Infosec 2014: Firms moving to cloud despite security fears, study shows

Businesses are moving sensitive or confidential data into public cloud services, despite security fears, a study shows

Businesses are moving sensitive or confidential data into public cloud services, despite security fears, an independent global study has revealed.

Almost a third of companies doing so expect a negative impact on security posture, according to the Encryption in the Cloud report, launched at Infosecurity Europe 2014 in Earls Court, London.

In response, the use of encryption is increasing, but more than half of respondents admit sensitive data goes unprotected in the cloud, according to the report by the Ponemon Institute.

The study, sponsored by security firm Thales, polled more than 4,000 organisations around the world about who is responsible for security in the cloud and how best to protect the sensitive data in the cloud.

The study found the use of the cloud for processing and storing sensitive data is inevitable, with more than half of respondents saying their organisation already uses the cloud for sensitive or confidential data.

Just 11% said their organisation had no plans to use the cloud for sensitive operations, down from 19% two years ago.

The study found that almost half of respondents believe their use of the cloud has had no impact on their overall security posture.

However, those that believe it has had a negative effect (34%) on their security posture outnumbered those who thought it had a positive effect (17%) by two to one.

The study revealed that perceived responsibility for protecting sensitive data in the cloud is dependent on the type of cloud service. 

In software as a service (SaaS) environments, more than half of respondents see the cloud provider as being primarily responsible for security.

In contrast, almost half of infrastructure as a service (IaaS) and platform as a service (PaaS) users view security as a shared responsibility between the user and cloud provider.

The study found that visibility in the security practices of cloud providers is increasing, with 35% of respondents considering themselves knowledgeable about the security practices of their cloud providers, compared with 29% two years ago.

But half of SaaS users still claim to have no knowledge of what steps their providers are taking to secure sensitive data.

“Staying in control of sensitive or confidential data is paramount for most organisations, and yet our survey shows they are transferring ever more of their most valuable data assets to the cloud,” said Larry Ponemon, chairman and founder of the Ponemon Institute.

“It is perhaps a sign of confidence that organisations with the highest overall security posture were most likely to use the cloud for operations involving sensitive data, and it is encouraging to find that significantly fewer respondents believe use of the cloud is weakening their security posture,” he said.

However, Ponemon said there are still concerns that many organisations continue to believe their cloud providers are solely responsible for protecting sensitive data even though most respondents claim not to know what specific security measures their cloud provider is taking.

The study found that while the use of encryption is increasing, data still exposed.

For SaaS users, the study revealed an increase from 32% in 2011 to 39% in 2013, and IaaS/PaaS users report an increase from 17% to 26% over the same period, but still, more than half of respondents said their sensitive data is in clear text, and therefore readable when stored in the cloud.

There is currently an almost equal division in terms of how stored data is encrypted while in the cloud, the study revealed.

Of those respondents that encrypt stored data, just over half apply encryption directly within in the cloud with just over 40% electing to encrypt the data before it is sent to the cloud.

When it comes to key management there is a clear recognition of the importance of retaining ownership of encryption keys, with 34% of respondents reporting that their own organisation is in control of encryption keys when data is encrypted in the cloud.

Only 18 percent of respondents said that the cloud provider has full control over keys.

The need to share keys between organisations and the cloud highlights the growing interest in key management standards, the report found.

There is particularly high interest in the OASIS Key Management Interoperability Protocol (KMIP), with 54% of respondents identifying cloud based applications and storage encryption as the area to be most impacted by the adoption of the KMIP standard.

“Encryption is the most widely proven method to secure sensitive data in the enterprise and in the cloud, and yet more than half of respondents report that sensitive data in the cloud goes unprotected,” said Richard Moulds, vice-president strategy, Thales e-Security.

“Those that are using encryption have adopted a variety of deployment strategies, but once again a universal pain point is key management,” he said.

According to Moulds, the way keys are managed often makes all the difference with poor implementations, dramatically reducing effectiveness and driving up costs.

“Key management is a critical control issue for respondents, who are increasingly focused on retaining ownership of keys as a way to control access to data,” he said.

Deployed correctly, Moulds said encryption can help organisations migrate sensitive data and high-risk applications to the cloud.

“This will enable them to unlock safely the full potential for economic benefit the cloud can deliver,” he said.

Read more on Cloud security