“I think the fact we’ve done reasonably well in terms of not having the newspaper be full of stories about cloud breaches is probably quite helpful. I think industry associations like the Cloud Security Alliance have done good work in terms of generally increasing awareness of the fact that the cloud might not be as scary as you think it is,” he says. “There’s a better level of understanding as to what measures are taken in the cloud and I think these days some people are prepared to accept that the cloud may be more secure than doing some of these things themselves in their own enterprises. A lot of companies have come to the conclusion that cloud providers probably do a better job of managing firewalls, software patching, default passwords, and performing intrusion detection and network attack-type things.”
This year’s study did indicate a marked increase in respondents’ confidence in the ability of cloud providers to protect sensitive and confidential data, up from 41 percent in 2011 to 56 percent in 2012. That said, there still seems to be some confusion about what exactly cloud providers are doing to protect data: just over half of respondents said they don’t know what their cloud provider actually does to protect their data, and only 30 percent say they do know. Last year, 62 percent of respondents said they didn’t know what measures their cloud provider took to protect their data.
“There still seems to be a woeful lack of knowledge about what actually goes on in the cloud and yet, more than 50 percent of people say they are transferring data through it,” Moulds added.
Moulds believes that, in the future, encryption will migrate from being done before data is transferred to the cloud to being done dynamically inside the cloud itself. However, he said that as that shift is made, organizations will still have to remain vigilant when it comes to key management.
“Two years ago, if a cloud provider said that they were encrypting data, I think that was deemed to be good, even if the cloud provider actually controlled the keys,” Moulds explained. “Now, analysts are coming out with sort of formal best practices saying if you’re going to use encryption in the cloud then make sure cloud providers don’t get access to the key. Otherwise, you’re in a poacher and gamekeeper-type of situation. Do you really trust the cloud providers, or at least the employees of the cloud provider not to access these keys and unlock your data? I think there is a notion that encryption should be in the cloud, the keys should be managed by the enterprise and only released to the cloud on a need-to-use basis.”