They send sensitive data to cloud, even if they don't trust security
Nearly two-thirds of IT managers whose organizations have or plan to move sensitive data to the cloud hold their service providers responsible for protecting their data, according to a global survey.
Yet a similar number say they have little or no knowledge about how their providers actually protect that data, and nearly 40 percent say they think the cloud has weakened security, according to the study, Encryption in the Cloud, conducted by the Ponemon Institute for Thales Security.
The findings are significant in explaining where data encryption is applied inside and outside the cloud and, most important, who manages the associated encryption keys.
The study examines some of the more practical aspects of encryption deployment, and specifically addresses questions about whether organizations apply encryption themselves before data leaves the organization’s environment or whether encryption is expected to be a component of the cloud services they use.
More than 4,000 business and IT managers were surveyed in the United States, United Kingdom, Germany, France, Australia, Japan and Brazil. Thirteen percent of the respondents are in public-sector organizations, including central and local governments. Sixteen percent are in financial services, which include banking, investment management, insurance, brokerage, payments and credit cards.
In the case of cloud-based encryption, the report considers the role of encryption for protecting stored data as well as application-based encryption, which typically applies protection more selectively, potentially protecting individual data items.
Some of the key findings include:
• Thirty-nine percent of respondents believe cloud adoption has decreased their organizations’ security posture. However, 44 percent of respondents believe the adoption of cloud services has neither increased nor decreased security. Only 10 percent of respondents believe the move to the cloud has increased their organization’s security posture.
• Where is data encryption applied? There is almost an even split between respondents who say their organization applies persistent encryption to data before it is transferred to the cloud provider and those who say they rely on encryption that is applied within the cloud environment.
• Who manages the encryption keys when data is transferred to the cloud? Thirty-six percent of respondents say their organization has primary responsibility for managing the keys. Twenty-two percent say the cloud provider has primary responsibility. Even in cases where encryption is performed inside the enterprise, more than half of respondents hand over control of the keys to the cloud provider, the report says.
• In general, respondents who name the cloud provider as the party most responsible for protecting data are more confident in the provider's actual ability to do so (51 percent) than respondents who consider their own organization primarily responsible are in their own organization's ability to do so (32 percent).
“It’s a rather sobering thought that nearly half of respondents say that their organization already transfers sensitive or confidential data to the cloud even though 39 percent admit that their security posture has been reduced as a result,” said Larry Ponemon, chairman and founder of the Ponemon Institute.
“This clearly demonstrates that for many organizations the economic benefits of using the cloud outweigh the security concerns,” he said.
However, organizations that have a strong overall security posture appear to be more likely to transfer this class of information to the cloud environment, Ponemon said, adding that this is possibly because they best understand how and where to use tools such as encryption to protect their data and retain control.