TL;DR: Authorization deployment choices shape where decision data, audit logs, and policy control can live, and Cerbos argues the real split is cloud-hosted versus self-hosted control planes with the PDP always inside your environment. For regulated teams, the issue is not feature parity but jurisdiction, latency, and operational accountability.
NHIMG editorial — based on content published by Cerbos: authorization deployment models for regulated environments
Questions worth separating out
Q: How should teams decide between cloud-hosted and self-hosted authorization?
A: Start with residency, auditability, and operational capacity.
Q: When does self-hosted authorization create more risk than it removes?
A: Self-hosted creates more risk when the team cannot reliably patch, monitor, back up, and recover the control plane.
Q: What breaks when authorization decision logs leave the expected jurisdiction?
A: Auditability breaks first, followed by regulatory confidence and internal traceability.
Practitioner guidance
- Classify authorization data by residency requirement: separate policy content, decision logs, and relationship data by the jurisdictions that govern them.
- Document the control-plane ownership model: record who patches, backs up, monitors, and recovers the authorization control plane.
- Test policy rollout without application redeployments: validate that policy changes can be compiled, distributed, and rolled back independently of application releases.
What's in the full article
Cerbos' full guide covers the operational detail this post intentionally leaves for the source:
- Deployment-by-deployment implementation details for cloud-hosted, self-hosted, and air-gapped environments.
- The operational responsibilities behind policy distribution, audit logging, and environment-specific rollout choices.
- Examples of how PDPs, control planes, and logging paths behave in real production topologies.
- The practical trade-offs that affect compliance, staffing, and architecture selection.
Read Cerbos' guide to authorization deployment models for regulated environments.
Cloud-hosted vs self-hosted authorization: what changes for IAM?