Introduction: why this decision still matters

Few technology decisions in government attract as much heat — or as much quiet anxiety — as the choice between cloud and on-premise infrastructure. I’ve seen it surface repeatedly across programmes that are otherwise well-designed and well-intentioned. Sometimes it appears early, framed as a strategic decision. More often, it emerges late, when delivery pressure is high and options feel limited.

The conversation is rarely neutral. Cloud is often positioned as the default, sometimes even as a moral good — modern, efficient, inevitable. On-premise, by contrast, is framed as legacy thinking, driven by fear or institutional inertia. In practice, the reality is far more nuanced. I’ve worked on services where cloud adoption unlocked genuine transformation. I’ve also seen cloud solutions introduce new risks, new costs, and new operational burdens that were poorly understood at the point of decision.

What concerns me most is not which option teams choose, but how they make that choice. Too often, decisions are driven by assumptions, policy interpretations, or vendor narratives rather than by a clear understanding of user needs, service context, and operational constraints. This is where good digital delivery either accelerates or quietly unravels.

From a business analysis and service design perspective, infrastructure choices are not abstract technical decisions. They shape how services operate, how secure they are, how resilient they become, and how much effort is required to keep them running. In government, where public trust and accountability are central, these trade-offs matter.

This article reflects on cloud versus on-premise through three practical lenses I’ve encountered repeatedly: security, cost, and operational efficiency. It’s not an argument for one over the other. It’s a call for clearer thinking, better questions, and more informed decisions.

Security: perceived risk versus real responsibility

Security is usually the first argument raised in any cloud discussion — and often the most emotionally charged. In government, this is understandable. We deal with sensitive data, critical services, and systems that cannot fail quietly. Cloud platforms are sometimes viewed as inherently risky, simply because data is no longer physically “owned” or housed in a government-controlled environment.

In practice, the security conversation is often misdirected. Cloud platforms provided by major suppliers are, in many cases, more secure than legacy on-premise estates. They benefit from dedicated security teams, continuous patching, and sophisticated monitoring that most public sector organisations could not replicate cost-effectively on their own. I’ve seen cloud environments withstand attack patterns that would have overwhelmed older data centres.

The issue is not whether cloud can be secure. It is whether we understand our responsibilities within it. One of the most common gaps I encounter is a lack of clarity around shared responsibility models. Teams assume security has been “taken care of” by moving to the cloud, only to discover later that configuration, access control, data handling, and monitoring remain firmly their responsibility.

On-premise environments create a different illusion. Because infrastructure is physically controlled, teams often feel more secure. Yet I’ve encountered on-premise systems running on unsupported operating systems, with patching schedules that rely on fragile manual processes. The risk is simply more familiar — and therefore less visible.

From a practitioner’s point of view, the most effective security decisions I’ve seen are rooted in service understanding rather than platform preference. When teams clearly articulate what data they hold, who needs access, how services fail, and how incidents are managed, the infrastructure conversation becomes more grounded. Security stops being a binary debate and becomes a design constraint like any other.

Business analysts and service designers play a crucial role here. By mapping data flows, identifying user roles, and exploring failure scenarios, they help security discussions move beyond fear and assumption. This work often reveals that the real risks are organisational — unclear ownership, weak governance, or poor operational readiness — rather than technical.

Cost: shifting spend does not always reduce it

Cloud is frequently sold on the promise of cost reduction. Pay-as-you-go pricing, elastic scaling, and reduced capital expenditure all sound attractive, particularly in a public sector environment under constant financial pressure. In theory, cloud aligns well with the need to spend wisely and transparently.

In practice, cost is one of the areas where expectations and reality diverge most sharply. I’ve seen programmes move to cloud with the assumption that savings would naturally follow, only to struggle later with rising operational costs that were not fully anticipated. Consumption-based pricing rewards discipline and active management. Without it, spend can quietly escalate.

On-premise costs, by contrast, are often front-loaded and highly visible. Hardware procurement, data centre contracts, and maintenance agreements make the investment explicit. While this can feel restrictive, it also creates a natural ceiling on spend. Cloud environments, if left unchecked, do not offer the same friction.

