Economics deep-dive
The repatriation case for security data.
That companies are moving workloads back from the cloud to on-prem to save money is, by now, well-covered ground, and I am not going to pretend to have discovered it. What I think is underargued is the narrower claim that sits inside the macro: security telemetry is close to the single best-suited workload to bring home, because it is steady-state, written far more than it is read, retained for years by regulation, and increasingly bound by where the data is allowed to live, which is exactly the profile cloud's pay-for-elasticity pricing overcharges. The cheap, correctly-specced on-prem media from the previous essay is the lever that makes the on-prem math actually close, and the sovereignty rules and a quieter staffing argument push the same direction.
Reading time: about 15 minutes. Evidence runs from Tier A (the Schrems II ruling, FedRAMP and GDPR text) through Tier B (a16z's analysis, 37signals' published numbers, the Barclays, IDC, Flexera and Citrix surveys, the ISC2 workforce study) to Tier C (egress-cost breakdowns and the salary data, flagged inline). One leg, the claim that the combined cloud-plus-security skill set is a rare and expensive pairing, is the weakest in the essay, and I argue it as directional rather than dressing it in a number it has not earned.
The macro, cited not claimed
Repatriation is real, and the numbers are someone else's.
The reference point everyone starts from is the a16z essay, Sarah Wang and Martin Casado's "The Cost of Cloud, a Trillion Dollar Paradox" (June 2021, Tier B, and worth reading with the awareness that the authors flag their own math as back-of-envelope). Their estimate was that bringing workloads back in-house ran at roughly one-third to one-half the cost of running them in public cloud at scale, that the cloud line was suppressing something like $100B of market capitalization across the fifty public software companies they looked at, and that Dropbox alone had saved on the order of $75M over two years moving the bulk of its workloads off public cloud into colocation. Their framing has aged into a cliché because it is basically right: you would be foolish not to start in the cloud, and at a certain scale and predictability you would be foolish to stay entirely on it.
The most concrete public case is 37signals, the company behind Basecamp, whose exit David Heinemeier Hansson documented in detail (2022-24, Tier A as direct company statements). They were spending about $3.2M a year on AWS, bought roughly $700K of Dell servers and $1.5M of Pure Storage to hold 18 petabytes, and brought the annual infrastructure bill down to well under a million, a realized saving in the range of $2M a year and something like $10M projected over five years, and they did it without adding headcount. I want to be careful not to over-generalize from them, because they are a mature, cash-flow-positive company with predictable workloads, which is precisely the profile repatriation favors and not every company has. But the case is real, documented, and not a vendor's slide.
The surveys say this is a movement and not two anecdotes, though they also say it is mostly partial. Barclays' CIO survey found the share of enterprise CIOs planning to repatriate at least some workloads climbing from around 43 percent in 2020 to the low-to-mid 80s by 2024; IDC put more than 70 percent of enterprises repatriating something, while noting that only 8 to 9 percent intend a full exit and that most of the motion is selective; Flexera's 2025 State of the Cloud reported about 21 percent of workloads moved back over the prior year even as net cloud spend kept growing; and Citrix's 2024 survey found a plurality of US firms moving at least half their workloads back, with unexpected security problems the most-cited driver at 41 percent (all Tier B, named firms, 2024-25). The honest synthesis is that repatriation is a real and broad selective trend, cost-and-control-led, running underneath continued net cloud growth, not a wholesale reversal.
The workload fit
Security telemetry is the workload repatriation was made for.
Cloud pricing earns its premium on elasticity, the ability to spin capacity up and down against unpredictable demand, and the corollary is that a workload with no elasticity to exploit pays the premium and gets nothing back for it. Security telemetry is almost a caricature of the no-elasticity workload. The volume is steady-state and grows predictably with the estate rather than spiking, the ingest is write-heavy and continuous, and the retention runs for years because compliance demands it, so the data lands and stays landed whether or not anyone queries it. That is the exact shape where cloud's variable, per-gigabyte, per-event, per-query metering compounds against you, and where the egress and managed-service markups stack on top: at high steady volume the egress and API charges alone can run a large fraction of the bill (CloudZero and similar cost breakdowns put it as high as 60 to 80 percent in data-intensive cases, Tier C and directional), and the EU's Data Act only begins phasing egress fees out in 2027, and only in Europe.
