Adoption of cloud-based services is still immature in terms of security and privacy, a global survey of more than 4,000 organisations in seven countries by the Ponemon Institute has revealed.
More than half of all respondents (53%) say their organisation currently transfers sensitive or confidential data to the cloud, yet only 30% say they know how their cloud provider protects their data.
“The results are indicative of an immature state, and immaturity gives rise to wishful thinking,” said Richard Moulds, vice president strategy at Thales e-Security, which commissioned the survey.
“The proportion of organisations using the cloud for sensitive, regulated data is five times higher than most people would have guessed,” he told Computer Weekly.
Moulds said it is equally surprising that there is a marked increase in confidence among respondents in the ability of cloud providers to protect the sensitive and confidential data entrusted to them.
“Some 56% of respondents said they were confident, up from 41% a year ago, yet the majority do not know how their cloud provider protects their data, and 35% feel their use of cloud has decreased their security posture,” he said.
Another indicator of immaturity in cloud adoption is that there is still no common language for describing cloud security, nor any standard or certification that shows how secure a cloud service is.
The study also shows that among those organisations that are transferring sensitive or confidential data into the cloud, 33% think the cloud provider is responsible for protecting the data.
This is almost three times the number of respondents who think the responsibility lies with the cloud consumer and around four times the number who think it is a shared responsibility.
This is a matter for concern, said Moulds, as the reality is that anyone who transfers sensitive data to the cloud remains accountable, irrespective of who they think is responsible for security.
The results show that most SaaS users (60%) and the largest share of PaaS users (38%) view the cloud provider as most responsible for protecting sensitive or confidential data, while the largest share of IaaS users (41%) view cloud users as the responsible party.
“SaaS users are renting the entire package, and even though they may be ultimately accountable for the data, in a SaaS service the cloud provider is your only real source of security,” said Moulds.
“Salesforce.com, for example, defines the access controls, they define the password and authentication methodologies, they are the ones that are protecting the data and encrypting the channels, so there is not much you can do as an enterprise other than decide if the service meets your security requirements or not,” he said.
For this reason, said Moulds, it is important that the industry develop a standard way of communicating about security so that cloud users can make informed decisions.
Conversely, in IaaS it is the cloud user who determines the security, because they are the ones building the applications that run in the cloud, said Moulds.
“Given the level of transparency that currently exists, you would think that people would err towards IaaS, the lower level cloud services, because at least then they have more influence over the security that is being delivered,” he said.
According to Moulds, organisations such as the Cloud Security Alliance (CSA) have a pivotal role to play in identifying key security requirements and giving cloud consumers a standard checklist for evaluating the security of cloud services.