SaaS and Real Security
by Peter Coffee on March 28, 2008 at 11:54 AM
The task of maintaining information security is one that combines technology, management, and even international agreements in a volatile stew of complex and dynamic challenges. The best back doors into a system are usually opened by that system’s own applications and their configuration options, used in ways that are typical but less than robust.
Most information theft or leakage is the result of either carelessness or malfeasance by people who had all the privileges they needed to come in the front door of the system. The typical IT environment paves a path of least resistance for data to go out to the edge of the network. A software-as-a-service environment actually makes it much easier to manage privileges and monitor data use in very specific ways, while improving users’ access to data from any networked device and ensuring that everyone sees the same information at the same time. That's why it's so vexing to find myself explaining, over and over again, that the conscientious administration of information security is far more important than the physical relocation of data to a service provider's systems.
The cost of staying abreast of security developments is probably more than ought to be borne by all but the largest corporations. Sharing that cost across tens of thousands of served organizations with millions of individual subscribers, all on the same multi-tenant platform, can be a much better way to go. That's why I’ve written a white paper on the myths and the realities of security in the multi-tenant, on-demand environment of Software as a Service and Platform as a Service. I've also summarized key points in a three-minute video. I hope you’ll find these to be useful resources in weighing security's realities against widespread misperceptions.
Comments
Posted by Bob B on April 8, 2008 07:44 AM:
Peter,
I agree that SaaS security is as good as or better than most corporate systems. The issue that is cropping up now is PaaS SOA security, where Apex is both a consumer and provider of web services. I would love to hear your perspective on this.
Posted by Bill Warnock on July 24, 2008 03:22 PM:
Peter, I agree with Bob B. Why must we always try to develop something unique to the company, which for the most part will remain untested because it was developed in-house; as we all know, it will be the best and by golly, foolproof. It must be all things to all company people which actually means the happy hunting ground of the hacker. Why must we expend money and resources just to have our scent on it? Why!!
Warm regards,
Bill