Is data more vulnerable in the cloud?

With ability to lighten data storage requirements on the network, more and more organizations in recent years have started using the cloud to store sensitive information. Cloud technology has been of particular interest for security professionals, given the ability it providers end-users to shift the infrastructure costs of large-scale surveillance and access control systems onto a service provider.

Of course, one of the questions that has dogged the cloud industry for years and has perhaps slowed its adoption for some is exactly how secure is data in the cloud? Another question that frequently arises is who is responsible for securing data in the cloud?

In an attempt to shed light on the subject, the results of a new survey conducted by the Ponemon Institute on behalf of UK-based data protection solutions provider Thales e-Security were published this week. The "Encryption in the Cloud" study, which surveyed more 4,000 business and IT managers from around the world, found that 82 percent of organizations already transfer or plan to transfer sensitive or confidential data to the cloud.

However, 39 percent of respondents said they believed that cloud adoption has decreased their companies’ security posture. In addition, 64 percent of those surveyed who transfer data to the cloud believed that the cloud provider was responsible for protecting that data.

"This clearly demonstrates that for many organizations the economic benefits of using the cloud outweigh the security concerns. However, it is particularly interesting to note that it is those organizations that have a strong overall security posture that appear to be more likely to transfer this class of information to the cloud environment – possibly because they most understand how and where to use tools such as encryption to protect their data and retain control," said Ponemon Institute Chairman and Founder Larry Ponemon. "What is perhaps most surprising is that nearly two thirds of those that move sensitive data to the cloud regard their service providers as being primarily responsible for protecting that data, even though a similar number have little or no knowledge about what measures their providers have put in place to protect data."

Earlier this year, I had the opportunity to attend the SecureWorld Expo in Atlanta where information security leaders from a variety of industries came together to discuss hot topics in the industry, cloud security being chief among them.

In a session on risk and the cloud at the event, Ben Halpert, director, IT risk leader – CIT information security and risk management at McKesson Corporation, said that end-users still bear the responsibility for ensuring the security of data they transfer to the cloud. "You own 100 percent of the risk," Halpert told attendees in the session.

Obviously the threats faced by information and physical security leaders differ greatly in many regards, but a breach in either department can be just as damaging to the reputation of the organization they work for.