All the possibilities I've seen mentioned apply to “Local Network” installed MIS Systems as well. If anyone within the school wants to hack the systems, they can... :)
There are many ways to make sure that cloud systems are secure, and systems are protected from attacks. Any certified (ISO/etc…) Data Centres have such securities in place anyway.
Cloud computing security - Wikipedia, the free encyclopedia
Also further security should come via MIS systems with user accounts. Like “Windows Accounts” do:
- Implement a strong password policy
- Force users to change their passwords in a given frequency (weekly/monthly/etc…)
- Lock accounts temporarily after a number of unsuccessful login attempts
- 2-level authentication
Cloud/SaaS Security is a big subject and this can't be answered fully in a single post, but with respect to:
How does this work, if the MIS is in the cloud, and all staff are using dual factor? How does the third party or automated system authenticate in a way that's dual factor?
Two factor authentication applies more for human authentication - it is there to reduce the risk of people disclosing their password either by writing it down, just telling someone, or the original communication of the password being intercepted.
Typically when two systems communicate (over the internet) they will not use two factor authentication for each individual communication. Two factor authentication will be used once to set up the relationship between the two services and this authentication persists indefinitely. For example:
System A contains some data, System B wants to access System A to get that data.
- The owners of System B will ask System A for a Key/Certificate/Password - these are typically very long in comparison to human passwords to prevent brute force attacks and because there is no human data entry constraint.
- The owners of System A will generate the key and use some form of two factor authentication to pass that key to the owners of System B (typically encrypt the keyfile, and call the owners of System B with the encryption password)
- The owners of System A will then use the key to authenticate when using the web services that System B provides to access the data.
This model assumes that the owners of System A trust that the owners of System B are capable of storing the key securely. Generally this is a moot point - if they don't trust they can hold the key securely they probably don't trust them to hold the actual data securely and therefore won't want to give them access in the first place.
On top of this key exchange, there may then also be additional credentials required to access specific areas of data within System A. So for example if System A is a cloud MIS which holds data for multiple schools, the cloud MIS provider (or the school) may provide credentials to System B in order for System B to access that particular school's data. This could be the school SIMS admin creating a username and password which is then provided to System B. The web services that System A provides to System B simply won't require the second factor in the credentials to grant access (but they are requiring the key instead which has been securely delivered using two factor authentication).
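A small model of the System A / System B arrangement described in the post above, added here as an illustration and not code from the thread or any MIS vendor: System A issues one long machine key out of band, stores only a salted hash of it, and its web service then checks that key plus a school-scoped username/password with no second-factor prompt. All names and values are constructed.

```python
"""Toy model of system-to-system trust between a cloud MIS (System A)
and a third-party service (System B). Constructed example; stdlib only."""
import hashlib
import hmac
import secrets

# System A's stores. Secrets are kept as salted PBKDF2 hashes so that a
# copy of the store does not hand out usable keys or passwords.
_issued_keys = {}          # key_id -> (salt, hash of machine key)
_school_credentials = {}   # (school_id, username) -> (salt, hash of password)

def _hash(salt: bytes, secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

def issue_machine_key(partner: str) -> tuple[str, str]:
    """System A generates the long key for System B. 256 random bits is far
    beyond brute-force reach; the returned key is what gets delivered out of
    band (encrypted keyfile plus a phone call for the passphrase)."""
    key = secrets.token_urlsafe(32)            # 43 URL-safe characters
    salt = secrets.token_bytes(16)
    key_id = f"{partner}-{secrets.token_hex(4)}"
    _issued_keys[key_id] = (salt, _hash(salt, key))
    return key_id, key

def create_school_credential(school_id: str, username: str, password: str) -> None:
    """Per-school login that the school's admin hands to System B."""
    salt = secrets.token_bytes(16)
    _school_credentials[(school_id, username)] = (salt, _hash(salt, password))

def _verify(store: dict, lookup, secret: str) -> bool:
    entry = store.get(lookup)
    if entry is None:
        return False
    salt, expected = entry
    # Constant-time comparison so a wrong key cannot be narrowed down by timing.
    return hmac.compare_digest(_hash(salt, secret), expected)

def web_service_access(key_id: str, key: str, school_id: str,
                       username: str, password: str) -> bool:
    """System A's web service: requires the machine key (the factor delivered
    via 2FA at setup) plus the school-scoped credential; no OTP is asked for."""
    if not _verify(_issued_keys, key_id, key):
        return False   # unknown or wrong machine key: reject before school check
    return _verify(_school_credentials, (school_id, username), password)
```

The machine key gates every call, so a leaked school password alone is not enough to reach that school's data from outside the trusted partner.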