There are many horror stories concerning IT security, which I think are overrated. All systems have security risks. Even the most basic method of double locking valuable documents in an expensive safe is not absolutely safe. Safes could be breached; locked offices could be broken in; documents could be lost in transit; officers could be careless. When information is digitized and stored on computers, the security risks just change emphasis. They are not more vulnerable nor safer. But paperless documents present a different perception. Some say you cannot steal when there is nothing to hold; but some say you do not even know it is stolen because there is nothing to hold. The bottom line is, major corporations, financial institutions and government agencies now all store their valuable information on computers. We could believe that reasonable and adequate protection are in place to avoid foreseeable security risks.
When valuable data are in the cloud, security considerations go one step further. The fact that the data are stored outside the office in the cloud, and accessed through external connection does raise concern. News of IT security breaching are often seen in the media, thus giving an impression that it is less safe. The truth is that online business transactions, especially financial transactions, are now very common. All banks are pushing very hard for online account management by users. Online purchasing and bill settlement is a booming business. Thus among the billions of transactions, the rate of security breaching is very low, much lower than road accidents and other crimes.
There are three main sources of IT security breaches. The first is a deliberate attack by criminals or hackers, like breaking in. The second is erroneous setting of IT procedures leading to data loss, like forgetting to lock the door. The third is information leakage by workers, either through carelessness or malicious actions. All these are still valid with cloud computing.
I would say that cloud computing could simplify much work for managers on hardware and software. However, it presents additional security risks which the managers should focus their attention. For outside attacks, managers could rely on the security of the cloud as the first line of defense. The security of the servers is the responsibility of the cloud operators. Managers could assume that state-of-the-art defense is deployed. There have been talks that security measures by the cloud operators alone is not sufficient. Additional security could be obtained by restricting access to the cloud through another cloud to prevent skillful intruders. I think this level of defense is for the top secret data, and may not be feasible for every system. Just rest assured the cloud could do its job properly.
Additional risks are in data transmission and reception. Security measures such as virtual private network and data encryption could be implemented according to the sensitivity of information. These may have to be specifically ordered. At the user end, computers are vulnerable to be attacked by hackers, or by malicious software rampant in the Internet. The standard protection is the IT security protection programs widely available in the market. Make sure that they are completely and actively installed, with instantaneous automatic updating. On user accounts, there is the issue of identity verification and local storage security. The standard gateway is the user name plus a password. Additional verification could be implemented through multi-factor authentication. In the past, security cards and digital tokens are used to identify an officer. These are now thought of as presenting only a false sense of security as they are easily lost or stolen. Furthermore, they present additional headache for managers in their issuing, replacing and maintaining. Recently, more popular methods are additional password with random digits and security secret questions and answers. The OCGIO Government Public Cloud Service GPCS bulk purchasing contract includes all these additional security services. They could be purchased as SaaS.
On the person level, managers are required to nurture the mindset and behaviour of officers on the vigilance of IT risks. On the technical side, software is available for monitoring staff behaviour on the Internet such as browsing habits and files download restriction. On the human side, it is more a human resource management subject than an IT management subject. IT security awareness and conscience could be promoted through training, staff management and staff relations.