As IT focuses on refined encryption and identity management systems, it may be missing a big vulnerability: users While it’s been obvious to me for a long time, those moving to the cloud are coming to grips with the fact that the most considerable threat to cloud computing security is not from hackers sitting thousands of miles away, it’s from the people in the office next door. This article on Bnet agrees:Once upon a time the world of computer security was divided into two zones, inside and outside, but the shift to cloud computing changed that. “How do you design a resilient security system when the source of the attacks are most likely people inside the system?” says Roger Grimes, a 20-year veteran of the security industry [and Security Adviser columnist at InfoWorld.com]. “How do you educate users to make sure they don’t accidentally let an intruder in?”Nothing really changes. Back in the day, I was asked to do penetration testing for a large minicomputer manufacturer. While password-guessing programs worked from time to time, the easiest way into the system was to call a user and ask for his or her user ID and password. We succeeded about one out of three times.While there is certainly more education around these days and most people won’t provide user IDs and passwords on the phone, this little trick still works. Try emailing everyone in the company and asking for the user ID and passwords for your cloud computing provider, perhaps talking about a “critical software upgrade.” You’ll still get one or two people to respond before corporate security is alerted. That’s all it takes. However, it’s not just phishing attacks that can work around a tight security system. As Google found out with the “China attacks,” those users who forgot to update Microsoft Internet Explorer provided a nice on-ramp into their mail system from the outside world, as well as exploited vulnerabilities within PDF files. Also, those who log into their office PCs remotely provide a nice point of access, as do mobile computing devices that are frequently stolen or lost.There is no magic to solving this problem; indeed, you can’t settle this issue entirely. However, you should consider a few items:End-user education goes a long way. Those on cloud systems should be constantly reminded to not provide user names and passwords to anyone, under any circumstances.Force software updates. You’d be surprised at how many old versions of IE are running within your firewall, not to mention how many instances don’t have security patches applied.Work with your cloud computing provider. Typically, there are mechanisms in place to spot out-of-the-ordinary activities. Use them.This article, “Users are the largest cloud computing security threat,” originally appeared at InfoWorld.com. Read more of David Linthicum’s Cloud Computing blog and follow the latest developments in cloud computing at InfoWorld.com. Cloud ComputingSecurity