According to the third annual “Encryption in the Cloud” study conducted by the Ponemon Institute and commissioned by IT security firm Thales, more and more organizations are now transferring sensitive or confidential information using public cloud services; however, many are still not taking the steps necessary to ensure that information is adequately protected.
The results of the study, which were released on Tuesday and included responses from more than 4,000 organizations around the world, found that more than half of all respondents were already transferring sensitive data to the cloud. Only 11 percent of respondents indicated that their companies have no plans to use the cloud for sensitive operations, down from 19 percent only two years ago.
However, despite all of the media attention surrounding high-profile data breaches, half of respondents admitted that their sensitive data goes unprotected when it is stored in the cloud. Additionally, while nearly half of the organizations surveyed believe that their use of the cloud has had no impact on their overall security posture, 34 percent said they believed it actually had a negative effect on their security posture, compared to just 17 percent who felt it had a positive effect.
“It seems the visibility of cloud security is increasing, that (organizations) are taking ownership for the data that’s in the cloud, but there is still a long way to go,” said Richard Moulds, vice president of strategy for Thales e-Security. “Still half of the respondents said that they didn’t really have any idea what the cloud provider was doing to (improve) security. Even more people seem to be transferring sensitive data to the cloud even though they know it reduces their security posture. And this year, people basically said that half of sensitive data in the cloud is unprotected.”
When it comes to closing the gaps that still exist in protecting information stored in the cloud, Moulds believes cloud providers will begin to more vigorously promote the security safeguards they offer and that it could even become a differentiator for them in the future.
“At some point, we’ll get to the stage where most of the systems and data that doesn’t require a great deal of security will have already gone to the cloud. If cloud providers are going to carry on seeing growth, then they’re going to have to convince people to move their more sensitive and more valuable applications into the cloud and, at some point, that’s going to rely on the cloud providers actually articulating what security models they adopt,” explained Moulds.
Moulds believes the answer to this problem will involve industry bodies such as the Cloud Security Alliance developing language and concepts that describe cloud security to an enterprise.
“We sometimes incorrectly draw parallels to cloud security and enterprise security when really, if you think about it, the security issues that a cloud provider faces are quite different from the issues that an enterprise faces. Even a well-seasoned IT guy from a bank might know very well how to secure his own infrastructure, but he’s probably not very aware of the different security challenges a cloud provider, specifically a public cloud provider, might face,” Moulds added. “I think we’ve got sort of a dichotomy; there’s not really a very good language or terminology for cloud providers to articulate their security proposition to cloud consumers and I don’t think, necessarily, cloud consumers are in a great place to even judge whether a cloud provider is using good (security measures) because they only know the challenges they face.”
One of the biggest problems when it comes to protecting data stored in the cloud is that there still seems to be a lot of confusion surrounding which party is responsible for securing it, which the study found to be dependent upon the type of cloud service in question. In Software-as-a-Service (SaaS) applications, more than half of the survey respondents felt that the cloud provider was primarily responsible for security, whereas nearly half of Infrastructure-as-a-Service (IaaS) users viewed security as a shared responsibility between the two.