Cloud adoption still outpacing security capability, study finds

Many companies are still not applying the best technologies, policies and procedures to ensure sensitive data is protected in the cloud

Cloud data security is still a major challenge for companies, with only one-third of sensitive data in cloud applications being protected by encryption, a study shows.

Most organisations are still focusing on basic security techniques such as passwords to protect sensitive and confidential customer information, according to the Gemalto 2016 Global Cloud Data Security Study by the Ponemon Institute.

The study, which surveyed more than 3,400 IT and IT security practitioners, revealed that despite the continued importance of cloud computing resources to organisations, companies are not adopting appropriate governance and security measures to protect sensitive data in the cloud.

According to 73% of respondents, cloud-based services and platforms are considered important to their organisation’s operations and 81% said they would be more so over the next two years.

However, 54% of respondents said their companies do not have a proactive approach to managing security and complying with privacy and data protection regulations in cloud environments.

This is despite the fact that 65% said their organisations are committed to protecting confidential or sensitive information in the cloud. Also, 56% did not agree that their organisation is careful about sharing sensitive information in the cloud with third parties such as business partners, contractors and suppliers.

“Cloud security continues to be a challenge for companies, especially in dealing with the complexity of privacy and data protection regulations,” said Larry Ponemon, chairman and founder of the Ponemon Institute.

“To ensure compliance, it is important for companies to consider deploying such technologies as encryption, tokenisation or other cryptographic solutions to secure sensitive data transferred and stored in the cloud.”

Struggling to maintain control

While organisations have embraced the cloud with its benefits of cost and flexibility, they are still struggling to maintain control of their data and compliance in virtual environments, said Jason Hart, vice-president and chief technology officer for data protection at security firm Gemalto.

“It is quite obvious that security measures are not keeping pace because the cloud challenges traditional approaches of protecting data when it was just stored on the network,” he said. “It is an issue that can only be solved with a data-centric approach in which IT organisations can uniformly protect customer and corporate information across the dozens of cloud-based services their employees and internal departments rely on every day.”

The five key findings of the report are that:

  • Shadow IT continues to be a major stumbling block to cloud security.
  • Conventional security practices do not apply in the cloud.
  • More customer information is being stored in the cloud and is considered the data most at risk.
  • Encryption is important but not yet pervasive in the cloud.
  • Many companies still rely on passwords to secure user access to cloud services.

According to survey respondents, 49% of cloud services are deployed by departments other than corporate IT, and an average of 47% of corporate data stored in cloud environments is not managed or controlled by the IT department.

Only 21% of respondents said members of the security team are involved in the decision-making process about using certain cloud applications or platforms, while 64% also said their organisations do not have a policy that requires use of security safeguards, such as encryption, as a condition to using certain cloud computing applications.

However, the study revealed that confidence in knowing all cloud computing services in use is increasing, with 54% of respondents saying they are confident that the IT organisation knows all cloud computing applications, platform or infrastructure services that are in use.

Just over half (54%) of respondents said it was more difficult to protect confidential or sensitive information when using cloud services, with 53% citing difficulty in controlling or restricting end-user access, up from 48% in 2014. Other challenges include the inability to apply conventional information security in cloud environments (70%) and the inability to directly inspect cloud providers for security compliance (69%).

According to the survey, customer information, emails, consumer data, employee records and payment information are the types of data most often stored in the cloud. The storage of customer information in the cloud has increased the most, up from 53% in 2014 to 62% today, with 53% also considering customer information the data most at risk in the cloud.

In the UK, customer information is the most common type of data stored in the cloud (59%), ahead of financial business information (47%) and email (45%).

While 72% of respondents said the ability to encrypt or tokenise sensitive or confidential data is important, encryption is not yet widely deployed in the cloud, the study shows, with only 34% of respondents saying their organisation encrypts or tokenises sensitive or confidential data directly within cloud-based applications.

Just over two-thirds of respondents said the management of user identities is more difficult in the cloud than on-premises. However, the study found that organisations are not adopting measures that are easy to implement and could increase cloud security.

For example, 45% of companies are not using multi-factor authentication to secure employee and third-party access to applications and data in the cloud, which means many are still relying on user names and passwords to validate identities.

More data put at risk

As a result, more data is put at risk because 58% of respondents said their organisations have third-party users accessing their data and information in the cloud.

The new realities of cloud-based IT mean IT organisations need to set comprehensive policies for data governance and compliance, create guidelines for sourcing cloud services, and establish rules for what data can and cannot be stored in the cloud, the report said.

The report said IT organisations can accomplish their mission to protect corporate data while being an enabler of shadow IT by implementing data security measures such as encryption that allow them to protect data in the cloud in a centralised way, as their internal organisations source cloud-based services as needed.

As companies store more data in the cloud and use more cloud-based services, the report said IT organisations need to put greater emphasis on stronger access controls with multi-factor authentication, especially where third parties and suppliers are allowed access.