This is where the previous essay's lever does its work, because the objection to bringing a security lake home has always been the capital cost of the storage, and that objection is weaker than it looks once you spec the media correctly. A security lake is mostly cold, write-once, read-rarely telemetry, which means the bulk of it belongs on cheap nearline HDD or on-prem object storage at roughly $11 to $14 per terabyte, with a read-intensive NVMe tier in front of it for the hot, queryable slice rather than the over-specced write-intensive flash a configurator would push. The endurance premium a security lake never spends, and the sixteen-times capacity premium of flash over disk that the previous essay walked through, are both costs you avoid paying when you build the on-prem tier to match the workload instead of to match the spec sheet's worst case. That the endurance premium is unspent is now literature-backed rather than my assertion: the DWPD rating a drive ships with is certified under JEDEC's JESD219 enterprise workload, a deliberately pessimistic random pattern, while append-only telemetry ingest is sequential and runs at a write amplification near 1, so the rated endurance you are paying the premium for is consumed at a fraction of the spec-sheet rate (Min et al., USENIX FAST 2012, measured random in-place writes at 5.3x the amplification of sequential; Cai et al., Proc. IEEE 2018, gives endurable host writes as proportional to one over DWPD times write amplification, Tier A). The field data points the same way, with ServeTheHome's 2024 study of 1,347 used data-center SSDs finding most ran under 1 DWPD and Forward Insights putting roughly 80 percent of enterprise SSDs there, and the large fleet studies (Google FAST 2016, Facebook SIGMETRICS 2015, NetApp's 1.4-million-drive FAST 2020 work) finding drives rarely fail by wear-out at all (Tier A to B), which is the evidence the companion endurance essay walks through in full. The amortized hardware cost of correctly-specced on-prem storage against years of cloud per-gigabyte retention metering is the comparison that makes security telemetry pencil out, and it pencils out harder than a general workload because the retention horizon is so long. The one thing this does not yet settle is tier-to-tier reliability equivalence at a matched sequential load, which stays unmeasured and which I would not claim before a test (Tier D).
I will not overclaim the size of the win, because I do not have a named, sourced TCO figure specific to security telemetry repatriation, and the corpus is full of general-market storage-cost numbers that I would not launder into a security-specific one. The claim I will stand behind is structural and not numeric: of the workloads a security organization runs, the telemetry lake is the one whose cost curve most clearly favors on-prem, because every property that makes a workload a good repatriation candidate (steady volume, write-heavy, long retention, low query-to-storage ratio) is a property security telemetry has in the extreme. Putting an actual measured TCO under that structural claim is exactly the kind of first-party number the lab exists to produce.
Sovereignty
The second reason isn't about cost at all.
The cost case has a sovereignty case running alongside it, and for some organizations the sovereignty case is the one that actually forces the decision. The anchor ruling is Schrems II, the Court of Justice of the European Union's July 2020 judgment (Case C-311/18, Tier A) that invalidated the EU-US Privacy Shield on the grounds that US surveillance law did not give EU personal data protection equivalent to what the GDPR requires. The practical effect is that transferring EU personal data to US-controlled infrastructure now carries a compliance burden that many organizations resolve by keeping the data in-region, and security telemetry is thick with exactly the personal data (identities, endpoints, access events) the ruling is about. On the US side, FedRAMP High imposes a straightforward data-residency requirement, that the data stay in the United States, which pushes federal and federal-adjacent security logging toward US-controlled, sometimes on-prem, infrastructure (FedRAMP documentation, Tier A).
I want to be precise about what these rules do and do not say, because the careful version is more credible than the breathless one. None of GDPR, HIPAA, or PCI DSS 4.0 actually mandates on-prem. What they mandate is appropriate safeguards, audit trails, retention, and in the EU case a level of protection that survives transfer to a third country, and on-prem or in-country hosting is one common and often the simplest way to satisfy them, not the only way (the regulation texts, Tier A; PCI DSS 4.0 in force since March 2024 with its continuous-monitoring and retention requirements). Plenty of regulated organizations stay in cloud with encryption and contractual clauses and satisfy the auditors. The honest framing is that sovereignty rules are a push toward keeping security data on controlled infrastructure, sometimes a hard push, rather than a universal requirement to repatriate.
One operational detail decides whether that encryption costs you the architecture you came for. Encryption at rest is a requirement for regulated security data, but where you apply it matters: Parquet's own modular encryption writes the encryption into the file, and in my lab testing a file encrypted that way by one library was unreadable by DuckDB, Polars, DataFusion, and ClickHouse, which quietly undoes the multi-engine portability that is the whole point of keeping the data in an open format. The fix is mundane and worth stating: encrypt at the volume or object-store layer (SSE-S3 or SSE-KMS on the on-prem store, or dm-crypt and LUKS underneath it) so the bytes every engine reads stay portable, rather than inside the Parquet file where the encrypting engine becomes the only one that can read its own data.
