Moving Sensitive Data to Cloud Storage Can Put Businesses at Risk
More than eight in 10 businesses have moved or plan to move sensitive or confidential data to a cloud-based platform, according to a global survey of 4,000 business and IT managers conducted by security research organization Ponemon Institute and commissioned by information systems and communications security specialist Thales.
However, businesses have a ways to go when it comes to understanding how to protect that critical data and whose responsibility it is, the study, entitled "Encryption in the Cloud," found.
About half the respondents said their organizations currently transfer sensitive or confidential data to the cloud. Of those, 64 percent believe the cloud provider has primary responsibility for protecting that data, but nearly two-thirds of respondents say they do not know what cloud providers are actually doing to protect the sensitive or confidential data entrusted to them.
Thirty-six percent of respondents say their organization has primary responsibility for managing the keys, while 22 percent said the cloud provider has primary responsibility for encryption key management. The study showed that even in cases where encryption is performed inside the enterprise, more than half of the respondents hand over control of the keys to the cloud provider.
"It's a rather sobering thought that nearly half of respondents say that their organization already transfers sensitive or confidential data to the cloud even though 39 percent admit that their security posture has been reduced as a result," Larry Ponemon, chairman and founder of the Ponemon Institute, said in a press statement. "This clearly demonstrates that for many organizations the economic benefits of using the cloud outweigh the security concerns.
"However, it is particularly interesting to note that it is those organizations that have a strong overall security posture that appear to be more likely to transfer this class of information to the cloud environment--possibly because they most understand how and where to use tools such as encryption to protect their data and retain control," Ponemon said.
The study showed an almost even split between respondents who say their organization applies persistent encryption to data before it is transferred to the cloud provider and those who say they rely on encryption that is applied within the cloud environment. Another one-third of respondents said their organizations are very likely to transfer sensitive or confidential data to the cloud within the next two years, suggesting the risks of a breach will increase as more companies jump on the cloud storage bandwagon.
"Staying in control of sensitive or confidential data is paramount for most companies today. For any organization that is still weighing the advantages of using cloud computing with the potential security risks of doing so, it is important to know that encryption is one of the most valuable tools for protecting data," Richard Moulds, vice president of strategy at Thales e-Security, said in prepared remarks. "However, just as with any type of encryption, it only delivers meaningful value if deployed correctly and with encryption keys that are managed appropriately.
"Effective key management is emblematic of control and the need for centralized and automated key management integrated with existing IT business processes is a necessity. Even if you allow your data to be encrypted in the cloud, it s important to know you can still keep control of your keys. If you control the keys, you control the data," Moulds said.