Study: Cloud use growing among organizations, but security lags behind

April 29, 2014
IT security expert says many organizations still reluctant to use encryption technology

According to the third annual “Encryption in the Cloud” study conducted by the Ponemon Institute and commissioned by IT security firm Thales, more and more organizations are now transferring sensitive or confidential information using public cloud services; however, many are still not taking the steps necessary to ensure that information is adequately protected.

The results of the study, which were released on Tuesday and included responses from more than 4,000 organizations around the world, found that more than half of all respondents were already transferring sensitive data to the cloud. Only 11 percent of respondents indicated that their companies have no plans to use the cloud for sensitive operations, down from 19 percent only two years ago.   

However, despite all of the media attention surrounding high-profile data breaches, half of respondents admitted that their sensitive data goes unprotected when it is stored in the cloud. Additionally, while nearly half of the organizations surveyed believe that their use of the cloud has had no impact on their overall security posture, 34 percent said they believed it actually had a negative effect on their security posture, compared to just 17 percent who felt it had a positive effect.

“It seems the visibility of cloud security is increasing, that (organizations) are taking ownership for the data that’s in the cloud, but there is still a long way to go,” said Richard Moulds, vice president of strategy for Thales e-Security. “Still half of the respondents said that they didn’t really have any idea what the cloud provider was doing to (improve) security. Even more people seem to be transferring sensitive data to the cloud even though they know it reduces their security posture. And this year, people basically said that half of sensitive data in the cloud is unprotected.”

When it comes to closing the gaps that still exist in protecting information stored in the cloud, Moulds believes cloud providers will begin to more vigorously promote the security safeguards they offer and that it could even become a differentiator for them in the future.

“At some point, we’ll get to the stage where most of the systems and data that doesn’t require a great deal of security will have already gone to the cloud. If cloud providers are going to carry on seeing growth, then they’re going to have to convince people to move their more sensitive and more valuable applications into the cloud and, at some point, that’s going to rely on the cloud providers actually articulating what security models they adopt,” explained Moulds.

Moulds believes the answer to this problem will involve industry bodies such as the Cloud Security Alliance developing language and concepts that describe cloud security to an enterprise.

“We sometimes incorrectly draw parallels to cloud security and enterprise security when really, if you think about it, the security issues that a cloud provider faces are quite different from the issues that an enterprise faces. Even a well-seasoned IT guy from a bank might know very well how to secure his own infrastructure, but he’s probably not very aware of the different security challenges a cloud provider, specifically a public cloud provider, might face,” Moulds added. “I think we’ve got sort of a dichotomy; there’s not really a very good language or terminology for cloud providers to articulate their security proposition to cloud consumers and I don’t think, necessarily, cloud consumers are in a great place to even judge whether a cloud provider is using good (security measures) because they only know the challenges they face.”

One of the biggest problems when it comes to protecting data stored in the cloud is that there still seems to be a lot of confusion surrounding which party is responsible for securing it, which the study found to be dependent upon the type of cloud service in question. In Software-as-a-Service (SaaS) applications, more than half of the survey respondents felt that the cloud provider was primarily responsible for security, whereas nearly half of Infrastructure-as-a-Service (IaaS) users viewed security as a shared responsibility between the two.

“I think there is a perception that perhaps if you outsource systems to the cloud then somehow the cloud provider is responsible. Sure, the cloud provider has some responsibility to do the right thing… but at the end of the day, the data is entrusted to the enterprise by its customers,” explained Moulds. “And if the enterprise decides to use a cloud service then that’s their decision, and if that data gets lost then, at the end of the day, the customers are going to blame the enterprise, not the cloud. The auditors, from a compliance point of view, are going to blame the enterprise as well.”

While encryption of data would seem like a logical solution to the cloud security dilemma, Moulds said that it is still a “fairly scary technology” to a lot of people, although organizations in some sectors such as the government and banking industry are quite familiar with it.

“I think there’s still a lot of industries out there and a lot of users out there, particularly mid-sized companies and smaller companies, that just aren’t very familiar with the technology,” said Moulds. “News stories like the Heartbleed story last week start to make people second guess whether encryption is even worth the effort. There were a lot of stories last week about encryption being broken, keys being stolen and having huge ripple effects across hundreds of thousands of websites. It’s not unreasonable for some people to sit there and think, ‘hey this technology is not ready for primetime yet and it’s more trouble than it’s worth,’ which is wrong. Encryption is a mature technology and it is getting easier to deploy.”

For those that do choose to encrypt their sensitive data before it is sent to the cloud, Moulds said that organizations need to make sure that their encryption keys remain in-house and are not given to the cloud provider.

“As we mature our thinking a little bit, people are starting to draw the distinction between encrypting data and the keys that they will use to do the encryption,” he said. “Encryption is the mathematical process of converting data into encrypted text. The secret behind all of that is the encryption key just like the lock on your door at home. How that lock works is not a secret. What’s the secret is the shape of the key in your pocket and I think one of the reasons why Heartbleed got so much attention is not only did it allow encryption to be reversed, but it also provided a path for stealing keys out of a server’s memory space. It was sort of a bit of a wakeup call to people in that it showed the value of stealing the keys and therefore the importance of keeping hold of those keys and not handing them over to your service provider.”