There is a third path worth naming, between full repatriation and staying in the cloud with encryption, and 2026 sharpened it. Zero-copy sharing lets the data stay in a store you control while a cloud platform's compute reads it in place, so the bytes never replicate into the vendor's cloud and never cross the jurisdiction the regulator cares about. MinIO's AIStor now shares Delta and Iceberg tables to Databricks that way, and Databricks' own Genie ZeroOps runs autonomous operations against metadata-only shallow clones rather than the production tables, so it validates changes without copying or exposing the underlying data (Tier C, vendor documentation; Genie ZeroOps is private preview, so read it as a direction rather than a shipped guarantee). The pattern does not dissolve the sovereignty question, since you still have to trust where the compute runs and how it is governed, but it does separate two things the ingest-heavy SaaS model fuses: where the data lives and where it is queried. For an organization whose binding constraint is residency rather than cost, keeping the telemetry in a controlled store and letting compute reach it in place can satisfy the regulator without the full capital move home.
Where the sovereignty case and the cost case reinforce each other is that the same workload is implicated by both. The data a regulator most wants kept in a known jurisdiction with a clean audit trail (the identity, access, and endpoint telemetry that proves what happened) is the same steady-state, long-retention data whose cost curve already favors on-prem. When the workload your compliance posture wants under your own control is also the workload your finance team would most like off the cloud meter, the two arguments stop competing for the decision and start compounding it.
The talent argument, honestly
The weakest leg, argued as the weakest leg.
There is a third argument I find genuinely persuasive and cannot fully prove, so I am going to lay out what the evidence supports and where it runs out. The intuition is that running security architecture in cloud requires a person who is both a cloud-infrastructure specialist and a security architect, that this combination is rare and expensive, and that an on-prem deployment lets you staff a strong security architect without also paying the cloud-specialist premium stacked on top. The scarcity half has solid support: the ISC2 2025 Cybersecurity Workforce Study ranks cloud security as the second most-cited skills gap at about 36 percent of respondents, behind only AI, and the 2024 figure was around 30 percent, so cloud security is a persistent top-tier shortage and not a passing one (ISC2, Tier A).
The price half is where I have to be careful. The compensation data shows a real but modest premium for cloud depth: cloud security engineers and architects land roughly in the $150K to $190K range, and the uplift for deep cloud-plus-IAM expertise over on-prem-only security peers runs something like $15K to $32K, call it 8 to 16 percent on the base (Robert Half and aggregated salary data, 2025-26, Tier B, self-reported and region-dependent). That is a genuine premium, and it is not the dramatic multiplier the strong version of the argument wants. More to the point, the research does not isolate the premium for the combined skill set the way the argument needs it to. We can see that cloud security is scarce and that cloud depth pays a premium; we cannot, from public data, cleanly separate the cost of the rare cloud-and-security pairing from the cost of each skill on its own. So the strongest honest version is directional: staffing security architecture on-prem plausibly lets you hire for security depth without bidding against the cloud-specialist shortage on top of it, and that is a real operational advantage, but the size of it is something I would want to measure with hiring data before I put a number on it.
I am spending this much space on a leg I am hedging on deliberately, because the failure mode of an argument like this is to assert the combined-scarcity premium as a fact and hope nobody asks for the citation. The citation does not exist yet. What exists is a clear skills shortage, a modest measured cloud-depth premium, and a plausible structural story connecting them, and that is what I will claim, no more.
Where I land
Stronger than the generic case, and what would weaken it.
The thing I want to leave you with is that the repatriation case for security data is stronger than the generic repatriation case, and it is stronger for a specific reason: three independent arguments point the same way at the same workload. The cost curve favors on-prem because security telemetry is the steady, write-heavy, long-retention profile cloud overcharges, and the previous essay's correctly-specced cheap media is what closes the capital-cost objection. The sovereignty rules push the same data toward controlled, often in-country infrastructure. And the staffing argument, hedged as it is, leans the same direction. When the cost case, the compliance case, and the operational case all select the same workload, that workload is where an organization should actually look first, and for a security program that workload is the telemetry lake.
I will keep the counter-weights on the record, because they are real. Most repatriation is partial, not a full exit (IDC's 8-to-9-percent full-exit figure is the number to remember), net cloud spend is still growing across the market, and the cleanest public case, 37signals, is a mature company with unusually predictable workloads, so it flatters the argument. The cloud is still the right place to start, and for bursty, elastic, or early-stage workloads it is still the right place to stay. The claim is not that on-prem wins everywhere; it is that security telemetry is the specific workload where the on-prem case is at its strongest, and that the case is strong enough to be the default starting hypothesis for that workload rather than an exotic option.
What would weaken my read: a controlled TCO study showing correctly-specced on-prem security storage does not actually beat cloud retention pricing at realistic scale, which is the first-party number I most want to produce and would publish whichever way it came out; or cloud providers pricing steady-state, long-retention security storage aggressively enough to neutralize the per-gigabyte penalty, which they could do and have not. Until one of those lands, the structural case holds, and it rests on the same lever the previous essay sharpened: get the storage media right, and a surprising amount of the cloud-versus-on-prem argument for security data resolves itself.