I dread those emails that go along the lines of, “We've checked a list of millions of compromised accounts and cross-referenced it with people who have an XYZ account. We noticed that the email that you used to register for an XYZ account was on that list of exposed accounts.”
The latest round of such unpleasant emails followed a serious security breach: Adobe was recently hacked. Adobe, as you may remember, has been transitioning most of its products to the cloud: Creative Suite, for example, is now part of the Adobe Creative Cloud.
Adobe Experience Manager WCM and DAM (formerly the CQ5 product line) are also cloud-enabled (through Adobe Marketing Cloud), even if few of their licensees use them that way yet. The former Omniture analytics platform also uses an Adobe ID as its access mechanism. So the question here really is: Can you trust vendors to keep your information secure? Is the cloud secure? What if your professional IDs for enterprise scenarios get commingled with large volumes of vulnerable consumer IDs for more plebeian services like Photoshop? If a software giant like Adobe cannot get its act together, how can you trust the myriad of smaller cloud-based providers that litter the enterprise technology space?
What happened with Adobe is unfortunate, but not shocking. I've lost count of the vendors who have been hacked in recent history. Sadly, it’s become a norm of digital life. According to various sources, hackers obtained data for more than 150 million Adobe ID user accounts. Adobe admitted to only 38 million of those.
So, a few words of advice. When working in the cloud, you may need to enforce certain password practices that you apply to on-premise applications, even if your SaaS provider doesn't mandate strong passwords and regular password updates. You'll also want to work to minimize reuse of passwords across applications, and prevent people from using personal logins for professional accounts, and vice versa. (Special shout-out to Google Apps users there...)
Of course, simply maintaining software on-premise is no security panacea. In the end, though, with cloud applications, your vendor still bears responsibility for adequate levels of security. (Adobe, allegedly, was not “salting” their passwords.) Maybe for hosted Photoshop the stakes are lower, but for DAM or WCM in the cloud, you'll want to perform very careful diligence.