I work mainly in implementing Salesforce for large companies, so corporate security concerns always seem to be a barrier in convincing IT folks that their app will be just fine in the cloud. I covered SOX compliance concerns on security in a white paper on SOX Compliance and salesforce.com, but this blog post by Peter Coffee points out in more detail why you should worry about your authorized users more than about cloud hackers.
Most security threats are internal. That's not only intuitive, but it's proven in studies.
An excerpt from the Dark Reading article:
Databases' Most Serious Vulnerability: Authorized Users.
"There are five common factors that lead to the compromise of database information":
- ignorance
- poor password management
- rampant account sharing
- unfettered access to data
- excessive portability of data
The entire point of the "Don't worry about SOX security" section in my white paper is that it's EASIER to address these cited security concerns in salesforce.com than it is on your local servers. The tools are there in salesforce.com to protect your data even from your own admins, whereas in most enterprises all a DBA needs is a big flash drive and some SQL knowledge to steal all of your data.