The Ponemon Institute published a study on the global use of encryption of sensitive data by users in the cloud. Beyond the results, the document also provides an interesting perspective on the perception of cloud and security by companies from different countries.
The study conducted by Ponemon Institute in association with computer security specialist Thales and entitled “Encryption in the Cloud” was conducted among 4,000 IT and business leaders in the U.S., UK, Germany, France, Australia, Japan and Brazil just shown that over 50 percent of respondents felt they have sensitive data stored in the cloud.
The study examines the perceptions that companies have threats and challenges surrounding the issue of protecting sensitive and confidential data in the cloud, and the practices currently adopted in this regard. The study also offers a good light on where data encryption should reside – inside or outside the cloud, and it also asking the crucial question of who manages the associated encryption keys.
According to the report, nearly 64 percent respondents think that cloud providers have the responsibility for protecting their data, but two-thirds say that they are not aware what cloud providers are actually doing to protect confidential and sensitive data commended to them.
Another third of respondents said they are studying the possibility of spending critical or sensitive data in the cloud in the coming months. These points to the increasing share of firms that now trust the cloud. Moreover, 39 percent of companies admit to having lowered their security requirements following a decision to transfer data in the cloud, highlighting that the economic benefits of cloud are seen as paramount.
“It’s a rather sobering thought that nearly half of respondents say that their organization already transfers sensitive or confidential data to the cloud even though 39 percent admit that their security posture has been reduced as a result, Larry Ponemon, chairman and founder of the Ponemon Institute, said in a press statement. “This clearly demonstrates that for many organizations the economic benefits of using the cloud outweigh the security concerns.”
“However, it is particularly interesting to note that it is those organizations that have a strong overall security posture that appear to be more likely to transfer this class of information to the cloud environment—possibly because they most understand how and where to use tools such as encryption to protect their data and retain control,” Ponemon said.
The survey addresses the most important aspect of control of encryption keys. In this regard, 36 percent of respondents felt that their organization must have control, while 22 percent believe it should be entrusted to the cloud provider. Of these, over half felt that this must be the case even when encryption is performed within the company. It was also found that organizations with high security requirements are more likely to use a cloud environment for working with sensitive data.
“Staying in control of sensitive or confidential data is paramount for most companies today. For any organization that is still weighing the advantages of using cloud computing with the potential security risks of doing so, it is important to know that encryption is one of the most valuable tools for protecting data,” said Richard Moulds, vice president of strategy at Thales e-Security. “However, just as with any type of encryption, it only delivers meaningful value if deployed correctly and with encryption keys that are managed appropriately.”
“Effective key management is emblematic of control and the need for centralized and automated key management integrated with existing IT business processes is a necessity. Even if you allow your data to be encrypted in the cloud, it’s important to know you can still keep control of your keys. If you control the keys, you control the data,” Moulds said.
If more and more companies are sending sensitive data in the clouds, this does not mean they have no protection. An unspecified number of firms directly encrypt data before sending it. The same proportion of firms performing this operation once the data is moved into the cloud.
