pie chart of who manages encryption keys for encrypted data in the cloud

Encrypting data in the cloud: Whose job is it?

A surprising one-third of organizations who are moving sensitive data to a cloud environment said it is the cloud provider’s responsibility to protect the data, according to a survey done by the Ponemon Institute for Thales e-Security.

Who manages encryption keys for encrypted data in the cloud?

29% Data owner
26% Data owner and cloud provider
23% Cloud provider
21% Third-party service
1% Other

The findings, reported in Global Trends in Cloud Encryption, show a high level of faith in providers’ ability to do this, with 57 percent of respondents either agreeing or strongly agreeing that they are capable. Despite this faith, 68 percent of respondents using the cloud encrypt their sensitive data before it leaves home, either in transit or for storage in the cloud.

Where is encryption applied to protect data in the cloud environment?

37% Data owner encrypts it in transit to cloud
31% Data owner encrypts it before sending to the cloud
11% Cloud provider encrypts it in the cloud
11% Data owner encrypts it in the cloud
10% Not applicable or none of the above

The study surveyed business and IT managers from 4,205 organizations in the United States, the United Kingdom, France, Australia, Japan and Brazil. The United States was the best represented country, with 938, or 22.3 percent, of the respondents. Eleven percent of respondents were public sector, including federal, state and local government.

Convenience and functionality apparently trump security in making cloud decisions. Although 53 percent of respondents now transfer sensitive data to the cloud and another 31 percent say they are likely to in the next two years, there is a significant level of concern about this trend, with 35 percent of those using the cloud now saying it has decreased their level of security. Only 15 percent feel it has increased security.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

  • Marines on patrol (US Marines)

    Using AVs to tell friend from foe

    The Defense Advanced Research Projects Agency is looking for ways autonomous vehicles can make it easier for commanders to detect and track threats among civilians in complex urban environments without escalating tensions.

Stay Connected