Cloud software, although easily accessed over the internet, was typically much more secure than desktop or server software, said security experts and software developers.
“The developer of a web app takes security seriously because they are exposed to everyone on the internet. Legacy software providers don’t take security seriously,” said Richard McLean, a software developer behind the online payroll program KeyPay.
McLean pointed to an incident last year where a Gold Coast medical centre was held to ransom by Russian hackers. The hackers broke into the server remotely and encrypted the server software containing business and medical records as well as the backups. The business was told to pay $4,000 so the information would be decrypted and the medical centre could continue to operate.
Security issues with desktop accounting software included allowing logins without passwords and the widespread practice of sending data files with commercially sensitive information in unsecured email or mailing unencrypted CDs or USB keys.
Another security risk was running accounting and financial software on a laptop protected just by a system password.
“If they lose the laptop, an IT guy would take 60 seconds to reset that and have access to it,” McLean said.
An attack similar to the Gold Coast example was much less likely to happen in cloud software, McLean said. Usernames and passwords were encrypted in cloud software databases for a start.
“We all run bank-level security so any data that we perceive to be important we encrypt in our database,” McLean said. “We have an extra level of security which is the information sent between the browser to the web server is encrypted as well.”
Security experts say that because cloud software is more accessible, software developers must start with a much higher base level of security than desktop or server software.
“In the case of desktop software, it is assumed there is no protection of the data as it is just files on the local disk. The data and application are both essentially unprotected as they are directly accessible to the user,” said Adam Pointon, director of Sentinel Data Security. “There is essentially no protection to local attack.”
Once a person had control of a desktop computer – either by sitting in front of it physically or by remote access over the internet – it was relatively easy to bypass password or licence controls to access the data file. Even if a person couldn’t open a desktop accounting application, for example, they could still copy the data file and examine the contents.
By comparison, cloud software sent only the data requested by the user through a remote process over which the user had no control.
“You can’t directly ask the database for data, or read the data file from disk and inspect the raw contents,” Pointon said. “Likewise you can’t control the application like you can on a locally-executing program nor access its memory space.”
Desktop applications used with remote access software such as Citrix Receiver were also more secure than desktop software alone, Pointon said. The user was prevented from tampering with the files running the application or the operating system.
The risks for online software were twofold, Pointon said. A user had to rely on the online software vendor’s security practices being good enough to protect user data. And poor development of cloud software could expose users to greater risks than the same mistakes in desktop software.