Study: Organizations becoming more comfortable with the cloud

July 11, 2013
Questions still remain about cloud security practices

Organizations around the world are becoming more comfortable with transferring sensitive data to the cloud, according to the results of a new study. Commissioned by UK-based defense and security technology provider Thales and conducted by the Ponemon Institute, the “2012 Global Trends in Cloud Encryption” study examined the cloud perceptions and practices of more than 4,000 organizations in seven countries. Despite this increased comfort level, many companies still have reservations about the security of the cloud, and some are still uncertain about who exactly is responsible for the security of data stored there.

According to the survey, more than half of all respondents say their organization currently transfers sensitive or confidential data to the cloud – an increase of about 10 percent over last year’s study. However, more than twice as many respondents say use of the cloud has decreased their security posture (35 percent) as say it has increased it (15 percent). That’s still an improvement over last year’s study, in which 39 percent of respondents said that cloud adoption had decreased their security posture while only 10 percent said it had increased it.

This paradox between how organizations are using the cloud and how they feel about the security of it is really one of the “conundrums” of the study, says Richard Moulds, vice president of strategy for Thales e-Security, Thales’ cybersecurity business unit.

“Overall, the report has a positive message in the sense that more people are using the cloud (for sensitive data). So, the good news is usage is increasing, levels of confidence are increasing compared to last year… but the bad news is level of visibility, in terms of what security measures actually exist in the cloud, are still quite low and people, in general, feel it has weakened their security posture,” says Moulds. “The overall good news is that people feel more secure, the number of people who say it has weakened their security posture has gone down, and the portion of respondents who say their security posture has actually gone up as a result of putting sensitive data in the cloud has increased. In my mind, the trend areas are all pointing in the right direction, but there still are some underlying concerns.”

One of these underlying concerns is the confusion that still exists among many end users about who is responsible for securing data in the cloud. According to the study, more than 60 percent of respondents whose organizations currently transfer sensitive or confidential data to the cloud believe the cloud provider has primary responsibility for protecting that data, and 22 percent believe the cloud consumer is responsible. Moulds said responses to this question vary depending on whether the organization that took part in the study is actually leveraging cloud services.

“If you ask the people that are using the cloud for sensitive data, then overwhelmingly they say it is the cloud provider who is responsible by a factor of nearly three compared to the people who think the cloud consumer is responsible. But when you ask people that are not transferring sensitive data to the cloud, presumably because they’re concerned about security, then the majority say it is the cloud consumer that is responsible,” says Moulds.

Moulds attributes the fact that organizations are now more willing to use the cloud for sensitive data to a combination of factors, including increased efforts on the part of cloud providers to educate end users about the security measures they have in place.

“I think the fact we’ve done reasonably well in terms of not having the newspaper be full of stories about cloud breaches is probably quite helpful. I think industry associations like the Cloud Security Alliance have done good work in terms of generally increasing awareness of the fact that the cloud might not be as scary as you think it is,” he says. “There’s a better level of understanding as to what measures are taken in the cloud and I think these days some people are prepared to accept that the cloud may be more secure than doing some of these things themselves in their own enterprises. A lot of companies have come to the conclusion that cloud providers probably do a better job of managing firewalls, software patching, default passwords, and performing intrusion detection and network attack-type things.”

This year’s study did indicate a marked increase in confidence among respondents in the ability of cloud providers to protect sensitive and confidential data – up from 41 percent in 2011 to 56 percent in 2012. That being said, there still seems to be some confusion about what exactly cloud providers are doing to protect data: just over half of respondents said they don’t know what their cloud provider actually does to protect their data, and only 30 percent say they do know. Last year, 62 percent of respondents said they didn’t know what measures their cloud provider took to protect their data.

“There still seems to be a woeful lack of knowledge about what actually goes on in the cloud and yet, more than 50 percent of people say they are transferring data through it,” Moulds added.

Moulds believes that in the future encryption will migrate from being done prior to the transfer of data to the cloud to being done dynamically inside the cloud itself. However, he said that as that shift is made, organizations will still have to remain vigilant when it comes to key management.

“Two years ago, if a cloud provider said that they were encrypting data, I think that was deemed to be good, even if the cloud provider actually controlled the keys,” Moulds explained. “Now, analysts are coming out with sort of formal best practices saying if you’re going to use encryption in the cloud then make sure cloud providers don’t get access to the key. Otherwise, you’re in a poacher and gamekeeper-type of situation. Do you really trust the cloud providers, or at least the employees of the cloud provider not to access these keys and unlock your data? I think there is a notion that encryption should be in the cloud, the keys should be managed by the enterprise and only released to the cloud on a need-to-use basis.”