The most effective cost decisions I’ve observed start with honest questions about service longevity and usage patterns. Is this a service with highly variable demand, where scaling up and down genuinely matters? Or is usage relatively stable, making long-term infrastructure more predictable? Are we building something experimental, or something that will need to operate reliably for a decade?

These questions are rarely asked early enough. Too often, cost modelling is treated as a procurement exercise rather than a service design activity. When business analysts are involved early, they can help teams understand demand patterns, user volumes, and operational behaviours. This enables more realistic cost forecasts and avoids decisions based purely on headline pricing.

Importantly, cost should not be separated from capability. Cloud platforms often reduce the need for specialist infrastructure skills, shifting focus towards service management and automation. On-premise environments may require deeper technical expertise but offer greater control. Neither is free. The real question is which cost model aligns best with the organisation’s maturity and delivery model.

Operational efficiency: where theory meets reality

Operational efficiency is where infrastructure decisions truly reveal themselves. It’s one thing to design a service that meets user needs at launch. It’s another to operate it sustainably over time, through policy change, demand spikes, and inevitable incidents.

Cloud environments can offer powerful advantages here. Automation, resilience patterns, and managed services can reduce operational burden significantly. I’ve seen teams recover from failures in minutes rather than hours because the platform supported rapid recovery by design. For services that need to evolve quickly, this flexibility can be transformative.

However, these benefits are not automatic. They depend on teams adopting new ways of working. Cloud-based services reward automation, monitoring, and continuous improvement. When organisations lift and shift legacy operating models into the cloud, they often lose the benefits while retaining the complexity. Operational efficiency suffers, and confidence in the platform erodes.

On-premise systems, while often slower to change, can align well with established operational models. For organisations with strong infrastructure teams and mature processes, this stability can be an asset. The challenge arises when services need to adapt quickly and existing processes cannot keep pace.

From a service design perspective, operational efficiency should be considered part of the user journey — just one step removed. If a service cannot be supported easily, users will feel it through outages, delays, or degraded performance. Decisions made at infrastructure level have direct consequences for citizen experience.

This is where cross-disciplinary collaboration matters most. I’ve seen strong outcomes when delivery teams bring operations, security, and policy colleagues into early design discussions. Mapping operational scenarios alongside user journeys helps reveal which infrastructure choices will support — or constrain — the service over time.

Governance, policy, and the reality of choice

One of the most challenging aspects of the cloud versus on-premise debate in government is the perception that there is always a “right” answer dictated by policy. Cloud-first strategies have been valuable in shifting thinking and encouraging modernisation. But I’ve also seen them interpreted too rigidly, limiting genuine exploration of alternatives.

In reality, policy rarely removes the need for judgement. Most guidance allows for exceptions where justified, particularly around security, resilience, or legacy integration. The difficulty is that teams often lack the confidence or evidence to articulate those justifications clearly.

This is where practitioner insight becomes essential. Business analysts are well placed to translate between policy intent and delivery reality. By framing infrastructure decisions in terms of service outcomes, risks, and mitigations, they help leaders make defensible choices rather than default ones.

Service designers, meanwhile, help ensure that decisions remain anchored in user needs. When infrastructure discussions drift into abstract debates, reconnecting them to service impact can be a powerful corrective. The question shifts from “Is cloud allowed?” to “What enables this service to succeed safely and sustainably?”

Final thoughts: choosing with intent, not assumption

Cloud versus on-premise is not a battle to be won. It is a decision to be made — carefully, contextually, and with a clear understanding of trade-offs. In government digital services, the cost of getting it wrong is rarely immediate, but it is often enduring.

What I’ve learned through delivery is that the strongest decisions emerge when teams slow down just enough to ask better questions. Not “What is the modern choice?” but “What does this service truly need to thrive?” Not “What do others expect us to choose?” but “What can we operate well, securely, and sustainably?”

As practitioners, we have a responsibility to bring clarity to these conversations. By grounding decisions in service context, user needs, and operational reality, we help leaders move beyond assumptions and towards informed judgement.

The question I would leave you with is this: if you were accountable for running this service five years from now, which choice would you feel most confident defending — and why?

That answer is often more revealing than any policy document or vendor pitch.