It may be a more interesting target, but it would also be considered a much harder target. Hackers are still lazy, a lot of those with bad intentions don't even bother with anything that is considered big. Really guys, who here ever bothered to portscan the cia.gov? (protip: they'll block your connections after getting just a few ports on default settings)
IsTheCloudSafe2USE wrote:Our current system runs on our local network and is not exposed to the web, ie. no browser access, except for folks possibly downloading a something via email or browsing.
By my definition, your data is on the net. If it should be safe it should not be connected to any network connected to the internet. This means that all computers on the network that can contact it aren't connected to the net either, nor should there be a wireless access point on the same network. I understand that this is usually not effective in this day and age, thats why at the very least some very serious firewall settings should be set.(won't help though, I'll explain later)
The way a big site that uses the cloud buzzword usually works is the following:
-At the front line exposed to the internet are reverse proxy servers/load balancers. These have the ip's the users connect to, they'll then forward the connection to a server that isn't at max capacity.
-Those other servers are normally only available to those load balancers or some admins. Those servers will do all the logic required, running code, and in turn will connect to a database server(or cluster).
-The database is where your data actually lives. Again those servers aren't accessible to the net, and only to those servers.
So the places that have your data(the db/dbcluster) or the places that have the potential to access that data(those other servers, not the load balancers that users can see) are not connected directly to the net. And the local network that they are on doesn't have normal users who DO have access to the net, or who may have been infected at other points. The only entry point would be the load balancers, who very much limit where users can connect.
(note, these servers I described CAN be on the same machine though(by using VMs or jails), but from a network point of view are totally separate entities, and getting full access to one shouldn't mean full access to the other.)
The network you described is ripe for abuse. People are on there browsing, reading emails etc. There may even be laptops on there that go home on networks totally out of your control. Maybe even a poorly configured wifi router. You don't only run the risk of a targeted attack, but of accidental pwnage.
Imagine a random criminal hacker, infecting machines as usual for profit. Normally these guys run by the numbers, as in, why target 1 or 10 high value targets who may or may not have a vulnerability, when you can target 100000 people who may or may not be vulnerable. If 10% of those people are vuln, they'll have plenty of machines to scrape for useful data and use for other profitable schemes at their disposal(and often enough more people are targeted, it can take less effort than trying out 10 high value targets and the chance of success is dramatically greater).
These type of guys may already have access to some machines at your firm, but one of the downsides of working with this many machines is that you don't usually keep a close eye on them and maybe won't even bother to infect other machines they are connecting with or try to gather data in a manual way(although, almost all malware that has been news worthy DOES try to infect other machines on the network too).
If one of these guys cared to take a closer look at what he had at his disposal he may notice that he has access to all your client information if he wanted to(if he controls a machine that has access to this data, then he has access to this data). Luckily for you in most cases these guys don't care to look and are too buzzy reselling the access to the machines they have. Depending on your setup the client data has more or less chance of being accidentally discovered and used.(example: a network drive looks like a normal drive to windows, malware that gathers cc info will look there just as it would look at other partitions on the machine)
So unless if your network is locked tight, and all machines on there are super secure, all employees know how to avoid getting owned, updates are pushed as soon as they come out and a bunch of other factors. Then I'd say a service like http://www.goclio.com
is better secured.
But again, there is no guaranty, they could make mistakes too. Or worse, they could be noobs posing as professionals to make lots of money.
And another important difference here is: if you make a mistake you may be liable(or whatever, you should know those terms better then me). If that certified company makes a mistake, it (and you!) can claim they did the best they could, after all, they have a certificate that proves it.
wow.. long text is long
TL;DR; your network doesn't sound secure to me, maybe more important than security is liability when things go wrong?