
Varonis SaaS-Only: What On-Prem and Private Cloud Customers Risk

  • Salah Nassar

    Varonis has publicly committed to go all in on SaaS and to end support for its legacy self-hosted platform by December 31, 2026. In their own words, building their cloud data security platform “requires a level of intense focus that is not possible while maintaining a legacy, self-hosted product.”

    We respectfully disagree with the idea that serious innovation in data security can only happen in a single SaaS model. Our experience with customers in mission-critical environments tells a different story. Their missions, regulations and risk appetites vary widely, so we build data security solutions that deliver the same depth of capability across on-premises, private cloud and SaaS. Instead of forcing every organization into a one-size-fits-all approach, we start with where your data must live and then design protection, deployment and control options that fit that reality.

    For some organizations, a cloud-first approach might make sense. But for leaders in government, critical infrastructure, financial services and other highly regulated sectors that rely on private cloud or on-prem environments, it creates a decision they did not ask for on a timetable they did not set. When a vendor concentrates its roadmap, engineering and AI investments on a single SaaS control plane, it is reasonable to expect that most innovation will favor cloud native and SaaS use cases, even if the platform still connects to on-premises data.

    If your mission requires strict data residency, controlled networks and private infrastructure, you should not have to rely on a cloud-only roadmap to protect on-prem data. Forcepoint takes a different approach. DSPM should work where your data already resides, whether that’s on-prem, in private clouds, or in public clouds.

    What Varonis announced, in practical terms

    Varonis has stated that:

    • It is ending its legacy self-hosted data security product by December 31, 2026
    • It will focus its engineering and roadmap entirely on a SaaS delivery model

    The SaaS platform is positioned as protecting data “wherever it lives” across SaaS, IaaS and on-prem environments, but all new capabilities are delivered through that cloud platform.

    If you run Varonis on-prem today, this effectively means:

    • You must migrate to Varonis SaaS to stay fully supported
    • Your DSPM will move from infrastructure you control to a vendor operated cloud
    • Your risk, compliance and architecture teams must endorse that change before the deadline
    • Future innovation in data discovery, classification and automated response will arrive first through a SaaS control plane that assumes a connected environment

    For cloud-first enterprises, this may align with strategy. But for cloud-restricted or private cloud-only organizations, it could conflict with policy, regulator expectations or the need to treat on-prem data as a first-class focus rather than a connector into a cloud service.

    Why many organizations cannot simply “go SaaS”

    For many public sector and regulated leaders, “no cloud” or “private cloud only” is not simply due to stubbornness or inflexibility. It is how they keep the trust of citizens and customers and stay true to their mission.

    Regulatory and sovereignty limits

    • Certain data types must stay inside specific jurisdictions, networks or facilities
    • Moving DSPM to SaaS can introduce cross border data flows, new sub-processors and new audit obligations

    Air-gapped and classified environments

    • Sensitive workloads often run on networks with no internet connectivity
    • A cloud-only DSPM control plane cannot operate in those environments without risky workarounds

    Private cloud by design

    • Some organizations have invested in tightly controlled private clouds that meet regulator and internal standards
    • They want DSPM that runs inside that private cloud, not outside it

    Deep integration with existing controls

    • On-prem DSPM is often wired into SIEM, SOAR, identity and ticketing systems that live on restricted networks
    • Recreating that integration surface around SaaS is possible but rarely trivial

    For leaders in these environments, the question is not “Do we like SaaS?” but “Can we meet our obligations if our DSPM is SaaS-only?”

    The hidden risks of a forced DSPM cloud migration

    A vendor-driven cutover to SaaS can introduce new risks at exactly the layer where DSPM should be reducing them.

    Compliance and audit disruption

    • New processing locations and control planes to document and approve
    • Revised DPIAs, risk registers and contracts to satisfy regulators and key partners
    • Misalignment between vendor EOL dates and multi-year compliance cycles

    Migration blind spots

    • Periods where both on-prem and SaaS deployments run in parallel with inconsistent policies
    • Repositories that are slow to move and may fall outside consistent coverage
    • Temporary exceptions that quietly become permanent exposures

    Budget and capacity surprises

    • Unplanned internal projects to replatform DSPM while other critical initiatives wait
    • New subscription, storage and egress costs that were not in the original on-prem business case

    For leaders, the concern is not only the target state, but the operational risk created in getting there.

    A different philosophy: DSPM should fit your environment

    Forcepoint approaches DSPM from the opposite direction. Instead of assuming everything can move to a vendor cloud, it starts with the reality that the most sensitive data often lives on-prem or in private infrastructure and that security controls must follow that reality.

    Deployment choice built into Forcepoint DSPM

    • On-prem DSPM that runs inside customer owned environments, including air gapped and disconnected networks
    • Private cloud DSPM where software runs in your IaaS or private cloud under your governance
    • SaaS options where appropriate, without forcing every workload into one model

    Consistent capabilities across models

    • Continuous discovery of structured and unstructured data across on-prem, private cloud and cloud sources
    • AI-powered classification tuned to your specific data and policies
    • Risk scoring and guided remediation that look and behave the same whether DSPM runs on-prem, in your private cloud or as SaaS

    Control over data and telemetry

    • You define where DSPM data is processed and stored
    • You keep control of logs, encryption and keys so data residency and sovereignty remain under your policies

    Our model is designed for leaders who cannot outsource accountability for sensitive data location and handling to a cloud first roadmap.

    For Varonis customers who cannot move fully to SaaS

    If you run Varonis on-prem today and operate with no cloud or private cloud only policies, you are not alone. Many federal programs, central banks, regulators, utilities and critical infrastructure operators are in the same position.

    Your decision likely comes down to two broad paths:

    1. Accept the Varonis SaaS-only roadmap

    • Remain with the same vendor and prepare to move DSPM into their SaaS platform
    • Rely on a cloud-first roadmap for future enhancements, even if your highest value data remains on-prem

    2. Reassess your DSPM strategy

    • Evaluate on-prem DSPM and private cloud DSPM alternatives that align with your constraints
    • Look for platforms that commit to long term support and innovation for customer-controlled deployments, not just maintenance

    Forcepoint can support this evaluation in practical ways:

    • Run a free data risk assessment that shows where your most sensitive data resides and how it is exposed today
    • Pilot Forcepoint DSPM in an on-prem or private-cloud environment that mirrors your constraints
    • Compare visibility, classification quality and remediation workflows without moving your highest risk data into a vendor operated SaaS platform

    For leaders, this is an opportunity to choose a direction that aligns with mission and regulation, not just vendor strategy.

    Your regulations, your mission, your choice

    Varonis has made a clear strategic choice to be SaaS-only and set an end date for its self-hosted platform. For some organizations, that will fit their cloud-first plans. For cloud-resistant and private cloud-only environments that protect the most sensitive data in-house, it may not.

    When a vendor goes all in on SaaS, both innovation and investment naturally concentrate there. Forcepoint believes DSPM should protect data wherever your mission and regulators require it to live and should continue to innovate for those environments, not treat on-prem and private cloud as an afterthought.

    If you are rethinking your path forward, now is the moment to explore Forcepoint DSPM to keep control in your hands and sensitive data exactly where it belongs. 
