How many organizations currently transfer sensitive data to the cloud? Who should be responsible for looking after that data? Are organizations capable of protecting their data once it has been transferred to the cloud? And how do organizations apply encryption to protect data in the cloud?
These are just some of the questions that our brand new study – Encryption in the Cloud – answers. The study is based on a global survey carried out by the Ponemon Institute of over 4,000 business and IT managers. The findings are fascinating and provide a comprehensive picture of how organizations around the world approach the topic of protecting their sensitive data assets in the cloud environment.
We all know that in general, the cloud has already become central to the IT strategy of many organizations around the world, but I expected to hear that organizations took a much more cautious approach when it comes to their more security sensitive business processes and data.
But surprisingly, about half of respondents said their organization already entrusts sensitive or confidential data to the cloud. Another third said that their organization is very likely to go down the same path in the next twenty-four months – only 18 percent said they have no intention of risking confidential data in the cloud.
And once again we see that economics seems to trump security. Of the respondents that have already moved sensitive business processes to the cloud, 39 percent of them believe cloud adoption has in fact decreased the security posture of their organisations, and only 10 percent think it’s been a net security benefit.
Next we looked at the issue of security posture from a different perspective, and the findings seem to explode the notion that the security savvy are standing back and allowing the less sophisticated to fall into the cloud security trap.
The survey shows that it is in fact the organizations with the strongest security postures that are more likely to move sensitive data to the cloud, and that those with weaker security postures tend to be more resistant. The obvious interpretation to make from this finding is that those organizations which understand information security better – the risks, regulations and measures available to counter security threats – are more likely to take advantage of the business benefits the cloud provides.
That actually sounds quite comforting, but the picture changed when we asked about responsibility and confidence. We focused on those that are currently transferring sensitive or confidential data to the cloud and asked them who is responsible for protecting it. The answer was surprising; nearly two-thirds considered the cloud service provider to be primarily responsible and only 19 percent thought the responsibility was shared between the cloud provider and the organization using the cloud service.
Worse still, only half of those that expected the provider to protect the data thought that the provider was actually capable of doing so – not surprising when nearly two-thirds said that they didn’t even know what measures their service provider was taking to provide security.
Finally, we examined the use of encryption. This survey is part of a broader global encryption trends study. We already knew that encryption is becoming a critical data protection tool, and we were keen to understand how it is used in the cloud.
Thirty-five percent of respondents said their organizations encrypt sensitive data before it ever leaves their organization, presumably on the assumption they don’t trust the cloud, whereas 27 percent rely on encryption being applied in the cloud to protect their data. That’s interesting, but of course the issue is that regardless of where encryption is deployed the net security is still driven by the measures that are put in place to protect and control the keys. You’d expect that those who perform encryption themselves, inside their organization, would keep control of the keys, but the survey showed that less than half retain exclusive control of the keys.
Furthermore, for organizations that rely on encryption, only 32 percent retain control of the keys and 35 percent believe that the cloud service provider should have sole responsibility for managing keys. With the news last week about the breach at Dropbox, that sort of approach might raise a few eyebrows, particularly from your auditor!
To download a copy of the report, click here.