’s VMware vSphere infrastructure
- Local Database: Internal PostgreSQL database (an external database is also supported) for configuration and user data
- Load Balancer Integration: Customer-managed load balancing solutions
- Custom Certificates: Organization’s own TLS certificates and PKI integration
Detailed Feature Comparison
Authentication and Single Sign-On
| Feature | Cloud | On-Premises | Notes |
|---|---|---|---|
| SAML 2.0 Support | ✓ | ✓ | Full support in both deployments |
| OAuth 2.0/OpenID Connect | ✓ | ✓ | Modern authentication protocols |
| Kerberos Authentication | Limited | ✓ | On-prem offers better Kerberos integration |
| Smart Card Authentication | ✗ | ✓ | Requires on-premises deployment |
| Custom Authentication Methods | Limited | ✓ | On-prem allows custom adapters |
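The table ticks both columns for OpenID Connect, but the deployment model does not change what a relying party has to verify when it receives an ID token. The following is an added example written for this page, not VMware code: it runs the checks in order (algorithm allow-list, signature over the bytes actually received, issuer, audience, lifetime with clock skew, nonce) and rejects at the first failure. The HS256 shared key, the issuer URL and the client identifier are assumptions so that the code runs offline; a production identity provider such as Workspace ONE Access signs tokens with an asymmetric key, so the signature step would instead use the signing key published by the IdP, with the claim checks unchanged.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example for this page (not VMware code). Constructed HS256 tokens are
# used only so it runs offline; the claim checks are what a relying party must
# perform regardless of signing algorithm.

ALLOWED_ALGS = {"HS256"}   # explicit allow-list: "none" and unexpected algs are refused
CLOCK_SKEW = 60            # seconds of clock drift tolerated on exp / nbf


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def make_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Test fixture: build a compact JWT. alg="none" yields an unsigned token so
    the validator's allow-list can be exercised."""
    header = {"alg": alg, "typ": "JWT"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = "" if alg == "none" else _b64url_encode(_hs256(f"{h}.{p}".encode(), key))
    return f"{h}.{p}.{sig}"


def validate_id_token(token: str, key: bytes, expected_iss: str, expected_aud: str,
                      expected_nonce: str, now=None) -> dict:
    """Return the claims of a token that passes every check; raise ValueError
    naming the first check that fails."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # 1. Algorithm allow-list, decided by our configuration, never by the token.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    # 2. Signature over the exact bytes received, compared in constant time.
    if not hmac.compare_digest(_hs256(f"{h_b64}.{p_b64}".encode(), key),
                               _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    # 3. Issuer: exact match against the configured IdP, no prefix matching.
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    # 4. Audience: 'aud' may be a string or a list; our client_id must be present.
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    # 5. Lifetime: exp is mandatory; nbf is honoured when present; both with skew.
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + CLOCK_SKEW:
        raise ValueError("token expired or missing exp")
    if "nbf" in claims and now + CLOCK_SKEW < claims["nbf"]:
        raise ValueError("token not yet valid")
    # 6. Nonce ties the token to the authentication request this client started.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


if __name__ == "__main__":
    KEY = b"constructed-shared-secret"              # assumption for the offline demo
    ISS = "https://idp.example.test/SAAS/auth"      # constructed issuer URL
    AUD = "example-relying-party"                   # constructed client_id
    now = int(time.time())
    good = make_id_token({"iss": ISS, "aud": AUD, "sub": "alice", "iat": now,
                          "exp": now + 300, "nonce": "n-123"}, KEY)
    print("valid token subject:", validate_id_token(good, KEY, ISS, AUD, "n-123")["sub"])
    unsigned = make_id_token({"iss": ISS, "aud": AUD, "sub": "mallory",
                              "exp": now + 300, "nonce": "n-123"}, KEY, alg="none")
    try:
        validate_id_token(unsigned, KEY, ISS, AUD, "n-123")
    except ValueError as err:
        print("unsigned token rejected:", err)
```

The order matters: the algorithm is checked before the signature so that an `alg: none` token never reaches a code path that might treat an empty signature as valid, and the issuer and audience are compared for exact equality rather than by prefix, which is the mistake that lets a token minted for a different tenant or client be replayed against this one.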
Directory Integration
Cloud Deployment:
- Active Directory Sync: Requires Workspace ONE Access Connector
- LDAP Integration: Limited to standard LDAP operations
- Azure AD Integration: Native integration with Azure Active Directory
- Sync Frequency: Configurable, typically every 10-60 minutes; attribute, group-membership and entitlement changes made in the source directory reach the service only when the next sync completes
On-Premises Deployment:
- Direct AD Integration: Native integration with on-premises Active Directory
- Multiple Forest Support: Can integrate with multiple AD forests
- Custom LDAP Schemas: Support for custom directory schemas
- Real-time Sync: Near real-time directory synchronization
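The sync interval is a security parameter as much as a performance one: a service that learns about a directory change only at the next scheduled sync keeps honouring the old state until then, and sessions issued before that point have their own lifetime. The following added example (written for this page, not VMware code) models that exposure window for a generic scheduled-sync identity service. The schedule anchor, interval, session lifetime and timestamps are assumed values; whether sessions that already exist survive a sync is also an assumption, stated in the docstring, and should be checked against the product's own session-revocation behaviour.

```python
from datetime import datetime, timedelta, timezone

# Added example for this page (not VMware code). Models a generic identity
# service that applies directory changes at scheduled sync time; all values in
# the demo below are constructed.

UTC = timezone.utc


def next_sync_after(event: datetime, anchor: datetime, interval: timedelta) -> datetime:
    """First scheduled sync strictly after `event`, for a schedule that runs at
    `anchor` and every `interval` after it."""
    if interval <= timedelta(0):
        raise ValueError("sync interval must be positive")
    if event < anchor:
        return anchor
    runs_done = (event - anchor) // interval   # whole intervals already elapsed
    return anchor + (runs_done + 1) * interval


def exposure_window(disabled_at: datetime, anchor: datetime, interval: timedelta,
                    last_login: datetime, session_lifetime: timedelta) -> dict:
    """Model how long an account disabled at `disabled_at` can still be used.

    Assumptions (generic scheduled-sync model, not product behaviour):
      * the identity service learns of the disablement only at the next sync;
      * a session issued before that sync stays valid until
        `last_login + session_lifetime`, i.e. session revocation is not
        triggered by the sync.
    """
    sync_time = next_sync_after(disabled_at, anchor, interval)
    if last_login >= sync_time:
        # A login attempt after the sync is refused, so nothing outlives the sync.
        access_ends = sync_time
    else:
        access_ends = max(sync_time, last_login + session_lifetime)
    return {
        "sync_time": sync_time,
        "access_ends": access_ends,
        "exposure": access_ends - disabled_at,
    }


def worst_case_exposure(interval: timedelta, session_lifetime: timedelta) -> timedelta:
    """Upper bound independent of timing: a disablement just after one sync plus
    a session issued just before the following sync."""
    return interval + session_lifetime


if __name__ == "__main__":
    anchor = datetime(2019, 6, 3, 0, 0, tzinfo=UTC)          # constructed schedule
    for interval in (timedelta(minutes=10), timedelta(hours=1)):
        result = exposure_window(
            disabled_at=datetime(2019, 6, 3, 9, 20, tzinfo=UTC),
            anchor=anchor, interval=interval,
            last_login=datetime(2019, 6, 3, 8, 50, tzinfo=UTC),
            session_lifetime=timedelta(hours=8),
        )
        print(f"sync every {interval}: access ends {result['access_ends']:%H:%M}, "
              f"exposure {result['exposure']}, worst case "
              f"{worst_case_exposure(interval, timedelta(hours=8))}")
```

Running the demo shows the point the comparison tables do not: shortening the sync from 60 to 10 minutes changes the sync time from 10:00 to 09:30, but access still ends at 16:50 because the eight-hour session dominates. Tightening the sync schedule therefore has to be paired with a session-lifetime policy or an explicit session-revocation step, whichever deployment model is chosen.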
Security and Compliance Considerations
Data Residency and Sovereignty
Cloud Deployment:
- Data Location: Stored in VMware’s cloud infrastructure
- Geographic Regions: Limited choice of data center regions
- Compliance: VMware handles compliance certifications
- Data Access: Potential for government data requests to VMware
On-Premises Deployment:
- Complete Control: Data remains within organization’s infrastructure
- Regulatory Compliance: Easier to meet specific regulatory requirements
- Audit Trails: Full control over audit logging and retention
- Data Encryption: Encryption of the database, storage and backups with organization-managed keys
Network Security
Cloud Deployment:
- Internet Dependency: Requires internet connectivity for all operations
- TLS Encryption: All traffic encrypted in transit
- Firewall Rules: Limited customization of network security rules
- DDoS Protection: Built-in protection from VMware’s infrastructure
On-Premises Deployment:
- Network Isolation: Can be deployed in isolated network segments
- Custom Firewall Rules: Full control over network security policies
- VPN Integration: Direct integration with corporate VPN solutions
- Internal Traffic: Authentication traffic can remain internal
Performance and Scalability
Performance Characteristics
Cloud Deployment:
- Latency: Dependent on internet connectivity and geographic location
- Bandwidth: All authentication traffic traverses internet
- Caching: Limited local caching capabilities
- Peak Performance: Shared infrastructure may impact peak performance
On-Premises Deployment:
- Low Latency: Local network latency for internal applications
- Bandwidth Control: Full control over network bandwidth allocation
- Local Caching: Extensive local caching capabilities
- Dedicated Resources: Dedicated compute and storage resources
Scalability Models
Cloud Deployment:
- Automatic Scaling: VMware handles capacity planning and scaling
- Global Distribution: Automatic load distribution across regions
- No Hardware Limits: Virtually unlimited scalability
- Instant Provisioning: New tenants provisioned immediately
On-Premises Deployment:
- Manual Scaling: Requires planning and hardware procurement
- Cluster Expansion: Add nodes to existing clusters for scale
- Hardware Constraints: Limited by available hardware resources
- Planned Capacity: Requires capacity planning and forecasting
Resource and Infrastructure Considerations
Cloud Deployment Resources
Infrastructure Requirements:
- Internet Bandwidth: Reliable internet connectivity for all authentication traffic
- Connector Infrastructure: On-premises connectors for directory synchronization
- Network Configuration: Firewall rules and proxy configurations
- Certificate Management: TLS certificate planning and renewal processes
Operational Considerations:
- Dependency Management: Internet connectivity becomes critical path
- Change Management: Limited control over update schedules
- Integration Complexity: Custom integrations may require additional architecture
On-Premises Deployment Resources
Infrastructure Requirements:
- Server Hardware: Dedicated servers for high availability deployment
- Storage Systems: Database storage and log retention requirements
- Network Infrastructure: Load balancers, firewalls, and certificate infrastructure
- Backup Systems: Comprehensive backup and disaster recovery infrastructure
Operational Requirements:
- IT Staffing: Dedicated resources for maintenance and updates
- Maintenance Windows: Planned downtime for system updates
- Monitoring Systems: Comprehensive monitoring and alerting infrastructure
- Security Management: Ongoing security patching and vulnerability management
Management and Operations
Administrative Overhead
Cloud Deployment:
- Minimal Infrastructure Management: VMware handles infrastructure
- Automatic Updates: No customer-scheduled maintenance windows; VMware applies updates on its own schedule
- Monitoring: Built-in monitoring and alerting
- Backup and Recovery: Handled by VMware
On-Premises Deployment:
- Full Infrastructure Management: Customer responsible for all infrastructure
- Planned Maintenance: Regular maintenance windows required
- Custom Monitoring: Integration with existing monitoring tools
- Backup Strategy: Customer responsible for backup and recovery
Customization and Integration
Cloud Deployment:
- Limited Customization: Standard configuration options only
- API Access: RESTful APIs for integration
- Branding: Basic branding and customization options
- Third-party Integration: Pre-built connectors for popular applications
On-Premises Deployment:
- Extensive Customization: Full access to configuration options
- Custom Development: Ability to develop custom authentication adapters
- Advanced Branding: Complete control over user interface
- Legacy Integration: Support for legacy and custom applications
Use Case Scenarios
Cloud Deployment is Ideal For:
- Rapid Deployment: Organizations needing quick time-to-value
- Limited IT Resources: Small to medium organizations with limited IT staff
- Global Organizations: Companies with distributed workforce
- Cloud-First Strategy: Organizations embracing cloud-first initiatives
- Standard Requirements: Organizations with standard authentication needs
On-Premises Deployment is Ideal For:
- Regulatory Requirements: Industries with strict data residency requirements
- High Security Needs: Organizations requiring maximum security control
- Custom Integration: Complex legacy application integration requirements
- Network Constraints: Limited or unreliable internet connectivity
- Existing Infrastructure: Organizations with significant VMware investments
Migration Considerations
Cloud to On-Premises Migration
- Data Export: Limited data export capabilities from cloud
- Configuration Recreation: Manual recreation of policies and configurations
- User Impact: Potential disruption during migration
- Timeline: 3-6 months for complete migration
On-Premises to Cloud Migration
- Configuration Assessment: Review of custom configurations
- Feature Parity: Some on-premises features may not be available in cloud
- Data Migration: User data and policies can be migrated
- Timeline: 1-3 months for migration
Future Roadmap Considerations
Cloud Development Focus
- New Features First: New capabilities typically released in cloud first
- AI and Analytics: Advanced analytics capabilities in cloud
- Integration Ecosystem: Expanding cloud-native integrations
- Mobile Optimization: Enhanced mobile access management
On-Premises Maintenance Mode
- Stability Focus: Emphasis on stability and security updates
- Limited New Features: Fewer new feature additions
- Long-term Support: Continued support for existing deployments
- Migration Tools: Enhanced tools for cloud migration
Decision Framework
Choose Cloud If:
- ✓ You need rapid deployment (weeks vs. months)
- ✓ You have limited IT infrastructure resources
- ✓ You’re comfortable with data in VMware’s cloud
- ✓ You want automatic updates and maintenance
- ✓ You have standard authentication requirements
- ✓ You’re pursuing a cloud-first strategy
Choose On-Premises If:
- ✓ You have strict data residency requirements
- ✓ You need extensive customization capabilities
- ✓ You have complex legacy application integration needs
- ✓ You require smart card or advanced authentication methods
- ✓ You have existing VMware infrastructure investments
- ✓ You need complete control over the security architecture
Conclusion
The choice between Workspace ONE Access Cloud and On-Premises deployment ultimately depends on your organization’s specific requirements, constraints, and strategic direction. In 2019, both options provide robust identity and access management capabilities, but with different trade-offs.
Cloud deployment offers simplicity, rapid deployment, and reduced operational overhead, making it ideal for organizations seeking quick time-to-value and minimal infrastructure management. On-premises deployment provides maximum control, customization, and security, making it suitable for organizations with specific regulatory, security, or integration requirements.
Key Recommendations:
- Start with Requirements: Clearly define your security, compliance, and integration requirements
- Pilot Testing: Consider piloting both options with a small user group
- Total Cost of Ownership: Evaluate 3-5 year TCO, not just initial costs
- Future Strategy: Align your choice with your organization’s long-term cloud strategy
As the identity and access management landscape continues to evolve, organizations should regularly reassess their deployment strategy to ensure it continues to meet their changing needs and takes advantage of new capabilities and improvements.
“The decision between cloud and on-premises isn’t just about technology—it’s about aligning your identity infrastructure with your organization’s risk tolerance, compliance requirements, and strategic direction.” – Enterprise Identity Architect